A Four-Part Guide to Secure Collaboration
As organizations rely more on Microsoft Teams for daily collaboration, securing this platform has become a top priority. Threat actors are increasingly targeting Teams chats and channels with phishing links and malicious files, making it critical for IT admins and security professionals to extend protection beyond email. Enter Microsoft Defender for Office 365, now armed with dedicated Teams protection capabilities. Microsoft Defender for Office 365 enables users to report suspicious messages, brings time-of-click scanning of URLs and files into Teams conversations, and provides rich alerts and hunting insights for SecOps teams. 
As a collaborative piece between Pierre Thoor, a Microsoft Security Most Valuable Professional (MVP), and the Defender for Office 365 Product Engineering Team, the guides below (with accompanying videos) emphasize a proactive, user-driven approach to threat detection and response, turning everyday Teams interactions into actionable security signals for SecOps.
See something, say something: Reporting suspicious messages in Microsoft Teams
Your fastest sensor isn’t AI – it’s your people. The Report this message option in Microsoft Teams lets anyone flag a suspicious conversation in two clicks and routes a triageable submission to your security team in the Microsoft Defender portal.
Why this matters:
- Speed to signal: Catch threats at the conversation layer, not just in email.
- Complete context: Original message, participants, URLs, and verdicts in one place.
- Habit-forming: A simple, repeatable action employees remember under pressure.
How to report (desktop, web, and mobile)
In Desktop/Web
- Hover the message → … More options → Report this message
- Select Security concern → (optional) add a short note → Report
In Mobile (iOS/Android) app
- Long-press the message → Report message
- Select Security concern → (optional) add a short note → Report
Tip: Short notes like “Unexpected MFA reset link” help analysts triage faster.
Where reports go (for security teams)
In the Microsoft Defender portal, navigate to: 
Investigation & response → Actions and submissions → Submissions → User reported. 
Open an item to view the Teams message entity (sender/domain, Teams message ID, extracted URLs, verdict) and take action – mark as phish/clean, pivot to Explorer or Advanced Hunting, or copy indicators. 
Quick setup check
- Defender portal → Settings → Email & collaboration → User reported settings: enable Monitor reported messages in Microsoft Teams.
- Licensing: Microsoft Defender for Office 365 Plan 2 (included in Microsoft 365 E5).
What good looks like (mini playbook)
- User reports the message.
- Security triages the submission and captures the URL/domain and other indicators.
- Block or allow as appropriate via the Tenant Allow/Block List (TABL).
- Hunt for related activity or clicks (see Video 3).
- Close the loop: thank the reporter and share the outcome to reinforce the behavior.
Common gotchas
- Reporting is disabled in the Teams messaging policy – verify before rollout.
- Some users assume “Report” notifies the sender – clarify that it routes to the Security team, not the sender.
Call to action: Enable reporting for your users and add this line to your awareness site: 
“If it feels phishy, report – don’t click.” 
Think before you click - Safe Links catches threats at click-time
Links can change after delivery. Safe Links waits until click-time, evaluates the destination, and shows an in-app warning page in Teams. Pair it with the Tenant Allow/Block List (TABL) to tune quickly across the tenant.
Why this matters
- Prevents delayed redirects: Defeats “clean-at-send” evasion, where a link is benign at delivery and weaponized afterwards.
- Consistent protection in Teams: Familiar warning UX reduces risky clicks.
- Rapid tuning: Block newly observed domains in seconds; no advanced transport rules required.
What you’ll see in the video
- Policy check (Teams in scope)
  - Defender portal → Email & collaboration → Policies & rules → Threat policies → Safe Links → ensure Apply Safe Links to Microsoft Teams is enabled for the target users or groups, or use the Standard/Strict preset security policy.
- Warning page at click-time
  - Post a benign test URL in Teams and click it to show the Safe Links warning experience.
- Block it as you spot it (Allow/Block)
  - Defender portal → Threat policies → Tenant Allow/Block List → URLs → Add (domain or URL).
  - Re-click in Teams – now blocked at click-time.
- Optional telemetry (Advanced Hunting)
  - Confirm outcomes and adoption with the query below:
UrlClickEvents
| where Timestamp > ago(24h) and Workload == "Teams"
| summarize Clicks=count(), Users=dcount(AccountUpn) by ActionType
| order by Clicks desc
Deployment tips
- Start with a pilot group that includes IT + power users; expand after validation.
- Create a review cadence for TABL (e.g., monthly) and expire temporary blocks.
Troubleshooting
- No warning page? Verify policy scope includes the user and the Teams workload.
- Block not taking effect? Give TABL a short sync window, then re-test; confirm you blocked the correct domain/URL pattern.
“Hunt the chat”: Advanced hunting for Teams threats
Overview 
With Advanced Hunting you can quickly reconstruct activity in Microsoft Teams – who sent the message, who clicked the link, and what protections kicked in. This section shows how the four Teams-relevant tables work together, so you can move from signal to action quickly. 
New: message warnings for malicious URLs (internal and external)
Teams now shows a warning banner on messages that contain URLs flagged as spam, phishing, or malware. Warnings appear in internal and external chats/channels, and can be added after delivery (up to ~48 hours) if a URL’s reputation changes. This complements Safe Links (time-of-click) and doesn’t replace ZAP; when ZAP removes a message, that action takes precedence. Public preview began September 2025; GA November 2025, enabled by default at GA and manageable in Teams admin center → Messaging settings.
See Message Center: https://admin.cloud.microsoft/?#/MessageCenter/:/messages/MC1150984
The four tables you’ll use
- MessageEvents – delivery context (sender, thread, internal vs. external).
- MessagePostDeliveryEvents – post-delivery actions, including Phish ZAP and Malware ZAP.
- MessageUrlInfo – URLs extracted from Teams messages.
- UrlClickEvents – time-of-click outcomes for links, including those clicked in Teams.
What you’ll learn in the video
- Surface active external domains in your tenant’s Teams chats.
- Identify who clicked risky links and the click outcomes (via Safe Links telemetry).
- See where message warnings appear in the chat UI.
- Pivot to an incident and block indicators fast via the Tenant Allow/Block List (TABL).
A couple hunts to try right now
1) Malicious verdicts in Teams (last 24 hours) 
Find messages that already carry a Spam/Phish/Malware verdict – your fastest triage queue.  
MessageEvents
| where Timestamp > ago(1d)
| where ThreatTypes has "Phish" or ThreatTypes has "Malware" or ThreatTypes has "Spam"
| project Timestamp, SenderDisplayName, SenderEmailAddress,
RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId
Use it for: a quick sweep + pivot to incident/entities, then TABL block if needed.
2) “IT helpdesk” imposters in external DMs (last 5 days)
Surface social-engineering lures that impersonate support.
MessageEvents
| where Timestamp > ago(5d)
| where IsExternalThread == true
| where (RecipientDetails has "help" and RecipientDetails has "desk")
or (RecipientDetails has "it" and RecipientDetails has "support")
or (RecipientDetails has "working" and RecipientDetails has "home")
or (SenderDisplayName has "help" and SenderDisplayName has "desk")
or (SenderDisplayName has "it" and SenderDisplayName has "support")
or (SenderDisplayName has "working" and SenderDisplayName has "home")
| project Timestamp, SenderDisplayName, SenderEmailAddress,
RecipientDetails, IsOwnedThread, ThreadType, ReportId
Use it for: first-contact scams (external tenant posing as IT). Pair with Safe Links telemetry to see who clicked.
Tip: has is token-aware and generally faster/cleaner than contains for word matches. Keep both hunts detection-ready by ensuring the final projection includes Timestamp and ReportId.
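To make the token-aware distinction concrete, the following added example (not from the original post or from the product team) re-implements the sender-name half of hunt 2 in Python over a constructed list of messages, with a `has`-style whole-token matcher beside a `contains`-style substring matcher; the sample messages and the `kql_has`/`kql_contains` helpers are assumptions for illustration.

```python
import re

# Constructed sample Teams messages (not real telemetry): one row per message.
SAMPLE_MESSAGES = [
    {"SenderDisplayName": "IT Support", "IsExternalThread": True},
    {"SenderDisplayName": "Help Desk Team", "IsExternalThread": True},
    {"SenderDisplayName": "Recruiting Support", "IsExternalThread": True},
    {"SenderDisplayName": "Working From Home Survey", "IsExternalThread": True},
    {"SenderDisplayName": "IT Support", "IsExternalThread": False},  # internal, excluded
]

# The lure word pairs from hunt 2 ("help"+"desk", "it"+"support", "working"+"home").
LURE_PAIRS = [("help", "desk"), ("it", "support"), ("working", "home")]


def kql_has(text, term):
    """Approximates KQL `has`: case-insensitive match against whole alphanumeric tokens."""
    tokens = re.findall(r"[A-Za-z0-9]+", text.lower())
    return term.lower() in tokens


def kql_contains(text, term):
    """Approximates KQL `contains`: case-insensitive substring match."""
    return term.lower() in text.lower()


def matches_lure(text, matcher):
    # Both words of at least one pair must match, mirroring the (a and b) or (c and d) clauses.
    return any(matcher(text, a) and matcher(text, b) for a, b in LURE_PAIRS)


def hunt_helpdesk_imposters(messages, matcher=kql_has):
    """Return sender names of external-thread messages whose display name carries a lure."""
    return [
        m["SenderDisplayName"]
        for m in messages
        if m["IsExternalThread"] and matches_lure(m["SenderDisplayName"], matcher)
    ]
```

With `kql_contains`, "Recruiting Support" is flagged because "recruiting" contains the substring "it"; with `kql_has` it is not, which is the false positive the tip is warning about.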
3) BONUS! External DMs with links (last 7 days)
MessageEvents
| where Timestamp > ago(7d) and IsExternalThread == true
| join kind=inner (MessageUrlInfo) on TeamsMessageId
| summarize Links=dcount(Url), Senders=dcount(SenderEmailAddress) by UrlDomain
| top 10 by Links desc
4) Who clicked (Teams workload) – exposure view:
UrlClickEvents
| where Timestamp > ago(7d) and Workload == "Teams"
| project Timestamp, AccountUpn, Url, ActionType
| order by Timestamp desc
“From Hunt to Action”: Respond & contain 
Finding a risky link in Teams is only half the job. This walkthrough shows how to go from detection to containment – block the domain, clean up delivered messages, and cut attacker access.
Why this matters
- Speed: Shrink time from “we saw it” to “it’s blocked”.
- Consistency: Turns ad-hoc hunting into a repeatable response flow.
- Coverage: Pair URL blocking with identity and device containment.
What you’ll see in the video
- Turn a hunt into an alert
  - In Advanced Hunting, run a short query (below) and choose Create detection rule to schedule it. Alerts auto-create incidents you can triage.
- Block at click-time (Safe Links + TABL)
  - In the incident, open the URL entity and add the URL/domain to the Tenant Allow/Block List (TABL) so future Teams clicks are blocked by Safe Links.
- Post-delivery cleanup (ZAP)
  - If a malicious message slipped through, ZAP can remove or mark it after delivery. You’ll see evidence on the incident timeline.
- Contain accounts and devices
  - Revoke user sessions in Entra ID to invalidate active tokens.
  - Reset the password (and require strong, unique credentials), then enforce MFA for the account.
  - Review MFA methods and remove anything suspicious; review app consents and revoke illicit grants.
  - If endpoints are onboarded, isolate the device in Microsoft Defender for Endpoint to stop outbound connections while you investigate.
The Microsoft Learn guide for compromised accounts (https://learn.microsoft.com/en-us/defender-office-365/responding-to-a-compromised-email-account) recommends session revocation, password reset, MFA enforcement, reviewing OAuth app consents and admin roles, and checking mail forwarding/rules – steps that complement the Teams response you see here.
The hunt
This KQL surfaces rare external domains in Teams and any user clicks.
let lookback = 1d;
// External Teams messages
let externalMsgs =
MessageEvents
| where Timestamp > ago(lookback) and IsExternalThread == true
| project MsgTime = Timestamp, TeamsMessageId, SenderEmailAddress, ME_ReportId = ReportId;
// URLs found in Teams messages
let urlsInMsgs =
MessageUrlInfo
| where Timestamp > ago(lookback)
| project MUI_Time = Timestamp, TeamsMessageId, Url, UrlDomain, MUI_ReportId = ReportId;
// Clicks coming from Teams
let clicks =
UrlClickEvents
| where Timestamp > ago(lookback) and Workload == "Teams"
| project ClickTime = Timestamp, Url, Clicker = AccountUpn, ClickAction = ActionType, UCE_ReportId = ReportId;
// Define “rare” domains in the period
let rareDomains =
urlsInMsgs
| summarize msgCount = dcount(TeamsMessageId) by UrlDomain
| where msgCount < 3;
rareDomains
| join kind=inner (urlsInMsgs) on UrlDomain
| join kind=leftouter (externalMsgs) on TeamsMessageId
| join kind=leftouter (clicks) on Url
| project
Timestamp = coalesce(ClickTime, MUI_Time, MsgTime),
UrlDomain,
Url,
SenderEmailAddress,
Clicker,
ClickTime,
ClickAction,
TeamsMessageId,
ReportId = coalesce(UCE_ReportId, MUI_ReportId, ME_ReportId)
After verifying results, select Create detection rule, set a schedule (e.g., hourly), and map entities so incidents include the right artifacts.
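To show how the joins and coalesce() calls above fit together, the following added example (not from the original post or from the product team) re-implements the rare-domain hunt in Python over constructed rows shaped like MessageEvents, MessageUrlInfo and UrlClickEvents; the sample rows, the `rare_domain_hunt` function and the `max_msgs` threshold (3, as in the KQL) are assumptions for illustration.

```python
# Constructed sample rows (not real telemetry) shaped like the three Advanced Hunting tables.
MESSAGE_EVENTS = [
    {"Timestamp": "10:00", "TeamsMessageId": "m1", "SenderEmailAddress": "ext@vendor.example",
     "IsExternalThread": True, "ReportId": "me1"},
    {"Timestamp": "10:05", "TeamsMessageId": "m2", "SenderEmailAddress": "bob@corp.example",
     "IsExternalThread": False, "ReportId": "me2"},
]
MESSAGE_URL_INFO = [
    {"Timestamp": "10:00", "TeamsMessageId": "m1", "Url": "https://reset-mfa.example/x",
     "UrlDomain": "reset-mfa.example", "ReportId": "mui1"},
    {"Timestamp": "10:05", "TeamsMessageId": "m2", "Url": "https://docs.corp.example/a",
     "UrlDomain": "docs.corp.example", "ReportId": "mui2"},
    {"Timestamp": "10:06", "TeamsMessageId": "m3", "Url": "https://docs.corp.example/b",
     "UrlDomain": "docs.corp.example", "ReportId": "mui3"},
    {"Timestamp": "10:07", "TeamsMessageId": "m4", "Url": "https://docs.corp.example/c",
     "UrlDomain": "docs.corp.example", "ReportId": "mui4"},
]
URL_CLICK_EVENTS = [
    {"Timestamp": "10:12", "Url": "https://reset-mfa.example/x", "AccountUpn": "alice@corp.example",
     "ActionType": "ClickAllowed", "Workload": "Teams", "ReportId": "uce1"},
]

def coalesce(*values):
    """Like KQL coalesce(): the first non-null argument."""
    return next((v for v in values if v is not None), None)

def rare_domain_hunt(messages, urls, clicks, max_msgs=3):
    """Domains seen in fewer than max_msgs distinct Teams messages (the 'rare' set),
    inner-joined to their URLs, left-joined to external senders and to Teams clicks."""
    msgs_by_domain = {}
    for u in urls:
        msgs_by_domain.setdefault(u["UrlDomain"], set()).add(u["TeamsMessageId"])
    rare = {d for d, ids in msgs_by_domain.items() if len(ids) < max_msgs}
    external = {m["TeamsMessageId"]: m for m in messages if m["IsExternalThread"]}
    teams_clicks = [c for c in clicks if c["Workload"] == "Teams"]
    rows = []
    for u in urls:
        if u["UrlDomain"] not in rare:
            continue
        msg = external.get(u["TeamsMessageId"])  # leftouter: None for internal threads
        for c in [c for c in teams_clicks if c["Url"] == u["Url"]] or [None]:  # leftouter
            rows.append({
                "Timestamp": coalesce(c and c["Timestamp"], u["Timestamp"], msg and msg["Timestamp"]),
                "UrlDomain": u["UrlDomain"], "Url": u["Url"],
                "SenderEmailAddress": msg and msg["SenderEmailAddress"],
                "Clicker": c and c["AccountUpn"], "ClickAction": c and c["ActionType"],
                "TeamsMessageId": u["TeamsMessageId"],
                "ReportId": coalesce(c and c["ReportId"], u["ReportId"], msg and msg["ReportId"]),
            })
    return rows
```

Only reset-mfa.example is rare here (docs.corp.example appears in three distinct messages), and because that URL was clicked, the row's Timestamp and ReportId come from the click event first, falling back to the URL and message rows when no click exists.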
What good looks like (response playbook)
- Alert fires → open incident; confirm scope and entities.
- Block URL/domain via TABL to stop future clicks.
- Confirm ZAP removed or marked delivered messages.
- Revoke sessions and reset password; enforce MFA.
- Review MFA methods and remove unknown devices/methods.
- Audit app consents (revoke illicit grants) and verify the user holds no unexpected admin roles.
- If email abuse is suspected, check for forwarding or malicious Inbox rules.
- Isolate device if execution is suspected; collect artifacts and un-isolate after remediation.
FAQs
- Does the block remove the message? No – TABL blocks at click-time. Post-delivery removal is handled by ZAP when detections apply.
- Will revoking sessions disrupt users? It forces sign-in again (expected). Communicate this in your response template.
- What if the attacker used consent phishing? Revoke the offending enterprise app consent and review publisher verification status.
Call to action: Save the query, create the detection, and attach this playbook to your incident template. The goal every time: find → block → clean up → contain.
Securing Microsoft Teams is most effective when technology and people work together. By enabling user reporting, leveraging real-time protections, and empowering security teams to act quickly, organizations can turn everyday collaboration into a strong defense against threats.
This blog has been generously and expertly authored by Microsoft Security MVP, Pierre Thoor with support of the Microsoft Defender for Office 365 product team.
Pierre Thoor
Microsoft Security MVP | Microsoft Defender for Office 365 Champ