Cybersecurity News in Asia

Features
- Featured
  
  Moving away from reactive cybersecurity to preemptive, continuous AI-powered cyber vigilance
  
  Monday, January 12, 2026, 10:01 AM Asia/Singapore | Features, Newsletter
- Featured
  
  Leveraging digital twins to combat rising AI-powered threats
  
  Thursday, January 8, 2026, 1:58 PM Asia/Singapore | Features
- Featured
  
  Editor's pick: Cybersecurity trends in 2026
  
  Wednesday, January 7, 2026, 10:36 AM Asia/Singapore | Cyberthreat Landscape, Features, Newsletter
Opinions
Tips
Whitepapers
Awards 2025
Directory
E-Learning

Beware of new phishing attack vector coming your way

By CybersecAsia editors | Tuesday, November 11, 2025, 8:30 AM Asia/Singapore

Anyone could soon target you for a chat session, using a new feature enabled by default in a popular collaboration tool.

While the world tries to plug every loophole and risk that could expose people to phishing attacks, one software giant is toying with just the opposite.

In a feature expected to roll out starting November 2025, users of Microsoft Teams will be able to initiate chats with anyone just by supplying an email address, without requiring the recipient to be a Teams user.

This update, aimed at enhancing seamless collaboration across platforms such as Android, desktop, iOS, Linux, and Mac, allows external guest users to join conversations via email invites under Microsoft Entra B2B Guest policies. While it aims to improve flexibility in communication, cybersecurity experts have raised alarms about significant security risks associated with the default-enabled setting.

The primary concern is the increased attack surface:

By allowing external email-based chat initiations without prior validation or vetting, the feature opens avenues for phishing attacks and malware distribution. Malicious actors could send spoofed chat invites posing as trusted contacts or business partners, tricking employees into clicking harmful links, sharing credentials, or unknowingly exposing proprietary information.
This vector is likened to OAuth phishing campaigns, which rely heavily on impersonation to harvest sensitive data. The risks are compounded because file exchanges within Teams may bypass traditional email security filters, raising the threat of ransomware or spyware infiltrations.
Microsoft advises organizations to update internal policies and train staff on the new functionality. Administrators can mitigate risks by disabling the feature through PowerShell, using the TeamsMessagingPolicy attribute ‘UseB2BInvitesToAddExternalUsers’ set to false, thus restricting chats to vetted external users only.

Experts recommend additional security measures such as enforcing multi-factor authentication, conducting regular audits, and running comprehensive phishing awareness training.

Overall, while the new Teams feature offers improved external communication capabilities, the illogical choice to enable it by default will place the onus of security and privacy vigilance on users.