Microsoft’s drive to make external collaboration in Teams nearly effortless has created a gap most security teams aren’t watching. New research from Ontinue shows that when users move into another organization’s tenant—even for something as simple as a chat—they aren’t bringing their own protections with them but rather stepping into whatever security posture the host has in place. It’s an architectural quirk that attackers can now turn into an entry point, especially as Microsoft rolls out features that make cross-tenant interaction easier than ever.
Microsoft has been steering its cloud ecosystem toward easier cross-tenant work for years. The company wants Teams, Entra ID (formerly Azure AD), and the broader Microsoft 365 stack to feel borderless, whether users are working with vendors, partners, or customers. Each cycle brings another refinement meant to reduce the friction that normally slows external collaboration.
The next big step in that direction landed in November with the MC1182004 update. Now, any Teams user can start a chat with any email address, and the feature is on by default. If the recipient accepts the invitation, the connection forms instantly, and the conversation moves forward as if both parties were in the same ecosystem. That change sits at the center of Ontinue’s findings.
Now Entering the “Protection-Free Zone”
Protections like Safe Links, Safe Attachments, malware scanning, and zero-hour auto-purge are enforced by the tenant that hosts the conversation, not by the guest’s home tenant, so they don’t carry over when a user joins an external tenant. Attackers can take advantage of that gap: they can spin up their own Microsoft 365 tenants using low-cost plans that ship with minimal protections, or disable the defaults outright. Once a victim accepts the guest invite, the attacker can deliver links or files inside that tenant without the filtering the victim’s organization expects. Ontinue says this creates a “protection-free zone” that can be used to run phishing campaigns inside what appears to be a legitimate Microsoft Teams conversation.
This dynamic effectively changes the threat model. Attackers no longer need a relationship with the target or a prior exchange to gain a foothold. They can generate thousands of invitations at scale, each one a doorway into an attacker-controlled tenant.
On the user side, nothing feels suspicious. The UX is smooth, familiar, and branded. A Teams invitation looks like routine business, and most people have been trained to treat Teams as a safer channel than email. Accepting the invite feels like clicking “Join meeting,” not stepping into a different security environment. The risk is compounded by the fact that most organizations leave cross-tenant settings wide open to avoid disrupting collaboration, which means invitations from almost any external tenant go largely unchecked.
“Much of the risk now lives in the connectivity between tenants, identity systems, and collaboration tools, rather than in the individual apps themselves,” said Julian Brownlow Davies, Senior Vice President, Offensive Security Strategy & Operations at Bugcrowd. “You cannot solely tune your own Microsoft 365 policies and hope for the best. You have to assume that attackers will abuse ‘legitimate’ collaboration features and design your controls, testing, and monitoring around that reality.”
What Security Teams Can Do Now
The mechanics of cross-tenant collaboration aren’t changing anytime soon, so the response has to start with policy. Most organizations leave Entra ID’s cross-tenant access settings at their defaults, which allow guest collaboration with any external tenant. That needs a second look in both directions: inbound settings govern who can be invited into your tenant, while outbound settings govern which external tenants your own users may join as guests, and it is the outbound side that decides whether an employee can accept an invitation from an unknown tenant. Restricting either to vetted partners, or requiring approval for unknown tenants, cuts down the attack surface immediately.
Entra ID (formerly Azure AD) sign-in and audit logs also become more important. Anomalous guest activity should stand out: your own users signing into external tenants that have never appeared before, or a burst of employees redeeming invitations into the same unknown tenant within a short window. These patterns are often the first sign someone is using Teams invites as a lure.
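The two controls above, an allowlist of vetted partner tenants and a watch for new or bursty cross-tenant sign-ins, can be exercised together against sign-in log data. The following is an added example written for this article; it is not Ontinue’s tooling or anything Microsoft ships. The field names (userPrincipalName, createdDateTime, homeTenantId, resourceTenantId, crossTenantAccessType) follow the Entra ID sign-in log schema, but every record, tenant ID and threshold below is constructed for illustration:

```python
"""Flag anomalous outbound cross-tenant (guest) sign-ins from Entra ID sign-in logs.

Added example, not part of the original article or Ontinue's research. Field
names follow the Entra sign-in log schema; the records, tenant IDs, allowlist
and thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: our own tenant and the partner tenants we have vetted. In a real
# deployment this allowlist should mirror the partner entries configured in
# Entra cross-tenant access settings.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
UNKNOWN_TENANT = "33333333-3333-3333-3333-333333333333"
ATTACKER_TENANT = "99999999-9999-9999-9999-999999999999"
VETTED_PARTNERS = {PARTNER_TENANT}


def _signin(ts, upn, home, resource, kind="b2bCollaboration"):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "homeTenantId": home, "resourceTenantId": resource,
            "crossTenantAccessType": kind}


# Constructed sample records (not real logs).
SAMPLE_SIGNINS = [
    # Normal guest work in a vetted partner tenant.
    _signin("2025-11-20T09:01:00Z", "alice@corp.example", HOME_TENANT, PARTNER_TENANT),
    # Four employees redeem invites into the same never-seen tenant within ten minutes.
    _signin("2025-11-20T10:02:00Z", "bob@corp.example", HOME_TENANT, ATTACKER_TENANT),
    _signin("2025-11-20T10:05:00Z", "carol@corp.example", HOME_TENANT, ATTACKER_TENANT),
    _signin("2025-11-20T10:09:00Z", "dave@corp.example", HOME_TENANT, ATTACKER_TENANT),
    _signin("2025-11-20T10:11:00Z", "erin@corp.example", HOME_TENANT, ATTACKER_TENANT),
    # One employee in an unvetted tenant: worth review, but no burst.
    _signin("2025-11-20T11:00:00Z", "frank@corp.example", HOME_TENANT, UNKNOWN_TENANT),
    # Ordinary internal sign-in: excluded.
    _signin("2025-11-20T11:30:00Z", "grace@corp.example", HOME_TENANT, HOME_TENANT, "none"),
    # An external guest entering OUR tenant (inbound): a different question, excluded here.
    _signin("2025-11-20T11:45:00Z", "mallory@other.example", ATTACKER_TENANT, HOME_TENANT),
]


def _parse_ts(value):
    # Entra timestamps are UTC with a trailing Z; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def external_signins(records, home_tenant):
    """Keep only outbound guest sign-ins: a home-tenant user reaching another tenant."""
    return [r for r in records
            if r["homeTenantId"] == home_tenant
            and r["resourceTenantId"] != home_tenant]


def analyze(records, home_tenant, vetted, window=timedelta(minutes=15), burst_threshold=3):
    """Group outbound guest sign-ins by destination tenant and report findings.

    A tenant is reported if it is not on the vetted allowlist, or if at least
    burst_threshold distinct users signed into it within one sliding window
    (an invitation blast redeemed by many employees at once).
    """
    by_tenant = defaultdict(list)
    for r in external_signins(records, home_tenant):
        by_tenant[r["resourceTenantId"]].append(r)

    findings = {}
    for tenant, rows in by_tenant.items():
        rows.sort(key=lambda r: r["createdDateTime"])
        times = [_parse_ts(r["createdDateTime"]) for r in rows]
        # Largest number of distinct users inside any window starting at a sign-in.
        max_burst = 0
        for i, start in enumerate(times):
            in_window = {rows[j]["userPrincipalName"]
                         for j in range(i, len(rows)) if times[j] - start <= window}
            max_burst = max(max_burst, len(in_window))
        reasons = []
        if tenant not in vetted:
            reasons.append("unvetted_tenant")
        if max_burst >= burst_threshold:
            reasons.append("invite_burst")
        if reasons:
            findings[tenant] = {
                "users": sorted({r["userPrincipalName"] for r in rows}),
                "max_users_in_window": max_burst,
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for tenant, f in analyze(SAMPLE_SIGNINS, HOME_TENANT, VETTED_PARTNERS).items():
        print(tenant, f["reasons"], f["users"])
```

Against the constructed data the attacker tenant is flagged for both reasons, the single unvetted sign-in is flagged for review only, and the vetted partner tenant is silent. In production the records would come from the Graph sign-in log or a SIEM export rather than an inline list, and the allowlist should be the same set of tenants the cross-tenant access policy actually permits, so that a tenant appearing in the logs but not in the policy is itself a finding.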
User education has to fill the gap Microsoft’s interface doesn’t explain. Employees need to know when they’ve crossed into another tenant, what protections disappear in that space, and why a Teams invitation should be treated the same way they treat a suspicious email.
Some organizations go further and bring in identity-aware defenses that watch behavior across tenant boundaries. Tools in that category can spot unusual cross-tenant movement or highlight risky external environments before someone walks into them. They don’t replace policy, but they give teams more visibility in a part of the ecosystem that tends to stay in the shadows.
The Road Ahead: Collaboration Growth vs. Security Reality
Microsoft isn’t slowing down on cross-tenant collaboration. The trend line is clear: fewer barriers, more seamless interactions, and a user experience that makes external conversations feel as natural as internal ones. Ontinue’s research highlights the trade-off that comes with that direction. Every step toward frictionless collaboration opens more space where security teams have little influence and even less visibility.
What’s missing today is a way to see and judge the tenants users are stepping into. Organizations need clearer signals about the security posture of external environments—something like a trust score that reflects how those tenants are configured. They also need controls that travel with the user instead of stopping at the tenant boundary. Without those, attackers will keep exploiting the gap.
Until that ecosystem matures, guest access has to be treated as a high-risk activity. Every invitation is an entry into an environment the organization doesn’t control. Security teams can tighten policies and educate users, but the underlying architecture remains the same. The safest assumption for now is simple: if it’s an external tenant, protections are limited, and the stakes are higher.
“Ontinue’s research is a reminder that modern collaboration spans security boundaries, and planning for that movement is essential,” said Shane Barney, Chief Information Security Officer at Keeper Security. “With the right controls in place, the risks created by operating in an external tenant can be contained before they lead to more serious consequences.”