
Microsoft Defender for Office 365 Blog

From Impersonation Calls to Transparent Reporting: Defending the New Front Door of Attacks

JeffreyPinkston
Mar 20, 2026

Email is still a major entry point—but it’s no longer the only one that matters. Today’s attackers are increasingly shifting to collaboration channels like Microsoft Teams, where trust is implicit and interaction is real time. Decisions happen fast, and that changes the economics of attacks. Adversaries can pressure users, adapt on the fly, and accelerate their objectives before traditional controls have time to respond. They can then pivot laterally across identities, endpoints, and cloud apps.

And it’s not just chats and shared links anymore. Teams calling has emerged as a high-impact social-engineering path—a “front door” attackers can use to bypass inbox defenses. They can impersonate familiar brands or internal functions. They can also try to extract credentials or persuade a user to take immediate action. In a typical flow, an attacker leverages urgency and context. For example, they may reference an “account issue” following suspicious email activity. They then use the real-time pressure of a call to drive a user toward compromise.

At RSA 2026, we’re announcing new Microsoft Defender capabilities designed for exactly this reality. They give SOC teams visibility that matches how attacks unfold across Microsoft Teams. They also help end users easily identify impersonation attempts, so they can stop them before compromise. And we’re introducing the new Protection and Posture Insights report, which provides tenant-specific insights about your collaboration security with Microsoft Defender.

Protect your organization from voice-based attacks in Microsoft Teams

Voice phishing (vishing) is a fast-growing vector because it lets attackers bypass message-based filters and manipulate targets in real time. But security teams haven’t had the same level of coverage for Teams calls that they’ve come to expect for email and messages. That’s why we’re excited to bring inline protection and SOC investigation capabilities to the Teams calling experience. Defenders can stop the interaction while it’s happening and investigate the full path after the fact.

Hunt and remediate suspicious calls

When attackers use Teams calls to impersonate a brand, internal IT, or a trusted organization, security teams need more than anecdotal user reports—they need forensic visibility and the ability to act. Microsoft Defender has turned Teams calling from a blind spot into a first-class SOC signal, so you can now:

  • Investigate Teams calling activity at scale through Advanced hunting. Use new call-focused data to identify suspicious patterns and validate risk across the organization. This includes unusual external callers, first-time contacts, or activity that aligns with brand impersonation patterns.
  • Pivot directly into a call’s details using a call entity experience. Analysts can quickly understand what happened and who was involved, without stitching together context across multiple tools.
  • Take mitigation actions inline by blocking malicious domains or addresses in Teams via the Tenant Allow/Block List. This turns investigation into immediate containment and helps prevent repeat attempts.
  • Close the loop with end-user reporting. Pair what users flag as a security risk with what analysts can hunt and confirm. The SOC can move faster and reduce ambiguity when seconds matter.

Figure 1: Teams call activity events in advanced hunting

Figure 2: Call entity panel for deeper investigation in advanced hunting
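
The hunting patterns named in the list above (unusual external callers, first-time contacts, impersonation of an internal function), sketched as an added example that is not Microsoft's code. It runs over constructed call records; the field names, term list, tenant domain and thresholds are assumptions for illustration and are not the Defender advanced hunting schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical export of call records; these field names are assumptions for
# illustration and are not the Defender advanced hunting schema.
TENANT_DOMAIN = "contoso.example"
INTERNAL_FUNCTION_TERMS = ("help desk", "helpdesk", "it support", "security team")
CALLS = [  # constructed sample data
    {"time": "2026-03-01T09:00:00", "caller": "sam@partner.example",
     "caller_name": "Sam Ortiz", "callee": "ava@contoso.example"},
    {"time": "2026-03-02T09:00:00", "caller": "sam@partner.example",
     "caller_name": "Sam Ortiz", "callee": "ava@contoso.example"},
    {"time": "2026-03-10T14:00:00", "caller": "support@helpdesk-alerts.example",
     "caller_name": "Contoso IT Support", "callee": "ava@contoso.example"},
    {"time": "2026-03-10T14:05:00", "caller": "support@helpdesk-alerts.example",
     "caller_name": "Contoso IT Support", "callee": "ben@contoso.example"},
    {"time": "2026-03-10T14:09:00", "caller": "support@helpdesk-alerts.example",
     "caller_name": "Contoso IT Support", "callee": "cho@contoso.example"},
    {"time": "2026-03-10T15:00:00", "caller": "ben@contoso.example",
     "caller_name": "Ben Lee", "callee": "ava@contoso.example"},
]

def hunt_calls(calls, window=timedelta(hours=1), fanout=3):
    """Return {external caller: sorted reasons} for callers worth triage."""
    seen_pairs = set()                  # (caller, callee) pairs already observed
    first_contacts = defaultdict(list)  # caller -> [(time, callee)] first contacts
    findings = defaultdict(set)
    for call in sorted(calls, key=lambda c: c["time"]):
        caller, callee = call["caller"].lower(), call["callee"].lower()
        if caller.rsplit("@", 1)[-1] == TENANT_DOMAIN:
            continue                    # internal caller, out of scope here
        if (caller, callee) in seen_pairs:
            continue                    # established contact, not a first-time call
        seen_pairs.add((caller, callee))
        # Pattern 1: first-time external caller naming itself as an internal function.
        name = call["caller_name"].lower()
        if any(term in name for term in INTERNAL_FUNCTION_TERMS):
            findings[caller].add("display-name-impersonation")
        # Pattern 2: one external caller reaching many new users in a short window.
        now = datetime.fromisoformat(call["time"])
        recent = [(t, who) for t, who in first_contacts[caller] if now - t <= window]
        recent.append((now, callee))
        first_contacts[caller] = recent
        if len({who for _, who in recent}) >= fanout:
            findings[caller].add("first-contact-fanout")
    return {caller: sorted(reasons) for caller, reasons in findings.items()}

if __name__ == "__main__":
    for caller, reasons in hunt_calls(CALLS).items():
        print(caller, reasons)
```

The established partner contact produces no finding, while the caller that presents an internal-function display name to three new users within an hour is returned with both reasons.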

Stop impersonation in real time

While insights are critical, the most effective way to reduce vishing impact is to interrupt social engineering while the user is still deciding what to do.

Now, when a Teams call appears to be impersonating a known organization or trusted entity, users will see a persistent in-call warning banner. It shows during the incoming-call experience and while on the call. That gives users clear, contextual guidance before they comply with attacker instructions. It also extends the same protection approach used for chat impersonation into the calling surface.

Figure 3: Teams call real-time notification informing the user that the call is suspicious.

And because improving protection depends on learning from real interactions, users can also provide feedback by reporting a call as not a security risk to help improve the accuracy of warnings over time.

That makes Defender the only collaboration security tool that provides inline user feedback in real time.

Turn Defender telemetry into executive-ready security understanding with the Protection & Posture Insights report

To help organizations clearly understand the threats targeting their environment and how Defender is helping protect against them, we are introducing the Protection & Posture Insights report. It is available directly in the Defender portal and built on tenant-specific telemetry. The report provides a customized view of the spam, phishing, and malware campaigns observed against users—showing how attackers are attempting to gain access, what techniques are being used, who is being targeted, and where risk is concentrated across the environment.

The Protection & Posture Insights report goes beyond surface-level threat counts to highlight patterns and exposure unique to each tenant, including emerging phishing techniques, malware delivery methods, and zero-day threats identified through detonation analysis. It also shows how these threats are handled across delivery locations—such as inbox, junk, and quarantine—and which detection technologies and policies are engaged, giving teams a clearer understanding of how attackers are interacting with their environment.

In addition to threat visibility, the report delivers personalized insights and targeted security policy recommendations based on each customer’s configuration and observed threat activity. By surfacing coverage gaps, priority account targeting, and opportunities to strengthen policy enforcement, teams can take focused action to reduce exposure and improve security posture. With consistent, tenant-specific reporting over time, organizations can validate results, track progress, and share credible, executive-ready security outcomes—without manual data assembly.

Figure 4: Executive summary of the new Protection & Posture Insights report

This kind of personalized visibility answers the most important question for any security team: what was stopped in my environment, and why. It’s also helpful to pair those tenant-specific insights with an objective, industry-wide view. That’s why we publish official email security performance benchmarking. We use consistent, real-world measurements of detection and efficacy across phishing, malware, and spam. That way, you can compare Microsoft Defender against other secure email gateway (SEG) and integrated cloud email security (ICES) solutions. For a deeper look at what the latest results reveal, check out From transparency to action: What the latest Microsoft email security benchmark reveals.

These new Microsoft Defender capabilities close a critical gap in collaboration security. They help customers interrupt Teams call–based social engineering. They also give the SOC actionable call visibility and faster containment to prevent repeat attempts. Combined with the Protection & Posture Insights report, security teams can more easily report what was stopped in their tenant. They can also prioritize the next control improvements and strengthen end‑to‑end SOC outcomes across email and Teams.

Visit Us at RSA 2026 

Join us at the Microsoft booth at the Moscone Center to see these innovations in action!


Updated Mar 19, 2026