Microsoft Teams’ New “Chat with Anyone” Feature, Great Idea, Terrible Timing.
Microsoft Teams’ new “Chat with Anyone” feature could expose businesses to phishing risks. Here’s how to secure your organisation before it launches.
So, Microsoft’s at it again, this time with a new Teams feature called “Chat with Anyone.”
On the surface, it sounds handy - you’ll be able to send a Teams message to any email address, even if the person isn’t part of your organisation or doesn’t have Teams.
In theory, that’s all about “breaking down barriers” and “making collaboration easier.” But in reality? It’s also about breaking down your phishing defences.
Here’s what’s actually happening
From November 2025, Microsoft’s rolling this out in stages and by early 2026, it’ll be live globally. Once it’s switched on, anyone can type your email into Teams, hit send, and boom - you get an invite to chat.
No mutual connection. No verification. No real safety net.
It works across desktop, mobile, web, the lot, and that’s the problem.
Why this is such a bad idea
Phishing used to mostly live in your inbox. You’d get a dodgy-looking email pretending to be from “Microsoft Support” or “Accounts Payable” and (hopefully) ignore it. But now, attackers can send you a Teams invite that looks totally legit.
Imagine getting a message from someone claiming to be a supplier or client you work with. They’ve got a convincing name and a business-style chat request. You click it. You start talking. Maybe you even share a file.
That’s all an attacker needs to start doing real damage, and none of it passes through your normal email filters or spam defences.
It’s basically giving cybercriminals a brand-new door to knock on… and some people will definitely open it.
Microsoft says it’s “safe”
Microsoft’s official line is that these chats are still governed by Entra B2B guest policies, meaning they’re technically within your organisation’s controls. That’s nice on paper but in the real world, mistakes happen.
People misread names. They trust a familiar logo. They share things they shouldn’t and once data’s out, it’s out.
If your business runs in a hybrid setup or your team regularly talks to clients, freelancers, or suppliers, this is a perfect storm for a phishing mess.
What you should do, before this quietly lands
Here’s what I’d recommend:
- Check your Teams external access settings.
Head into the Microsoft 365 admin centre and see if you can restrict or disable “Chat with Anyone” for now. Don’t assume Microsoft left it off by default; they usually don’t.
- Warn your team.
Even a quick message on Slack, Teams, or email saying “Hey, be careful, random Teams invites might not be genuine” can save you a major headache later.
- Review your conditional access and MFA.
Enforce device compliance and MFA for all external chat sessions. It won’t stop phishing invites, but it can limit damage.
- Keep an eye on Teams activity logs.
Set up alerts for unusual external chat activity. A bit of proactive monitoring goes a long way.
- Make security awareness normal, not scary.
Your team shouldn’t feel like they’re walking on eggshells; just remind them that it’s okay to be suspicious and double-check things.
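One way to implement the log-monitoring step above, as an added example that is not from the original post: this Python script flags chats started from outside the tenant by a domain you have not approved, and external senders who open chats with several different staff within an hour. The record layout (field names modelled on Teams entries in the Microsoft 365 unified audit log, with `Members` simplified to a list of addresses), the domains, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "contoso.example"    # assumption: your tenant's domain
KNOWN_PARTNERS = {"supplier.example"}  # assumption: domains you already work with
FANOUT_LIMIT = 3                       # distinct internal recipients per window
WINDOW = timedelta(hours=1)

# Constructed sample records. Field names are modelled on Teams entries in the
# Microsoft 365 unified audit log; check them against your own export.
def _ev(time, op, user, members):
    return {"CreationTime": f"2025-11-20T{time}:00", "Operation": op,
            "UserId": user, "Members": members}

SAMPLE_EVENTS = [
    _ev("09:00", "ChatCreated", "anna@supplier.example", ["bob@contoso.example"]),
    _ev("09:05", "ChatCreated", "accounts@supp1ier.example", ["bob@contoso.example"]),
    _ev("09:10", "ChatCreated", "accounts@supp1ier.example", ["carol@contoso.example"]),
    _ev("09:15", "MessageSent", "accounts@supp1ier.example", ["carol@contoso.example"]),
    _ev("09:20", "ChatCreated", "accounts@supp1ier.example", ["dave@contoso.example"]),
    _ev("09:30", "ChatCreated", "bob@contoso.example", ["anna@supplier.example"]),
]

def domain(address):
    return address.rsplit("@", 1)[-1].lower()

def find_suspicious_chats(events):
    """Return (reason, sender, time) alerts for externally initiated chats."""
    alerts, history = [], defaultdict(list)  # history: sender -> [(time, recipient)]
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        sender = ev["UserId"].lower()
        if ev["Operation"] != "ChatCreated" or domain(sender) == INTERNAL_DOMAIN:
            continue  # only chats started from outside the tenant
        when = datetime.fromisoformat(ev["CreationTime"])
        # First contact from a domain that is not on the partner list.
        if domain(sender) not in KNOWN_PARTNERS and sender not in history:
            alerts.append(("unknown-domain", sender, ev["CreationTime"]))
        # Keep only this sender's chats from the last WINDOW, then add this one.
        recent = [(t, r) for t, r in history[sender] if when - t <= WINDOW]
        before = len({r for _, r in recent})
        recent += [(when, m.lower()) for m in ev["Members"]
                   if domain(m) == INTERNAL_DOMAIN]
        history[sender] = recent
        # Alert once, at the moment the sender crosses the fan-out threshold.
        if before < FANOUT_LIMIT <= len({r for _, r in recent}):
            alerts.append(("fan-out", sender, ev["CreationTime"]))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_chats(SAMPLE_EVENTS):
        print(alert)
```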
Microsoft’s trying to make collaboration effortless. The problem is effortless collaboration also means effortless compromise.
So before this feature quietly appears in your organisation, take a few minutes to review your settings and tell your team what’s coming. You don’t want the first time you hear about it to be when someone says, “Hey, did you really message me asking for a payment update on Teams?”
Because if you didn’t… someone else probably did.
Ashley Adkins, Founder @ Adkinsio | Helping Business Work Smarter