Secure collaboration in Microsoft Teams with efficient and automated Threat Protection and response

New Layers of Protection for Teams Messages

With more than 300 million monthly active users on Microsoft Teams, ensuring secure collaboration has become increasingly critical. As the threat landscape continues to change, our security measures must adapt accordingly. To address these challenges, we are pleased to announce enhanced protection and Security Operations response capabilities for enterprise messages containing URLs in Teams, utilizing Microsoft Defender.

Threat Profile – Tech Support Impersonation with Phishing URLs

In previous blogs, we’ve discussed how threat actors are employing multimodal attacks and targeting users in an organization over Teams by impersonating tech support.  Lately some of these attackers have been observed steering their victims towards malicious websites that appear purpose-built to complete their harmful objectives while allaying the victim’s suspicions.

The typical attack chain proceeds as follows:

1. Hybrid attacks often begin with mail bombing (spam) directed at the targeted individual, followed by Teams messages or calls in which the attacker impersonates IT support personnel offering to resolve the spam issue.
2. Victims may then be deceived into granting system access to the attacker via remote management and monitoring tools such as Quick Assist or AnyDesk.
3. In recent incidents, attackers have directed victims to malicious URLs that closely resemble legitimate internal IT security update or patching tools, featuring falsified logos and branding.
4. These sites are actually conventional phishing platforms intended to capture user credentials and enable malware deployment, while victims believe their spam problem is being resolved.

Below: Rendering of a malicious URL shared over Teams by an attacker to an intended victim

Microsoft Defender uses robust detection engines and threat intelligence to support URL warnings, post-delivery protection, and advanced hunting for Teams, enabling comprehensive protection against evolving attack vectors.

Near real-time defense

For Worldwide customers with Teams enterprise licenses and above

Our new advanced near-real-time protection ensures that any message containing URLs is thoroughly scanned and appropriately flagged before delivery. End users are notified with a warning tip upon messages delivery when malicious URLs are detected, helping them recognize and avoid potential risk. Threats don’t always appear right away, to stay ahead of evolving attacks, protection continues for up to 48 hours after a message is delivered. If a previously safe URL later becomes weaponized, the message is automatically updated with a warning tip, ensuring users remain protected even after the message reaches them.

This dual-layered approach means:

• Immediate warnings for messages with known malicious URLs.
• Post-delivery detection that adapts to evolving threats.
• Protection across internal and external communications, including chats and channels, regardless of tenant origin.

These capabilities powered by Microsoft Defender will provide out-of-the-box protection as it will be enabled by default and will be available for all Teams enterprise users, with no additional configuration required. This ensures that every user benefits from advanced protection.

Figure 1: Recipient view of message warnings

Figure 2: Sender view of message warnings

Empowering Users and SOC Teams

For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license

Security is a shared responsibility. We’re enabling users to report false negatives (FN) and false positives (FP) directly from Teams messages. These reports feed into Microsoft Defender investigation workflows, helping improve detection accuracy and reduce support overhead.

Users can now report potentially malicious messages or messages incorrectly detected as malicious directly from the message context menu in Microsoft Teams:

• Report as security risk: For messages that seem suspicious but weren’t flagged.
• Report as not security risk: For messages that were flagged but are actually safe.

This enables users to actively contribute to their organization's security management and protection efforts, while simultaneously enhancing the accuracy of Microsoft Defender detection controls. Reports may be submitted for both internal and external communications including chats, meetings, and channels ensuring comprehensive coverage across all collaboration platforms such as Teams web, desktop, and mobile clients. Upon submission, these reports are accessible to administrators and security operations personnel in the Microsoft Defender portal as incidents, where they can efficiently triage, investigate, and respond.

Figure 3: Report a concern

Figure 4: Report a wrong detection

Holistic Visibility for Security Operation Teams

For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license

Security Operation teams need context, coverage, and control. That’s why we’ve introduced three new Advanced Hunting tables in Microsoft Defender designed specifically to surface Microsoft Teams message metadata and enable deep investigations across both internal and external communications.

• MessageEvents: Captures metadata for all Teams messages containing URLs at the time of delivery.
• MessagePostDeliveryEvents: Surfaces messages that were flagged as malicious after delivery, including Zero-hour auto purge (ZAP) actions.
• MessageURLInfo: Provides granular details on URLs extracted from Teams messages.

These tables are now generally available in the Microsoft Defeder portal providing direct insight into Teams message flows.

SOC teams can now hunt across all external (federated) messages, not just messages that contain URLs. This is a major step forward in enabling cross-tenant threat detection and response, especially in today’s hybrid collaboration environments. All three tables are accessible via Advanced Hunting APIs and Streaming APIs, allowing SOC teams to integrate hunting workflows into their existing automation pipelines.

To further enhance visibility, we’ve added a new column called SafetyTip to both the MessageEvents and MessagePostDeliveryEvents tables. This column flags whether a URL warning tip was shown to the user in the Teams client, helping SOC teams distinguish between warning and block detections.

Figure 5: Hunt on message warnings

Third-party security information and event management (SIEM) solutions can also integrate with and utilize these hunting tables via the Microsoft Defender Streaming API. For instance, in Splunk, the new tables may be configured to automatically flow into your Splunk instance, supporting extended data retention by leveraging the latest version of the Microsoft Defender Splunk connector. It is important to ensure that the new Teams protection tables are selected during connector configuration to enable the continuous transfer of relevant data.

Figure 6: Connector config and version needed to connect to 3rd party SIEMs

Empower Security Teams to Act Against Threats

For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license

We’ve introduced a powerful new capability that gives security teams greater control and confidence when managing potential risks in Teams. With this feature, security admins can investigate suspicious conversations in Advanced Hunting and instantly remove internal users from unsafe chats, revoking their access and clearing all prior chat history to prevent further exposure. This proactive step ensures employees stay protected from threat actors and sensitive information remains secure.

The experience is streamlined through the Action Wizard, accessible directly from the Teams entity flyout, making remediation fast and intuitive. Every action is fully traceable in Action Center, providing a centralized view for monitoring and validating security interventions, while audit logs deliver records for reporting. These capabilities empower organizations to contain risks in real time, strengthen collaboration security, and maintain trust across their digital workplace.

Figure 7: remove a user from a conversation directly from the defender portal

Response capabilities for Security Teams

For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license

In addition to these enhanced detection, investigation and hunting capabilities, security team members are now able to perform advanced response actions for Microsoft Teams directly in the Microsoft Defender portal. Security Operations Center (SOC) analysts and admins can directly block malicious domains from within the Microsoft Defender portal, seamlessly adding targeted entries to the Teams Admin Center (TAC) blocked domains list without leaving their security workflows and switching portals. This capability enables near real-time protection when suspicious or abusive external organizations are identified. SOC teams can immediately block suspicious organizations, effectively halting new external chat messages, invites, and channel communications from those domains while deleting existing ones. These controls empower organizations to react to emerging risks in minutes, all while maintaining compliance and reducing operational overhead.

Figure 8: Block domains in Teams via TABL

Expanding Admin Quarantine and Zero-Hour Auto-Purge (ZAP) to MDO P1

We are also extending the power of Zero-hour auto-purge (ZAP) and Teams admin quarantine to even more customers, bringing this post-delivery protection layer to Microsoft Defender for Office 365 Plan 1. This reinforces our commitment to secure-by-default protection across all Microsoft Teams environments.

ZAP automatically moves malicious messages containing phishing or malware URLs from internal Teams chats and channels to admin quarantine in the Microsoft Defender portal. This post-delivery protection ensures that even if a threat evades initial detection, it can be neutralized before causing harm.

This capability will be enabled by default for all Microsoft Teams customers with Microsoft Defender for Office Plan 1, providing immediate protection without requiring additional configuration. Security admins maintain full control through the Microsoft Defender portal, where quarantined Teams messages can be reviewed, managed, and released if needed. This expansion ensures more customers benefit from continuous, automated threat removal, strengthening protection across Teams with no extra effort required

These new protections reflect our commitment to delivering security that scales effortlessly with the way people work today. By combining real-time detection, post-delivery protection, and user-driven feedback loops, we’re giving organizations the tools to stay ahead of emerging threats without slowing down collaboration.

These capabilities are engineered to operate efficiently in the background, providing assurance and proactive security measures. This enables frontline workers, IT administrators, and SOC analysts to concentrate on their core responsibilities while maintaining a secure working environment.

To learn more

1. https://learn.microsoft.com/defender-office-365/mdo-support-teams-about
2. https://learn.microsoft.com/defender-office-365/mdo-support-teams-quick-configure
3. https://learn.microsoft.com/defender-office-365/mdo-support-teams-sec-ops-guide