A newly highlighted flaw in Microsoft’s cross-tenant collaboration mannequin reveals that after a person accepts a visitor invitation in Groups, their Defender for Workplace 365 protections are dropped totally, leaving them uncovered inside an exterior tenant even whereas logged in with their house account.
In response to Ontinue menace researcher Rhys Downing, one in all Microsoft’s not too long ago enabled options, “MC1182004,” that enables Groups customers to provoke chats with any e mail handle, opens an assault vector for menace actors who know cross-tenant safety limitations.
“Many organizations assume their controls ‘comply with’ the person wherever they go,” stated Julian Brownlow Davies, senior vp, offensive safety technique & operations at Bugcrowd. “In actuality, attackers can spin up a poorly secured tenant, invite your customers in with what seems to be like a wonderfully professional Microsoft Groups e mail, and ship hyperlinks and recordsdata that by no means contact your individual Defender stack in any respect.”
