Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

New Microsoft Teams feature raises security flags

Written by Farah Amod | November 22, 2025

An upcoming update will let users chat with anyone using just an email address, prompting concerns over phishing and malware risks.


What happened

According to Cyber Security News, Microsoft is rolling out a new “Chat with Anyone” feature for Teams that allows users to start a conversation with any external email address, even if the recipient is not a Teams user. The update is already reaching targeted users as of November 2025 and is expected to roll out globally by January 2026.

Once invited, recipients join the chat as guest users via their email, making the experience seamless across platforms like Android, iOS, desktop, and Linux. While designed for flexibility and ease of communication, the feature introduces new attack surfaces for threat actors.


Going deeper

The core risk stems from how easily attackers can mimic legitimate chat invites. Since email addresses are the only requirement, a malicious actor could send spoofed chat requests that appear to come from trusted business contacts. Clicking these could lead to credential theft, malware infections, or ransomware attacks, all within the Teams environment.

Security experts liken the risk to previous OAuth phishing tactics, where attackers impersonated platforms to gain trust and extract data. Teams’ guest chat operates under Entra B2B Guest policies but still resides within the organization's communication space, which means unsuspecting employees might unknowingly disclose proprietary data or violate regulations like GDPR.

Another concern is malware propagation: files shared in these chats bypass traditional email gateways, meaning infected attachments can be shared inside Teams without triggering standard filtering tools.


What was said

Microsoft has confirmed that the update affects all Teams users and encourages organizations to revise internal documentation and educate support teams. However, because the feature is enabled by default, companies may not realize the change until after an incident occurs.

The company recommends administrators use PowerShell to disable external email-based chat by modifying the UseB2BInvitesToAddExternalUsers attribute within TeamsMessagingPolicy. This restricts guest invites to pre-approved B2B users only. Security professionals also advise pairing this with MFA enforcement, routine policy audits, and ongoing staff training to reduce phishing success rates.
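Turning that recommendation into a repeatable audit-and-remediate step, as an added example (not code from the article, Microsoft, or Paubox). It assumes the MicrosoftTeams PowerShell module and a Teams administrator account, uses the UseB2BInvitesToAddExternalUsers setting on TeamsMessagingPolicy exactly as the article names it, and assumes the setting takes the values Enabled/Disabled; that value assumption should be confirmed against Get-Help before running in a tenant.

```powershell
# Added example (not from the article or Microsoft docs): audit every Teams
# messaging policy for the setting the article names, disable it where it is
# still on, and verify the result.
# Assumptions: MicrosoftTeams module installed, Teams admin rights; the
# parameter name UseB2BInvitesToAddExternalUsers is the one quoted in the
# article; the values 'Enabled'/'Disabled' are assumed. Confirm with:
#   Get-Help Set-CsTeamsMessagingPolicy -Parameter UseB2BInvitesToAddExternalUsers

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

$setting = 'UseB2BInvitesToAddExternalUsers'

# 1. Audit: show the current value on every policy, not just Global, because a
#    user assigned a custom policy is governed by that policy, not Global.
Get-CsTeamsMessagingPolicy |
    Select-Object Identity, @{ Name = $setting; Expression = { $_.$setting } } |
    Format-Table -AutoSize

# 2. Find the policies that still allow email-based external invites.
$open = Get-CsTeamsMessagingPolicy | Where-Object { $_.$setting -eq 'Enabled' }

if (-not $open) {
    Write-Host 'No messaging policy currently allows email-based external invites.'
    return
}

# 3. Remediate: restrict each open policy to pre-approved B2B users by
#    disabling the setting (assumed value, see note above).
foreach ($policy in $open) {
    $params = @{
        Identity = $policy.Identity
        $setting = 'Disabled'
    }
    Set-CsTeamsMessagingPolicy @params
    Write-Host "Disabled email-based external chat on policy '$($policy.Identity)'."
}

# 4. Verify before closing the change: anything not 'Disabled' is flagged.
Get-CsTeamsMessagingPolicy |
    Where-Object { $_.$setting -ne 'Disabled' } |
    ForEach-Object { Write-Warning "Policy '$($_.Identity)' still reports: $($_.$setting)" }
```

The audit step is deliberately run across all policies rather than only the Global one, since a per-user custom policy overrides Global and would otherwise be missed. If the tenant exposes the setting as a boolean rather than the assumed Enabled/Disabled strings, adjust the comparison in steps 2 and 4 accordingly; Teams policy changes can also take some time to propagate to clients, so re-run the verification later rather than immediately after the change.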


The big picture

Microsoft’s new Teams feature shows how usability improvements can inadvertently weaken organizational security. Allowing external users to chat through email-based invitations introduces risks that go beyond traditional phishing: malware delivery, credential theft, and unauthorized data sharing all become more plausible within trusted collaboration ecosystems. Because the feature is enabled by default, companies that fail to review and adjust their security policies may not notice the exposure until after an incident.

Alongside Microsoft’s recommended administrative controls, organizations can strengthen their defenses with Paubox Inbound Email Security. Its generative AI analyzes tone, intent, and relationship context to detect phishing attempts and social engineering that might originate from or extend beyond standard email channels. Used in tandem, these measures help reduce the likelihood that external communication exploits will slip through conventional safeguards.


FAQs

Does this feature bypass existing email security tools?

Yes. Since interactions occur within Teams, traditional email filters are bypassed, allowing malware to be shared as chat attachments without triggering standard email protections.


What’s the difference between a guest and a B2B user in Teams?

A B2B user is an external contact authenticated and managed via Azure AD, while a guest added via email may not go through the same validation process, depending on policy settings.