Microsoft Defender for Office 365 Blog

General Availability for Collaboration Security for Microsoft Teams

Ramya_Chitrakar
Mar 24, 2025

The rapid digital transformation of workplaces worldwide has not only expanded collaboration opportunities but has also introduced new attack surfaces that cybercriminals are eager to exploit. Microsoft Teams, with over 320 million users, has emerged as a cornerstone of enterprise productivity. However, this increased adoption has also made it an appealing target for cyber threats. Adversaries have started exploiting Microsoft Teams for sophisticated attacks including impersonation and delivery of malicious payloads. Our research teams have observed threat actors Storm-1811 and Storm-1674 orchestrating campaigns on Microsoft Teams.

That’s why today we’re excited to announce the General Availability of collaboration security for Microsoft Teams. This new enhancement in Microsoft Defender for Office 365 helps protect against phishing, malware, and advanced attacks for Teams users, thanks to a robust set of protection capabilities and security workflows. Some of these features have been in public preview, and we are now introducing new capabilities to ensure users can fully leverage these enhanced features. Collaboration security for Microsoft Teams is designed to address the rise of new sophisticated attacks targeting Teams with end-to-end features including: 

  • Improved Teams security posture with increased control over how external organizations communicate with employees 
  • Better in-line client protection for end users from malicious links or attachments 
  • Easy reporting of suspicious messages to admins and Microsoft  
  • Threat hunting and response capabilities 

 

Improved Teams security posture with increased control over how external organizations communicate with employees 

Teams provides a wide range of federation controls that enable organizations to determine how they collaborate, and the new upcoming granular federation policies give security teams more control. Security teams can dictate which tenants, domains, and users can communicate with their organization. There are also granular controls over how admins allow their organizations to communicate with trial tenants, and added protection with new OTP authentication options for securing meetings. Security admins can also bolster their organization’s security posture with Teams recommended actions within Exposure Management, which helps assess an organization’s current security posture, identify potential improvements, and take actions to enhance overall security.

Better in-line client protection for end users from malicious links or attachments

Defender for Office 365 utilizes advanced threat intelligence and machine learning to detect and block malicious content in Microsoft Teams. It continuously monitors and scans URLs and files shared within Teams chats, protecting end users from malicious links directly in-line in the Teams client and at time-of-click where they collaborate.

Phishing attacks often rely on deceptively benign links that lure users into divulging sensitive information. By intercepting these threats before they can reach users in your organization, inline protection in the Teams client not only reduces the risk of data breaches but also prevents potential disruption that can lead to costly downtime. When an employee receives a link in a Microsoft Teams conversation, our inline protection immediately evaluates it. If the link is determined to be malicious, it is promptly removed, effectively neutralizing potential phishing attempts while providing an uninterrupted end-user experience. We take a much more proactive approach compared to other solutions, which merely display in-line tips instead of taking immediate action.

  

Suspicious files and URLs are automatically executed in a secure, isolated environment—a sandbox—to determine if they exhibit any malicious behavior. This process, known as real-time detonation, ensures that harmful content is identified and neutralized before end-users can access it. In addition, we apply time-of-click protection for every URL, evaluating links when they are clicked by end-users, offering an additional layer of protection across Microsoft Teams clients on the web, desktop, and mobile. And for security teams, any clicks on URLs in Microsoft Teams are available for investigation, hunting, and response via our hunting tools and APIs (like Threat Explorer and Advanced Hunting). 

In addition to links, attachments are prime vectors for malware and ransomware. Detonating these files in real-time prevents harmful content from entering your production environment. For security teams, this means fewer incidents to manage, reduced remediation times, and enhanced business continuity. For example, if a file shared in a Teams chat is flagged as potentially dangerous, it is safely isolated, ensuring your organization and users remain protected.

Our integrated quarantine management experience empowers security teams to efficiently triage and investigate flagged Teams messages with the ability to review message details and preview message content. This balance between seamless collaboration and robust security, supported by inline URL protection and integrated quarantine management, helps ensure security without disrupting communication, enabling your users to stay productive while keeping threats at bay. 

Easy reporting of suspicious messages to admins and Microsoft 

Organizations today drive employee resilience through security awareness and education. A key component of these programs is to help people identify and report suspicious events. When employees see suspicious messages in Microsoft Teams, including those from external users, they can now help secure the organization by easily reporting them to their security teams and Microsoft, thanks to our seamless integration with the broader Microsoft XDR portfolio. Security teams can control where submissions are sent, including sending them to Microsoft for learning and feedback, with similar workflows and configurations across Teams and email. This proactive reporting mechanism not only bolsters your organization’s defenses but drives a security-first culture that helps detect and respond to potential threats faster. External reporting is broadly available following Secure 2025; details are in the documentation section.

Threat hunting and response capabilities across Teams messages  

At the end of May 2024, Microsoft observed Storm-1811 conducting multimodal social engineering attacks by leveraging Microsoft Teams alongside email-based threats. Attackers used tactics like “email bombing” and fraudulent tenants, followed by Teams messages impersonating help desk personnel with deceptive display names like “Help Desk”, “Help Desk IT”, “Help Desk Support”, and “IT Support.” Microsoft swiftly disrupted these attacks, in part due to full integration alongside XDR capabilities, which suspended identified malicious accounts and fraudulent tenants. Additionally, our purpose-built research driven threat detection technology continues to proactively identify and mitigate emerging threats by analyzing anomalous user agents and usernames, recognizing suspicious file hosting URLs, and detecting irregular activities, especially those involving external users. Microsoft Threat Intelligence supports security teams by surfacing correlated alerts and recommended mitigation strategies within our unified SOC platform including alerts about: 

  • Use of automation tools in phishing attacks,  
  • Messages originating from suspicious tenants,  
  • Interactions with potentially compromised users, and 
  • Interactions with potentially malicious external users.

SOC investigation with Advanced Hunting

While automated capabilities and features are effective, advanced hunting is also just as important to keep organizations secure. By providing deep visibility into granular security data, advanced hunting empowers security teams to identify subtle patterns and anomalies, enabling early intervention before threats can develop into full-blown security incidents. To further enhance this capability, we are extending the rich and contextual threat hunting capabilities that Microsoft Defender for Office 365 provides with the introduction of three dedicated advanced hunting tables including: MessageEvents, MessageUrlInfo, MessagePostDeliveryEvents. Security teams can now gain comprehensive insights into Teams messages containing URLs. With detailed, real-time data at their fingertips, your security teams can swiftly follow up on potential threats, fortifying your organization’s capacity to counter new and emerging threats. This includes the ability to correlate any threats across Teams and email messages to address any cross-modal attacks. Broadly available following Secure 2025, details in the documentation section.
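As an added illustration (not Microsoft's code and not part of the original post), the sketch below shows the kind of cross-modal correlation described above: it flags Teams messages from external senders whose display name matches the help desk names reported for Storm-1811, and notes whether the recipient received an email burst beforehand. The record field names, the 50-email threshold, the time windows and the sample records are all assumptions constructed for the example; they are not the schema of the advanced hunting tables.

```python
import re
from datetime import datetime, timedelta

# Display names the post attributes to the Storm-1811 help desk impersonation.
HELP_DESK_NAMES = {"help desk", "help desk it", "help desk support", "it support"}

def normalize(name):
    """Lowercase and collapse punctuation/spacing so 'Help-Desk  IT' still matches."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()

def peak_rate(times, window):
    """Largest number of timestamps that fall inside any one sliding window."""
    times, start, peak = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def find_suspect_messages(emails, teams_msgs, burst=50,
                          window=timedelta(hours=1), lookback=timedelta(hours=24)):
    """Flag external help desk look-alikes; note any prior email burst (assumed limits)."""
    findings = []
    for m in teams_msgs:
        if not m["external"] or normalize(m["display_name"]) not in HELP_DESK_NAMES:
            continue
        prior = [e["time"] for e in emails if e["recipient"] == m["recipient"]
                 and timedelta(0) <= m["time"] - e["time"] <= lookback]
        peak = peak_rate(prior, window)
        findings.append({"id": m["id"], "recipient": m["recipient"],
                         "peak_emails": peak, "email_bombed": peak >= burst})
    return findings

def sample_data():
    """Constructed records; field names are hypothetical, not a product schema."""
    t0 = datetime(2024, 5, 28, 9, 0)
    emails = [{"recipient": "alice@example.com", "time": t0 + timedelta(seconds=30 * i)}
              for i in range(60)]
    def msg(i, name, ext, rcpt, hrs):
        return {"id": i, "display_name": name, "external": ext,
                "recipient": rcpt, "time": t0 + timedelta(hours=hrs)}
    teams = [msg("t1", "Help Desk IT", True, "alice@example.com", 2),
             msg("t2", "Help-Desk  Support", True, "bob@example.com", 3),
             msg("t3", "IT Support", False, "alice@example.com", 2),
             msg("t4", "Contoso Sales", True, "bob@example.com", 1)]
    return emails, teams

if __name__ == "__main__":
    print(find_suspect_messages(*sample_data()))
```

Both external look-alike senders are reported, but only the message that follows an email burst is marked `email_bombed`, which is the signal worth prioritizing for triage.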

Stay secure while collaborating with confidence 

The new capabilities for Microsoft Teams help ensure your organization can approach collaboration security comprehensively, by combining advanced threat detection, improved end-user experience, and tools for more efficient SecOps management. By extending the power of Defender for Office 365 beyond email to include Teams, organizations can build a more resilient security strategy that safeguards all communication channels, while also improving operational efficiency through simplified security administration and XDR. With automated threat remediation, precise policy enforcement, and real-time user alerts, organizations can mitigate risks without affecting productivity. Furthermore, by embedding security directly into collaboration workflows, organizations can empower their teams to work confidently, focus on what’s most impactful, and maintain productivity in a secure digital environment. 

 

Learn More 

  • Ready to get started with collaboration security? Check out our documentation.
  • Want to know more about Microsoft’s XDR solution? Start here. 
Updated Apr 23, 2025