Security researchers have found a bug that could allow attackers to deliver malware directly into employees' Microsoft Teams inbox.