Bottom Line Up Front
When one of your users clicks “Accept” on a Teams guest invitation from an external tenant, the Microsoft Defender for Office 365 protections you pay for stop applying to what that user does there. Safe Links, Safe Attachments, ZAP, anti-phishing, DLP: all of them are evaluated by the tenant that hosts the chat, not by the user’s home tenant. The user is now 100 % under the security posture (or lack thereof) of the tenant that sent the invite.
This is not a bug. It is how Microsoft designed B2B collaboration.
What changed in November 2025 is MC1182004 – the “chat with any email address” feature that is on by default for most commercial licenses. It turns every Teams client into an automated guest-invitation machine that sends legitimate-looking emails from no-reply@microsoft.com, completely bypassing your email gateway.
Result: attackers can spin up a $4–$6/month tenant, leave Defender completely unlicensed or deliberately disabled, and drop malicious files straight into your users’ chats with zero scanning.
Technical Details
| Component | What Actually Happens When a User Joins as Guest |
|---|---|
| Authentication | User authenticates with home tenant → guest object created in resource tenant |
| Policy evaluation | All EOP & Defender for Office 365 policies run only in the resource tenant |
| Safe Links | No rewriting, no detonation |
| Safe Attachments | No sandboxing |
| Zero-hour Auto Purge (ZAP) | Does not execute |
| Anti-phishing / DLP | Uses resource-tenant rules only |
| Conditional Access / MFA | Home-tenant CA is evaluated only for the home-tenant sign-in; inside the guest session the resource tenant’s CA policies are the ones that apply (the home tenant can only allow or block the relationship via outbound cross-tenant access settings) |
| Audit logs | The sign-in to the external tenant appears in the home tenant’s sign-in logs (ResourceTenantId ≠ HomeTenantId); chat, file and sharing activity is audited only in the resource tenant |
Real-World Attack Flow (Observed in Red-Team Exercises This Week)
- Attacker registers a new Microsoft 365 tenant (Teams Essentials or Business Basic – $0 trial → $4–6/mo)
- Does not buy Defender for Office 365 (or disables default policies)
- Opens Teams → types victim email → MC1182004 sends invite from no-reply@microsoft.com
- Victim accepts → lands in a tenant with zero modern protection
- Attacker shares .lnk, .iso, macro doc, or OneDrive link → it arrives in the chat without Safe Attachments or Safe Links ever looking at it
Cost: <$10. Time: <10 minutes.
Detection – Queries That Actually Work Today
```kusto
// 1. Users who have joined external tenants via Teams (run in the HOME tenant)
// Cross-tenant sign-ins land in the home tenant's SigninLogs with ResourceTenantId
// set to the external tenant. KQL has no `??` operator; nulls are left as nulls here
// on purpose so that a missing creation date does not masquerade as a 0-day-old tenant.
SigninLogs
| where TimeGenerated > ago(30d)
| where AppDisplayName == "Microsoft Teams"
| where CrossTenantAccessType == "b2bCollaboration" or UserType == "Guest"
| where ResourceTenantId != HomeTenantId
// resourceTenantCreationDate is not a documented SigninLogs property; this assumes your
// enrichment writes it into AdditionalDetails. Without it TenantAge_days stays empty.
| extend TenantCreated = todatetime(parse_json(AdditionalDetails).resourceTenantCreationDate)
| extend TenantAge_days = datetime_diff('day', now(), TenantCreated)
// ResourceDisplayName is the resource application (e.g. "Microsoft Teams Services"),
// not the external organisation's name; ResourceTenantId identifies the tenant.
| project TimeGenerated, UserPrincipalName, ResourceDisplayName, ResourceTenantId, TenantAge_days
| order by TimeGenerated desc
```

```kusto
// 2. Freshly created throw-away tenants (<45 days) that already have your users inside
SigninLogs
| where TimeGenerated > ago(30d)
| where AppDisplayName == "Microsoft Teams"
| where CrossTenantAccessType == "b2bCollaboration" or UserType == "Guest"
| where ResourceTenantId != HomeTenantId
| extend TenantCreated = todatetime(parse_json(AdditionalDetails).resourceTenantCreationDate)
| extend TenantAge_days = datetime_diff('day', now(), TenantCreated)
// tenants with no creation date are excluded here; hunt them separately rather than
// letting them fall into the "fresh" bucket by accident
| where isnotnull(TenantAge_days) and TenantAge_days < 45
| summarize Users = make_set(UserPrincipalName) by ResourceTenantId, ResourceDisplayName
```

| Query | What it shows you | Why it matters in real life |
|---|---|---|
| Query 1 – “Show me every employee who has recently signed into someone else’s Microsoft Teams as a guest” | A list of your people (by UPN), the tenant ID of the outside organisation whose Teams they signed into, and, where a creation date is available, how old that tenant is | If you see your employees suddenly appearing in a brand-new Microsoft tenant you have never heard of, that is almost certainly an attacker who tricked them into joining a fake Teams room |
| Query 2 – “Show me only the outside tenants that were created in the last 45 days and now have our employees inside them” | A short, scary list of brand-new Microsoft tenants (often just a few days old) that already managed to pull your users in | Criminals love creating fresh Microsoft tenants because they look clean. Anything under ~45 days old that has your users in it is a giant red flag |
| Query 3 (not shown above but often added) – “Show me files or links that arrived in chats but never got scanned by our normal protection” | Files/links that completely skipped Safe Attachments and Safe Links; this needs file or chat telemetry from the resource tenant or from your endpoints, since the home tenant’s Defender for Office 365 never saw them | Proof that something landed inside your company without any of the normal protection, exactly what happens once a user is inside the attacker’s Teams |
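The same triage logic as the two queries above, re-implemented in Python so the edge cases can be checked offline (a tenant with no creation date must come out as "unknown", not as 0 days old; sign-ins older than the lookback window must drop out). This is an added example, not code from the original article or from Microsoft: the tenant IDs, UPNs and sign-in rows are constructed, and `resourceTenantCreationDate` under `AdditionalDetails` is assumed to be written by your own enrichment, since it is not a documented SigninLogs property.

```python
"""Offline re-implementation of the two hunting queries (added example, constructed data)."""
from datetime import datetime, timezone

HOME_TENANT = "11111111-1111-1111-1111-111111111111"      # constructed: the victim organisation
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed: 4-day-old throw-away tenant
PARTNER_TENANT = "33333333-3333-3333-3333-333333333333"   # constructed: long-standing partner
UNKNOWN_TENANT = "44444444-4444-4444-4444-444444444444"   # constructed: no creation date enriched
NOW = datetime(2025, 12, 2, 12, 0, tzinfo=timezone.utc)   # fixed clock so results are reproducible
FRESH_TENANT_DAYS = 45
LOOKBACK_DAYS = 30


def _row(ts, upn, resource_tenant, user_type="Guest", created=None, app="Microsoft Teams"):
    """Build one SigninLogs-shaped record (subset of columns). 'created' is the assumed enrichment."""
    details = {"resourceTenantCreationDate": created} if created else {}
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "AppDisplayName": app,
            "UserType": user_type, "HomeTenantId": HOME_TENANT,
            "ResourceTenantId": resource_tenant, "AdditionalDetails": details}


SIGNIN_LOGS = [  # constructed sample telemetry, not real sign-ins
    _row("2025-12-01T09:12:00Z", "alice@victim.example", HOME_TENANT, user_type="Member"),
    _row("2025-12-01T10:03:00Z", "bob@victim.example", ATTACKER_TENANT, created="2025-11-28T00:00:00Z"),
    _row("2025-11-29T15:40:00Z", "carol@victim.example", PARTNER_TENANT, created="2019-03-01T00:00:00Z"),
    _row("2025-11-30T08:00:00Z", "dave@victim.example", UNKNOWN_TENANT),
    _row("2025-10-01T11:00:00Z", "erin@victim.example", PARTNER_TENANT, created="2019-03-01T00:00:00Z"),
    _row("2025-12-02T08:00:00Z", "frank@victim.example", ATTACKER_TENANT, created="2025-11-28T00:00:00Z"),
]


def parse_ts(value):
    """ISO-8601 with trailing Z -> aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def tenant_age_days(record, now=NOW):
    """Age of the resource tenant in days, or None when no creation date was enriched."""
    created = record.get("AdditionalDetails", {}).get("resourceTenantCreationDate")
    if not created:
        return None  # unknown is unknown; never coerce to 'created just now'
    return (now - parse_ts(created)).days


def external_teams_signins(records, home_tenant=HOME_TENANT, now=NOW, lookback_days=LOOKBACK_DAYS):
    """Query 1: Teams sign-ins by our users into a tenant other than our own, newest first."""
    findings = []
    for r in records:
        if r.get("AppDisplayName") != "Microsoft Teams":
            continue
        if r.get("HomeTenantId") != home_tenant or r.get("ResourceTenantId") == home_tenant:
            continue
        if (now - parse_ts(r["TimeGenerated"])).days > lookback_days:
            continue
        findings.append({"TimeGenerated": r["TimeGenerated"],
                         "UserPrincipalName": r["UserPrincipalName"],
                         "ResourceTenantId": r["ResourceTenantId"],
                         "TenantAge_days": tenant_age_days(r, now)})
    findings.sort(key=lambda f: f["TimeGenerated"], reverse=True)
    return findings


def fresh_tenants(findings, max_age_days=FRESH_TENANT_DAYS):
    """Query 2: external tenants younger than max_age_days -> set of our users seen inside them."""
    out = {}
    for f in findings:
        age = f["TenantAge_days"]
        if age is None or age >= max_age_days:
            continue
        out.setdefault(f["ResourceTenantId"], set()).add(f["UserPrincipalName"])
    return out


def unknown_age_tenants(findings):
    """External tenants whose age could not be determined; hunt these separately."""
    return sorted({f["ResourceTenantId"] for f in findings if f["TenantAge_days"] is None})


if __name__ == "__main__":
    found = external_teams_signins(SIGNIN_LOGS)
    for f in found:
        print(f)
    print("fresh:", fresh_tenants(found))
    print("unknown age:", unknown_age_tenants(found))
```

With the constructed rows, alice (signed into her own tenant) and erin (outside the 30-day window) drop out, the attacker tenant is reported as fresh with bob and frank inside it, the partner tenant is old and not reported, and the tenant with no creation date is surfaced separately rather than being silently counted as new.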
YARA Rules
```yara
rule Teams_Guest_LNK_PowerShell_Payload_Dec2025
{
    meta:
        description = "Detects LNK files used in Microsoft Teams guest-access attacks – hidden PowerShell with long Base64 payload (Dec 2025 wave)"
        date = "2025-12-02"
        reference = "Ontinue disclosure (26 Nov 2025) + live red-team samples"
        score = 90
    strings:
        // ShellLinkHeader: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
        $lnk_header = { 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 }
        // StringData (target, arguments) in a modern LNK is UTF-16LE, hence 'wide' everywhere,
        // including on the Base64 regex, which the ASCII-only form would never match in a LNK
        $powershell = "powershell" ascii wide nocase
        $hidden = "-WindowStyle Hidden" ascii wide nocase
        $bypass = "-ExecutionPolicy Bypass" ascii wide nocase
        $b64 = /[A-Za-z0-9+\/]{180,}={0,2}/ ascii wide
    condition:
        uint32(0) == 0x0000004C and
        $lnk_header at 0 and
        all of ($powershell, $hidden, $bypass, $b64)
}

rule Teams_Guest_ISO_DLL_Sideloading_Dec2025
{
    meta:
        description = "Detects ISO/IMG files containing LNK + DLL sideloading payloads used in Teams guest-access attacks (Dec 2025 wave)"
        date = "2025-12-02"
        reference = "Ontinue disclosure (26 Nov 2025) + live red-team samples"
        score = 95
    strings:
        // ISO 9660 standard identifier "CD001" sits one byte into each volume descriptor:
        // sector 16 (32768+1), 17 (34816+1) or 18 (36864+1). Offsets belong in the condition,
        // YARA has no 'offset' string modifier.
        $iso_magic = "CD001" ascii
        // ISO 9660 directory records store names as ASCII ("PAYLOAD.LNK;1");
        // Joliet stores them as UTF-16BE, which YARA's 'wide' (UTF-16LE) does not match,
        // so the big-endian form is spelled out as a hex string with case alternatives
        $lnk_ascii = ".lnk" ascii nocase
        $lnk_joliet = { 00 2E 00 (4C|6C) 00 (4E|6E) 00 (4B|6B) }
        $lolbin = /version\.dll|mshtml\.dll|werfault\.exe/ ascii nocase
    condition:
        ($iso_magic at 32769 or $iso_magic at 34817 or $iso_magic at 36865) and
        any of ($lnk_*) and
        $lolbin
}
```

Recommended Immediate Actions
| Priority | Control | Implementation Details | Expected Impact |
|---|---|---|---|
| Critical | Restrict your users’ outbound B2B guest access to trusted tenants only | Entra ID → External Identities → Cross-tenant access settings → Organization-wide default → Outbound access → B2B collaboration → Block all users and groups; then add per-organization settings that allow verified partner tenants. This attack is outbound from your point of view (your user becomes a guest in the attacker’s tenant), so the inbound default, which governs external guests entering your tenant, does not stop it; restrict inbound too, but as a separate control. Inventory existing cross-tenant sign-ins first (Query 1), because a default block also cuts off legitimate collaborations | Eliminates uncontrolled guest onboarding into external tenants (recommended primary control) |
| Critical | Disable MC1182004 (“Chat with any email address”) globally | Teams admin center → Messaging policies → Global (Org-wide default) → Users can chat and communicate with any email address → Off, or via PowerShell: Set-CsTeamsMessagingPolicy -Identity Global -AllowChatWithAnyone $false. Check the current value first with Get-CsTeamsMessagingPolicy -Identity Global, and remember that custom messaging policies assigned to users override the Global one | Prevents automatic generation of external guest invitations |
| High | Enforce multifactor authentication for all guest and external users | Conditional Access → New policy → Users → Include → All guest and external users → Access controls → Grant → Require multifactor authentication. This protects the inbound direction only (external guests in your tenant); it does nothing for your own users once they are inside someone else’s tenant, where that tenant’s CA applies | Adds an authentication barrier for guest sessions established in your tenant |
| High | Deploy detection rules and scheduled hunting queries | 1. Load the YARA rules above into a YARA-capable scanner (sandbox, file-scanning pipeline, or an EDR with a YARA integration); Defender for Endpoint custom indicators accept hashes, IPs, URLs and certificates, not YARA 2. Create scheduled analytics/Advanced Hunting alert rules from the KQL queries provided | Provides near-real-time visibility and alerting on active exploitation |
| Medium | Review and clean up existing external guest relationships | Run the provided hunting queries (widen the 45-day threshold to 90 for the review) → investigate any external tenants <90 days old, any with no determinable age, or any with anomalous activity → remove unnecessary guest relationships | Reduces existing attack surface from prior exposure |
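For the “Deploy detection rules” row, a file-level check that mirrors the two YARA rules above but works structurally: it parses the MS-SHLLINK header and StringData of a .lnk to recover the real command line instead of grepping raw bytes, and it also treats a ShowCommand of SW_SHOWMINNOACTIVE as a hidden window, which the byte-pattern rule cannot see. This is an added example, not code from the original article, from the YARA rule authors or from any vendor; `build_lnk()` and `build_iso()` produce constructed, non-functional fixtures purely so the checks can be exercised, and the indicator names are this example’s own.

```python
"""Structural LNK/ISO sideload check (added example, constructed fixtures, no real samples)."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # LinkCLSID 00021401-0000-0000-C000-000000000046
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location"))                  # order fixed by MS-SHLLINK
SW_SHOWMINNOACTIVE = 7          # ShowCommand value attackers use to keep the console off screen
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{180,}={0,2}")


def build_lnk(arguments, show_command=SW_SHOWMINNOACTIVE,
              target=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"):
    """Constructed fixture: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS, no IDList or LinkInfo."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    encode = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + encode(target) + encode(arguments)


def parse_lnk(data):
    """Header fields and StringData of a .lnk, or None if there is no ShellLinkHeader."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_IDLIST:            # LinkTargetIDList: 2-byte size, then the ITEMIDLIST
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:          # LinkInfo: its size field counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, name in STRING_FLAGS:   # each string: CountCharacters, then chars (UTF-16LE if IsUnicode)
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += count * width
    return info


def lnk_indicators(data):
    """Indicators found in the recovered command line (empty for a non-LNK or a clean one)."""
    lnk = parse_lnk(data)
    if lnk is None:
        return []
    cmd = " ".join(lnk.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    low = cmd.lower()
    hits = []
    if "powershell" in low or "pwsh" in low:
        hits.append("powershell")
    if re.search(r"-w(indowstyle)?\s+hidden", low) or lnk["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("hidden_window")
    if re.search(r"-e(p|xecutionpolicy)\s+bypass", low):
        hits.append("execution_policy_bypass")
    if B64_BLOB.search(cmd):          # case-sensitive, on the original text
        hits.append("long_base64")
    return hits


def is_malicious_lnk(data):
    """Same decision as the first YARA rule: all four indicators must be present."""
    return {"powershell", "hidden_window", "execution_policy_bypass", "long_base64"} <= set(lnk_indicators(data))


def build_iso(lnk_name=b"PAYLOAD.LNK;1", sideload=b"version.dll"):
    """Constructed fixture: 40 KiB image with a primary volume descriptor at sector 16 and
    two fake directory entry names; not a mountable ISO."""
    img = bytearray(40 * 1024)
    img[32768] = 1                                # volume descriptor type: primary
    img[32769:32774] = b"CD001"                   # standard identifier, one byte into the descriptor
    img[36864:36864 + len(lnk_name)] = lnk_name
    img[37000:37000 + len(sideload)] = sideload
    return bytes(img)


def is_iso_with_sideload(data):
    """Same decision as the second YARA rule, including Joliet (UTF-16BE) names for the .lnk check."""
    has_descriptor = any(data[off:off + 5] == b"CD001" for off in (32769, 34817, 36865))
    low = data.lower()
    has_lnk = b".lnk" in low or ".lnk".encode("utf-16-be") in low
    has_lolbin = re.search(rb"version\.dll|mshtml\.dll|werfault\.exe", low) is not None
    return has_descriptor and has_lnk and has_lolbin


if __name__ == "__main__":
    sample = build_lnk("-WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand " + "QQ" * 120)
    print(lnk_indicators(sample), is_malicious_lnk(sample))
    print(is_iso_with_sideload(build_iso()))
```

Parsing the StringData is what makes the check robust to the usual evasions of a raw-bytes rule: an attacker can split `-WindowStyle Hidden` into `-w hidden` or rely on ShowCommand alone, and both are still caught here, while a benign shortcut that merely launches PowerShell with a script path and a normal window is not flagged.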
