Teams Is the New Attack Surface Nobody Is Securing
Microsoft Teams has become the default communication hub for millions of organizations. But while email security gets all the attention, Teams security is largely overlooked. The default settings prioritize ease of collaboration over security, which creates risks that most admins do not realize exist.
Attackers know this. Phishing via Teams messages, malicious file sharing through channels, and exploiting overly permissive guest access are all active attack vectors in 2026.
Guest Access: The Open Door You Forgot About
Teams guest access lets external users join your teams, access channels, chat, and share files. It is incredibly useful for collaboration — and incredibly risky when misconfigured.
What to audit:
- Is guest access enabled at the org level? If so, who can invite guests?
- Can guests create, update, or delete channels?
- Can guests access files in SharePoint sites connected to teams?
- Are there guest users from months or years ago who still have access?
- Can guests see the membership of other teams?
Recommended settings:
- Limit guest invitations to team owners (not all members)
- Disable guest ability to create or delete channels
- Set guest access expiration through Azure AD access reviews (90-day review cycle)
- Restrict guest access to specific teams rather than allowing org-wide guest permissions
- Block guests from discovering other teams and channels
Third-Party App Permissions Are a Blind Spot
Teams supports a rich app ecosystem — bots, connectors, tabs, and messaging extensions. Each of these can request permissions to read messages, access files, or interact with other M365 services.
Risks to address:
- Users installing unvetted third-party apps that request broad permissions
- Connectors that send data to external services
- Bots with access to channel messages and files
- Custom apps deployed without security review
Recommended app governance:
- Set the org-wide app permission policy to block all third-party apps by default
- Create an allow list of vetted and approved apps
- Review which apps are currently installed across all teams
- Restrict who can install custom apps (limit to IT admins)
- Regularly audit app permissions and connected services
Meeting Security Settings
Teams meetings are where sensitive business conversations happen. The default settings may expose more than you intend.
Key meeting settings to review:
- Lobby settings: Require all external participants (and optionally anonymous users) to wait in the lobby. Do not let anonymous users bypass the lobby.
- Presenter roles: Set the default presenter role to “Only organizers and co-organizers” for sensitive meetings. The “Everyone” default lets any participant share their screen or take control.
- Recording permissions: Decide who can record meetings and where recordings are stored. Ensure recordings containing sensitive discussions are stored in appropriate SharePoint locations with access controls.
- External participant access: Determine whether users from other M365 organizations can join meetings, and whether anonymous (non-authenticated) users can join.
- Chat in meetings: For sensitive meetings, consider disabling meeting chat or restricting it to in-meeting only (no persistent chat history).
Channel and Team Creation Governance
When any user can create teams and channels, you end up with sprawl: hundreds of abandoned teams, duplicated channels, and inconsistent naming that makes governance impossible.
Governance recommendations:
- Restrict team creation to a specific security group (IT, team leads, or department heads)
- Implement a naming convention policy (e.g., “DEPT - Team Name”)
- Set team expiration policies (inactive teams expire after 180 days with owner notification)
- Create an approval workflow for new team requests
- Regularly audit and archive inactive teams
Communication Compliance and DLP
Teams messages can contain sensitive information — credit card numbers, health records, confidential business data. Without policies in place, this content flows freely through channels and chats.
Policies to implement:
- Extend DLP policies to cover Teams chat and channel messages (not just email and SharePoint)
- Create communication compliance policies to detect inappropriate content or policy violations
- Configure information barriers if your organization requires them (e.g., separating research and trading teams in financial services)
- Enable sensitivity labels for teams to automatically apply security settings based on the team’s classification
Monitoring Teams Activity
Teams activity should be part of your security monitoring, not just your email and file monitoring.
What to monitor:
- New guest additions to teams
- Third-party app installations
- Large file uploads or downloads via Teams
- External sharing from Teams-connected SharePoint sites
- Changes to Teams policies and settings
Include Teams in Your Security Assessments
Most security audits focus on identity and email. Teams is often an afterthought, which is exactly why it is where risks hide.
365 Security Assessment includes Teams security configuration in its comprehensive M365 audit, checking guest access settings, app permissions, meeting policies, and channel governance as part of its 12,000+ data point analysis.
Run your free assessment and see what your Teams security posture really looks like.