Security Risks of B2B Guest Users in Azure

Summary

The security risks of B2B guest users in Azure are the threats that arise when external users are given access to an organization's Azure resources, which can grant them unintended privileges or expose sensitive data. This can happen through design decisions, configuration gaps, or limited visibility into guest user activity, making it easier for attackers to abuse that access or bypass security protections.

  • Review guest permissions: Regularly audit guest user access and adjust settings to restrict their ability to view internal groups, create subscriptions, or transfer resources within your Azure environment.
  • Monitor guest activity: Set up alerts and track unusual actions by guest users, watching for signs of phishing, privilege escalation, or unauthorized resource creation.
  • Update access policies: Apply stricter Conditional Access rules and disable unnecessary billing permissions to help prevent hidden abuse and maintain control over guest accounts.
Summarized by AI based on LinkedIn member posts
  • Zlatko Hristov (SecOps)

    Critical Alert for Microsoft Teams Users: A New Guest Chat Vulnerability Bypass. A newly disclosed flaw in Microsoft Teams' B2B guest access allows threat actors to bypass Defender for Office 365 protections, turning chats into malware traps.
    - The Exploit: Following the November 25 update, anyone can invite external users (even via email) as guests by default. Once you're in their "resource tenant," your home org's policies, such as Safe Links and Attachments, will be ignored. Attackers spin up cheap trial tenants, drop unchecked phishing links/files, and watch for incoming connections.
    - Real Risks: Low barrier for bad guys: A bare-bones tenant and an invite. Quick fixes in the article.
    For Detection & Response:
    - Visibility: Implement 5-10 SIEM alerts to monitor for related and future scenarios.
    - Assurance: Conduct a retrospective hunt over the last 90 days to identify any potential prior compromise.

  • Michael Tchuindjang (Cybersecurity Thought Leader | Bridging Academia & Industry | Mentor for Startups & Aspiring Cyber Pros | Board Member Driving Cyber Impact | Associate Lecturer in Cybersecurity)

    Microsoft Entra Design Lets Guest Users Gain Azure Control, Researchers Say. Cybersecurity researchers at BeyondTrust are warning about a little-known but dangerous issue within Microsoft’s Entra identity platform. The issue isn’t some hidden bug or overlooked vulnerability; it’s a feature, built into the system by design, that attackers can exploit. The issue is that guest users invited into an organization’s Azure tenant can create and transfer subscriptions inside that tenant without having any direct admin privileges there. Once they do, they gain “Owner” rights over that subscription, opening up a surprising set of attack opportunities that many Azure administrators might never have considered. BeyondTrust researchers demonstrated how an attacker could exploit this issue in practice. An attacker could start by setting up their own Azure tenant using a free trial, which automatically gives them billing authority. Microsoft has stated that this is intended behaviour, meant to support complex multi-tenant setups where guests sometimes need to create resources. They provide subscription policies that can block these transfers, but these controls are off by default. For cybersecurity teams, this means the risk remains active until they take clear action. BeyondTrust recommends several key steps to reduce exposure including enabling subscription policies that block guest-led transfers, regularly auditing guest accounts and removing any that are unused or unnecessary... [Source in the comments section]

  • Monday morning cyber coffee read CCTR.24.JUN.25. ☕️
    📌 A coordinated insider threat at Coinbase, one of the world’s largest #cryptocurrency exchanges, has led to a data breach affecting nearly 70,000 customers, after bribed contractors in India 🇮🇳 exfiltrated sensitive information from the company’s outsourced support operations. 👉 The attackers demanded a $20 million ransom, which Coinbase refused, offering instead a $20 million bounty for information leading to arrests. ⚠️ The leaked data poses a high risk of phishing and impersonation scams. ✅ Organisations using outsourced support services must reassess insider threat controls. ✅ Customers should remain vigilant for fraud attempts impersonating Coinbase. https://lnkd.in/gSiA3_iJ
    📌 Turns out that Microsoft Entra ID guest accounts can be abused to create their own Microsoft Azure subscriptions in external tenants, even with limited privileges, by exploiting overlooked billing permissions. 👉 This allows external guests to create subscriptions within your tenant without administrator awareness, enabling stealthy access, persistence, and potential lateral movement for threat actors. The threat often goes undetected due to gaps in Azure threat modelling. ⚠️ Organisations leveraging Entra ID B2B guest access without robust policies and governance are particularly vulnerable. ✅ Now is the time to reassess guest access controls, review subscription governance, audit guest activity and restrict billing-related permissions to prevent abuse. https://lnkd.in/g4wbHtwy
    📌 Residential proxies have become a core enabler of cybercrime, surpassing traditional bulletproof hosting by providing attackers with vast, home-user-like IP pools that easily bypass geo-blocking, anti-fraud systems and IP-based defences. 👉 Cybercriminals are increasingly leveraging compromised #IoT and compromised mobile devices to build modular proxy networks capable of running credential stuffing, data scraping and fraud operations directly from infected endpoints. ✅ Organisations should move beyond IP blocklists and adopt session-level / fingerprint-based detection to identify malicious activity in real time. https://lnkd.in/grxA6eVv
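The control both the BeyondTrust write-up above and the coffee-read item point at is the tenant-wide Azure subscription policy, which is off by default. The script below is an added example (not BeyondTrust's or either poster's code): it audits a policy document of the shape returned by the ARM `Microsoft.Subscription/policies/default` endpoint and builds the hardened body that blocks subscriptions from entering or leaving the tenant. The sample policy documents are constructed, not captured from a real tenant.

```python
"""Audit the tenant-wide Azure subscription policy and emit the hardened body.

Added example, not BeyondTrust's or the poster's code. Assumptions: the policy
document has the shape returned by the ARM endpoint below (api-version
2021-10-01); the sample documents are constructed, not captured from a tenant."""
import json

POLICY_URL = ("https://management.azure.com/providers/Microsoft.Subscription"
              "/policies/default?api-version=2021-10-01")

# Constructed sample of the out-of-the-box state: both blocks off, nobody exempted.
DEFAULT_POLICY = {
    "id": "/providers/Microsoft.Subscription/policies/default",
    "properties": {
        "blockSubscriptionsIntoTenant": False,
        "blockSubscriptionsLeavingTenant": False,
        "exemptedPrincipals": [],
    },
}


def audit_subscription_policy(policy):
    """Return findings as strings; an empty list means transfers are blocked both ways."""
    props = policy.get("properties", {})
    findings = []
    if not props.get("blockSubscriptionsIntoTenant", False):
        findings.append("transfers INTO the tenant allowed: a guest with billing "
                        "rights in another tenant can bring a subscription in")
    if not props.get("blockSubscriptionsLeavingTenant", False):
        findings.append("transfers OUT of the tenant allowed")
    exempted = props.get("exemptedPrincipals") or []
    if exempted:  # exemptions are legitimate, but each one widens the exposure
        findings.append("exempted principals: " + ", ".join(exempted))
    return findings


def hardened_policy(exempted_principals=None):
    """Body for PUT POLICY_URL: block both directions, exempt only the listed object IDs."""
    return {"properties": {
        "blockSubscriptionsIntoTenant": True,
        "blockSubscriptionsLeavingTenant": True,
        "exemptedPrincipals": list(exempted_principals or []),
    }}


if __name__ == "__main__":
    for finding in audit_subscription_policy(DEFAULT_POLICY):
        print("FINDING:", finding)
    print("PUT", POLICY_URL)
    print(json.dumps(hardened_policy(), indent=2))
```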

  • Kenneth van Surksum (We provide MSPs and customers with secure Microsoft 365 baselines for use in automation tooling | Secure at Work | Microsoft MVP Intune & Identity and Access)

    🔐 Tip for Entra ID admins: Be aware of the limitations of Microsoft Entra ID Protection for B2B collaboration users. Because guest accounts live in their home directory, your resource tenant can’t fully manage their risk status. This leads to some important limitations:
    ⚠️ If a guest triggers a user risk policy requiring a password reset, they’ll be blocked since your tenant can’t reset their password.
    🚫 Guest users don’t appear in the “risky users” report.
    ❌ Admins can’t dismiss or remediate risky B2B users in the resource directory.
    These behaviors are by design and explained in Microsoft’s documentation 👉 https://lnkd.in/ekcqaj6Z
    💡 Tip: When protecting guest accounts, use sign-in risk based Conditional Access policies instead of user risk based ones, and align your external collaboration model accordingly. #EntraID #MicrosoftSecurity #IdentityProtection #B2B #ConditionalAccess #ZeroTrust #Intune Secure At Work
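As an added example (not the poster's code), the check below walks Conditional Access policies in the Microsoft Graph `conditionalAccessPolicy` shape and flags any enabled policy whose user-risk condition reaches guests, the failure mode described above, and shows the sign-in-risk based policy scoped to guests as the replacement. Both sample policies are constructed.

```python
"""Flag Conditional Access policies that apply a user-risk condition to guests.

Added example, not the poster's code. Assumption: policies are dicts in the
Microsoft Graph conditionalAccessPolicy shape; both sample policies are
constructed."""


def applies_to_guests(users):
    """True when the users condition reaches guests and does not exclude them."""
    include = users.get("includeUsers", [])
    included = ("All" in include or "GuestsOrExternalUsers" in include
                or bool(users.get("includeGuestsOrExternalUsers")))
    excluded = ("GuestsOrExternalUsers" in users.get("excludeUsers", [])
                or bool(users.get("excludeGuestsOrExternalUsers")))
    return included and not excluded


def guest_user_risk_findings(policies):
    """One finding per enabled policy whose user-risk condition would hit guests."""
    findings = []
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        cond = policy.get("conditions", {})
        if cond.get("userRiskLevels") and applies_to_guests(cond.get("users", {})):
            findings.append(f"{policy['displayName']}: userRiskLevels="
                            f"{cond['userRiskLevels']} reaches guests, whose risk "
                            "the resource tenant cannot remediate")
    return findings


GUESTS = {"guestOrExternalUserTypes": "b2bCollaborationGuest",
          "externalTenants": {"membershipKind": "all"}}

# Constructed: the problematic shape (guests end up blocked, unable to reset).
USER_RISK_POLICY = {
    "displayName": "Block high user risk",
    "state": "enabled",
    "conditions": {"userRiskLevels": ["high"], "signInRiskLevels": [],
                   "users": {"includeUsers": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed: the recommended shape, keyed on sign-in risk and scoped to guests.
SIGN_IN_RISK_POLICY = {
    "displayName": "Guests: MFA on medium/high sign-in risk",
    "state": "enabled",
    "conditions": {"userRiskLevels": [], "signInRiskLevels": ["medium", "high"],
                   "users": {"includeGuestsOrExternalUsers": GUESTS}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
```

Excluding guests from the user-risk policy (an `excludeGuestsOrExternalUsers` entry) clears the finding without dropping the policy for members.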

  • Nathan Hutchinson (Microsoft MVP | Microsoft Solutions Architect | Security & Compliance | Identity Management | Modern Workplace | natehutchinson.co.uk)

    🔐 Guest Users in Entra ID Can See More Than You Think—Let’s Fix That! 🚀 Did you know that by default, guest users in Entra ID can enumerate groups and search for other users? This could be a goldmine for attackers or malicious users, making it easier for them to identify targets for phishing or privilege escalation. The good news? You can lock this down in under two minutes! ⏳ In my new video series #TwoMinuteTuesdays, I walk you through a simple but crucial Entra ID setting that restricts guest user access, preventing them from seeing any group memberships—even their own! A quick configuration change can significantly reduce your organisation’s exposure and improve security. 📺 Watch now and secure your tenant: https://lnkd.in/e2cBwk8b ✅ Like, Share & Subscribe if you found this helpful 💬 Comment if you have other quick security wins to share! #Microsoft365 #EntraID #CyberSecurity #ITSecurity #AzureAD #MicrosoftSecurity #GuestUserAccess
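The setting the video covers lives in the Entra authorization policy (`guestUserRoleId`), and the "review guest permissions" item in the summary above comes down to the same object. The script below is an added example, not the poster's code: it reads the object returned by Graph's `/policies/authorizationPolicy`, reports which guest-access level is in force (using Microsoft's documented role template IDs) and whether guests can invite more guests, and builds the PATCH body for the most restrictive level. The sample policy is constructed.

```python
"""Audit the Entra authorization policy settings that govern what guests can see
and who may invite them, and build the PATCH that restricts guest visibility.

Added example, not the poster's code. Assumptions: the input is the object
returned by GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy;
the three role template IDs are Microsoft's documented guest-access levels;
the sample policy is constructed."""

GUEST_ROLE_LEVELS = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "same access as members",
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "limited (default): can enumerate groups and users",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "restricted: own objects only",
}
RESTRICTED_GUEST_ROLE = "2af84b1e-32c8-42b7-82bc-daa82404023b"
GRAPH_URL = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"


def guest_access_findings(policy):
    """Findings on guest visibility and invitation settings; empty list = hardened."""
    findings = []
    role = (policy.get("guestUserRoleId") or "").lower()
    level = GUEST_ROLE_LEVELS.get(role, "unknown role template")
    if role != RESTRICTED_GUEST_ROLE:
        findings.append(f"guestUserRoleId is '{level}': guests can enumerate "
                        "directory objects beyond their own")
    if policy.get("allowInvitesFrom") == "everyone":
        findings.append("allowInvitesFrom=everyone: guests can invite further guests")
    return findings


def restricted_patch_body():
    """Body for PATCH GRAPH_URL that moves guests to the most restrictive level."""
    return {"guestUserRoleId": RESTRICTED_GUEST_ROLE}


# Constructed sample resembling a tenant left at its defaults.
DEFAULT_AUTHZ_POLICY = {
    "id": "authorizationPolicy",
    "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
    "allowInvitesFrom": "everyone",
}

if __name__ == "__main__":
    for finding in guest_access_findings(DEFAULT_AUTHZ_POLICY):
        print("FINDING:", finding)
    print("PATCH", GRAPH_URL, restricted_patch_body())
```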