
Microsoft Teams’ guest chat feature exposes cross-tenant blind spot

A newly highlighted flaw in Microsoft’s cross-tenant collaboration model reveals that after a user accepts a guest invitation in Teams, their Defender for Office 365 protections are dropped entirely, leaving them unprotected inside an external tenant even while logged in with their home account.

According to Ontinue threat researcher Rhys Downing, one of Microsoft’s recently enabled features, “MC1182004,” which allows Teams users to initiate chats with any email address, opens an attack vector for threat actors who know cross-tenant security limitations.

“Many organizations assume their controls ‘follow’ the user wherever they go,” said Julian Brownlow Davies, senior vice president, offensive security strategy & operations at Bugcrowd. “In reality, attackers can spin up a poorly secured tenant, invite your users in with what looks like a perfectly legitimate Microsoft Teams email, and send links and files that never touch your own Defender stack at all.”
