Microsoft has unveiled a new security feature for its popular collaboration platform, Microsoft Teams, to combat phishing attacks through brand impersonation in external chats.
The feature, which will alert users to potential impersonation risks during initial contact from external domains, is set to roll out in phases starting late October 2024 and will be fully available worldwide by mid-February 2025.
The new security enhancement specifically targets scenarios where organizations allow external domains to communicate with their users via Teams. Cybercriminals often exploit such settings by impersonating trusted brands to initiate phishing attacks.
To counter this threat, Microsoft Teams will now scan messages from external senders during their first interaction with users. If the system detects a potential impersonation attempt, it will display a high-risk alert, urging users to carefully review the sender’s name and email address before proceeding.
This initiative is part of Microsoft’s ongoing efforts to bolster cybersecurity across its platforms. The feature aligns with Microsoft 365 Roadmap ID 421190 and underscores the company’s commitment to safeguarding users against increasingly sophisticated phishing schemes.
Microsoft Teams New Security Feature
The rollout will occur in two stages:
- Targeted Release (Preview): Starting in late October 2024, the feature will be made available to select users in the Targeted Release program, with this stage expected to be completed within the same month.
- General Availability (Worldwide): The broader rollout will begin in mid-November 2024 and is scheduled for completion by mid-February 2025. This timeline marks a slight adjustment from the previously announced completion date of mid-January 2025.
Currently, Teams users can receive messages from external domains if their organization has enabled external access. However, these messages are not scanned for impersonation risks. Users have the option to accept, block, or preview such messages without any additional safeguards.

Once the new feature is implemented:
- External messages will be automatically checked for potential impersonation risks during initial contact.
- If a risk is detected, users will see a high-risk warning in the Accept/Block flow.
- Users must preview the message before deciding whether to accept or block it.
- Even after choosing to accept a message, users will receive an additional prompt warning them of potential risks before proceeding.

This security check will be enabled by default and requires no administrative configuration. Administrators can monitor impersonation attempts through audit logs.
For organizations that allow external collaboration via Teams, this feature adds an extra layer of protection against phishing attacks without disrupting workflows.
Users are encouraged to remain vigilant and familiarize themselves with the new high-risk alert system. Previewing messages remains a safe option that does not expose organizations to additional risks.
Microsoft has emphasized that no administrative action is needed ahead of the rollout. However, organizations are advised to update internal documentation and educate employees about the new feature. Training should focus on recognizing high-risk alerts and understanding how to handle potentially suspicious messages.
Microsoft plans to provide updated documentation closer to the rollout date to help organizations prepare effectively.
As phishing attacks evolve, Microsoft’s proactive approach demonstrates its dedication to protecting users from malicious actors. By integrating advanced security features directly into Microsoft Teams, the company aims to create a safer environment for external collaboration while maintaining ease of use for its customers.
With this new feature set to go live by February 2025, Microsoft Teams users can look forward to enhanced protection against one of today’s most prevalent cybersecurity threats.
Recent Attacks Targeting Microsoft Teams
Threat actors, including groups linked to FIN7 and Storm-1811, have been posing as IT support personnel on Microsoft Teams. They exploit the platform’s default settings to contact employees under the guise of resolving technical issues.
Attackers often begin by overwhelming victims with thousands of spam emails (a tactic known as “email bombing”) to create urgency and confusion. Shortly after, they initiate contact via Teams, claiming to be from the organization’s help desk.
Victims are tricked into granting remote access through tools like Microsoft Quick Assist or Teams’ screen-sharing feature. Once access is obtained, attackers deploy malware, steal credentials, and move laterally across networks.
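The sequence described above (mail flood, then an external Teams chat, then a remote-assistance session) can be correlated per user on the defender's side. The following is an added example, not code from Microsoft or Sophos. The normalized event schema (`email_in`, `teams_external_chat`, `remote_assist_start`), the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def find_suspect_chains(events, burst_threshold=100,
                        burst_window=timedelta(minutes=30),
                        follow_window=timedelta(hours=2)):
    """Flag mail burst -> external Teams chat -> optional remote-assist session."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        mail = [e["ts"] for e in evs if e["type"] == "email_in"]
        # Sliding window: earliest time at which the burst threshold is reached.
        burst_at, start = None, 0
        for end, ts in enumerate(mail):
            while ts - mail[start] > burst_window:
                start += 1
            if end - start + 1 >= burst_threshold:
                burst_at = ts
                break
        if burst_at is None:
            continue
        chat = next((e for e in evs if e["type"] == "teams_external_chat"
                     and burst_at <= e["ts"] <= burst_at + follow_window), None)
        if chat is None:
            continue
        remote = any(e["type"] == "remote_assist_start" and
                     chat["ts"] <= e["ts"] <= chat["ts"] + follow_window for e in evs)
        findings.append({"user": user, "burst_at": burst_at,
                         "sender": chat["sender"], "remote_session": remote})
    return findings

def sample_events():
    """Constructed events: alice gets the full chain, bob only a normal day."""
    t0 = datetime(2025, 1, 15, 9, 0)
    evs = [{"ts": t0 + timedelta(seconds=10 * i), "user": "alice",
            "type": "email_in"} for i in range(150)]
    evs += [{"ts": t0 + timedelta(minutes=20 * i), "user": "bob",
             "type": "email_in"} for i in range(12)]
    evs.append({"ts": t0 + timedelta(minutes=40), "user": "alice",
                "type": "teams_external_chat",
                "sender": "helpdesk@external.example"})
    evs.append({"ts": t0 + timedelta(minutes=55), "user": "alice",
                "type": "remote_assist_start"})
    evs.append({"ts": t0 + timedelta(hours=3), "user": "bob",
                "type": "teams_external_chat", "sender": "vendor@partner.example"})
    return evs
```

In practice the three event types would be mapped from mail-gateway, Teams audit and endpoint telemetry, and the thresholds tuned to the organization's normal mail volume.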
Ransomware Attacks
These campaigns have been linked to ransomware operations, with attackers using their access to drop malicious files and execute ransomware payloads. For instance, the Black Basta ransomware has been deployed in some cases.
Sophos researchers observed over 15 incidents involving these tactics between November 2024 and January 2025, with a significant increase in activity in January 2025.