Microsoft Teams to Enforce Messaging Safety Defaults
Microsoft is set to automatically enable key messaging safety features in Microsoft Teams for tenants using default configurations, starting January 12, 2026. The update will activate protections against weaponizable file types, real-time malicious URL detection, and a reporting mechanism for false positives, aiming to reduce the risk of malware and phishing attacks within enterprise collaboration environments. Organizations that have previously customized their messaging safety settings will not be affected by this change, as their preferences will remain in place.
End-users will experience changes such as warning labels on suspicious URLs and blocked messages when attempting to share high-risk file types. The reporting feature allows users to flag incorrect security detections, helping Microsoft refine its threat detection algorithms. IT administrators are advised to review and update their Teams configurations and internal documentation before the rollout to ensure a smooth transition and maintain desired security postures.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Teams secure messaging defaults scheduled to take effect
Starting on this date, Teams will enable protections against weaponizable file types, malicious URLs, and false-positive reporting by default for standard-configured tenants. Users will see blocked risky file transfers and warning labels on suspicious content unless administrators change settings beforehand.
Microsoft announces Teams messaging safety defaults will turn on automatically
Microsoft said it will automatically enable Teams messaging safety protections for tenants still using default configurations, as part of a secure-by-default effort. The change will not override organizations that have already customized their messaging safety settings.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Teams External Domains Anomalies Report Security Feature
Microsoft is introducing a new security feature for its Teams collaboration platform called the "External Domains Anomalies Report," aimed at enhancing the detection of suspicious or risky interactions with external organizations. This tool, scheduled for rollout in February 2026, will provide IT administrators with behavioral analytics to identify unusual communication patterns, such as sudden spikes in message volume to specific external domains or interactions with previously unseen domains. The feature is designed to address the growing security challenges posed by increased external collaboration and remote work, offering actionable intelligence to help prevent data leaks, social engineering attacks, and unauthorized use of third-party services. The report will be available for standard multi-tenant cloud environments via the Teams web platform and will help organizations maintain a balance between productive cross-organization work and robust data protection. In addition to this new reporting capability, Microsoft continues to enhance Teams' security posture by warning users about malicious links, improving protections against unsafe file types, and introducing features to block unauthorized screen captures and streamline client performance. The External Domains Anomalies Report represents a proactive step in giving administrators early visibility into potential threats arising from external communications.
Mar 21, 2026
Microsoft 365 message security changes: Teams user reporting expansion and Exchange Online false-positive quarantines
Microsoft is expanding end-user reporting capabilities in **Microsoft Teams** by enabling **Defender for Office 365 Plan 1** customers to report suspicious messages directly in Teams (Roadmap ID `531760`), a capability previously limited to Plan 2. The feature is intended to strengthen collaboration-platform defenses by letting users classify messages as **Security Risk** (suspected phishing/malware/spam) or **Not a Security Risk** (false positives), providing additional signals to SOC workflows and improving detection for chat-based social engineering such as **BEC-style** lures delivered via Teams; the rollout is expected to complete by late March 2026 and requires administrative enablement. Separately, Microsoft acknowledged an **Exchange Online** service issue in which legitimate emails were incorrectly marked as phishing/spam and quarantined, disrupting some users’ ability to send/receive email. Microsoft attributed the false positives to a **new URL rule** that misclassified certain legitimate URLs/domains as malicious due to evolving detection criteria; some previously quarantined messages may begin reappearing as mitigations roll out, but other emails may remain quarantined until the fix is fully deployed, and affected organizations are advised to review quarantine for missing legitimate mail.
Mar 21, 2026
Threat Actors Weaponize Microsoft Teams for Ransomware, Espionage, and Social Engineering
Microsoft has issued warnings about the increasing abuse of Microsoft Teams by both cybercriminals and state-sponsored threat actors for a range of malicious activities, including ransomware deployment, espionage, and social engineering attacks. The collaboration features and widespread adoption of Teams have made it a high-value target, with attackers exploiting its core capabilities such as messaging, calls, meetings, and video-based screen sharing at various stages of the attack chain. Threat actors have been observed conducting reconnaissance by enumerating directory objects and mapping relationships and privileges within Teams environments, often leveraging Microsoft Entra ID identities. Attackers may exploit federation tenant configurations to determine if external communication is permitted, which can be inferred from API responses. Microsoft has responded by strengthening default security through its Secure Future Initiative, but emphasizes that defenders must also utilize customer-facing security controls across identity, endpoints, data, apps, and network layers to harden Teams environments. The company provides detailed guidance for disrupting adversarial objectives, including recommendations for monitoring, detection, and response tailored to the unique risks of Teams. The attack chain often begins with reconnaissance and can progress to lateral movement, data exfiltration, or ransomware deployment, depending on the attacker’s objectives. Social engineering tactics, such as phishing via Teams chat or impersonation during meetings, have been reported as effective vectors for initial access. Microsoft highlights the importance of understanding the multi-tenant and cross-tenant communication features of Teams, which can be abused for lateral movement or to bypass traditional security boundaries. The guidance also addresses the need for robust logging and monitoring to detect suspicious activity, as well as the implementation of least privilege access and strong authentication measures. Organizations are urged to review their Teams configurations, especially regarding guest and external access, to minimize exposure. Microsoft’s recommendations are designed to complement existing security development lifecycle practices and provide actionable steps for enterprise defenders. The company continues to monitor evolving attacker techniques and update its security guidance accordingly. The warnings underscore the critical need for organizations to treat collaboration platforms like Teams as high-value assets requiring dedicated security strategies. By proactively implementing Microsoft’s recommended controls and maintaining vigilance, organizations can reduce the risk of compromise via Teams. The evolving threat landscape demonstrates that attackers are increasingly targeting collaboration tools as entry points into enterprise environments. Microsoft’s ongoing research and public advisories aim to equip defenders with the knowledge and tools necessary to counter these sophisticated threats.
Mar 21, 2026