Microsoft is implementing a significant shift in the default security posture of its Microsoft Teams collaboration platform, moving key messaging safety features from an opt-in model to being enabled by default for most tenants starting in January 2026 [1]. This change, detailed in Message Center notification MC1200576, is part of a broader suite of security enhancements rolling out in early 2026, including the expansion of Zero-Hour Auto-Purge (ZAP) to Teams and deeper integration with the Microsoft Defender for Office 365 stack [5], [7]. For security teams, these updates represent a substantial change in the threat surface and incident response workflow for one of the most widely used corporate communication tools.
The core update involves three specific “Messaging safety” protections in the Teams admin center. For any tenant using the default global configuration—meaning administrators have not manually adjusted these settings—Microsoft will automatically turn on Weaponizable File Type Protection, Malicious URL Protection, and the “Report Incorrect Security Detections” feature beginning January 12, 2026 [1], [4]. Organizations with custom configurations will see their existing settings preserved. The file protection blocks attachments with extensions like .exe or .js, while URL protection scans links in chats and channels. The reporting function, which requires Defender for Office 365 Plan 2, allows end-users to flag potential false positives directly from the warning message [1].
Administrator Review and Rollout Clarification
Microsoft advises administrators to proactively review their current settings before the January 12 rollout. The relevant configuration page is located at Teams admin center > Messaging > Messaging settings > Messaging safety [1], [4]. This review is critical because there has been some confusion in the rollout timeline. An earlier Message Center announcement (MC1148540) had prematurely indicated the feature was generally available and defaulted to “On,” leading some tenants to see the setting enabled. Microsoft has since clarified that the global default change was postponed to early 2026 [2], [6]. Tenants that previously saw the setting as “On” may now find it reverted to “Off” until the scheduled January update. This is a global configuration change and is not the result of individual admin or Defender policy modifications.
Zero-Hour Auto-Purge (ZAP) Comes to Teams
In a related and equally significant security update, Microsoft Defender for Office 365 Plan 1 will gain Zero-Hour Auto-Purge (ZAP) protection for Microsoft Teams messages. Starting January 6, 2026, this feature will be default-on for all Plan 1 tenants, with rollout completion expected in early to mid-January [5]. ZAP for Teams operates similarly to its email counterpart: after a message is delivered, if Defender later identifies it as phishing or containing malware, the system will automatically move the message from the user’s chat into the admin quarantine. This provides a critical post-delivery remediation capability for threats that evade initial detection.
The operational impact for security analysts will be a new location to monitor and manage quarantined items. Teams messages caught by ZAP can be reviewed in the Microsoft Defender portal under Security Portal → Quarantine → Teams [5]. Importantly, end-users receive no direct notification when a message they’ve sent or received is purged, placing the responsibility for investigation and communication on the security operations team. Organizations that wish to opt out of this auto-enablement have a window to do so between December 6, 2025, and January 5, 2026 [5].
Enhanced Security Management and Integration
The security updates extend beyond automated protections into administrative controls. A key integration point is the ability to block external users in Teams directly from the Microsoft Defender portal’s Tenant Allow/Block List (TABL). This feature, referenced in MC1200058 and rolling out in January 2026, allows security admins to block up to 4,000 domains and 200 email addresses, with actions logged for audit purposes [7]. This reflects a strategic move by Microsoft to centralize security policy management across its productivity and security suites, reducing the need to switch between the Teams admin center and the Defender portal for related tasks.
Further tightening external access controls, Microsoft’s official release notes detail several granular security features [9]. These include impersonation and brand protection for initial contact messages, the ability for users to report security risks in external chats, and controls to block chat access in meetings with external or anonymous users. New research data also highlights an external access invite flow where users are prompted to accept or block new 1:1 chats from unmanaged users, giving individuals more direct control [11]. For organizations requiring strict control, Microsoft recommends using PowerShell to manage external chat policies, such as modifying the UseB2BInvitesToAddExternalUsers attribute in TeamsMessagingPolicy [3], [8].
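The PowerShell route mentioned above can be run as an audit before anything is changed. The script below is an added example, not code from Microsoft or from the sources cited here; it assumes the MicrosoftTeams module and a Teams administrator sign-in, the `-Remediate` switch is a name made up for this example, and `$false` is assumed to be the restrictive value for the attribute.

```powershell
#Requires -Modules MicrosoftTeams
# Added example: report UseB2BInvitesToAddExternalUsers on every Teams
# messaging policy, then preview (or, with -Remediate, apply) disabling it.
param(
    # Hypothetical switch for this example: without it, changes are only previewed.
    [switch]$Remediate
)

Connect-MicrosoftTeams | Out-Null

$report = foreach ($policy in Get-CsTeamsMessagingPolicy) {
    # Older module versions may not expose the attribute; record that
    # explicitly instead of treating a missing property as "disabled".
    $prop = $policy.PSObject.Properties['UseB2BInvitesToAddExternalUsers']
    [pscustomobject]@{
        Identity  = $policy.Identity
        Exposed   = [bool]$prop
        B2BInvite = if ($prop) { $prop.Value } else { $null }
    }
}

# Full inventory, so custom policies are documented before any change.
$report | Sort-Object Identity | Format-Table -AutoSize

$unknown = $report | Where-Object { -not $_.Exposed }
if ($unknown) {
    Write-Warning ("Attribute not returned for: " +
        ($unknown.Identity -join ', ') + ". Update the MicrosoftTeams module.")
}

# Policies that currently allow the external invite flow.
$enabled = $report | Where-Object { $_.B2BInvite -eq $true }
if (-not $enabled) {
    Write-Output 'No messaging policy has UseB2BInvitesToAddExternalUsers enabled.'
    return
}

foreach ($item in $enabled) {
    # -WhatIf stays on unless -Remediate was passed, so the default run
    # is read-only and shows what would change.
    Set-CsTeamsMessagingPolicy -Identity $item.Identity `
        -UseB2BInvitesToAddExternalUsers $false `
        -WhatIf:(-not $Remediate)
}
```

Run it once without the switch and keep the table output with the change record; users assigned a custom policy are unaffected by changes to the Global policy, which is why every policy is listed.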
Broader Security Context and the “Chat with Anyone” Feature
These hardening measures arrive alongside the rollout of a new user feature called “Chat with Anyone,” which has raised concerns among security analysts [3], [8]. This feature allows users to start chats with external participants using only an email address, potentially simplifying the process for threat actors to initiate contact within what users may perceive as a trusted corporate environment. Experts warn this could expand the attack surface, making phishing and social engineering campaigns easier, as malicious files shared in Teams chats might bypass traditional email security filters [8]. The concurrent enabling of default security protections appears to be a direct counterbalance to the risks introduced by this increased connectivity.
The relevance of these changes for security professionals is multifaceted. For blue teams and SOC analysts, the automatic quarantine of Teams messages via ZAP introduces a new data source for incident investigation. Teams chat data, which may contain malicious links or files, will now appear alongside email in the Defender quarantine. This necessitates updated runbooks and training for analysts to review and release items if needed. The default blocking of weaponizable file types will reduce alert volume for endpoint protection tools but may also be tested by adversaries using alternative file extensions or delivery methods.
For red teams and threat simulation exercises, the new defaults change the operational landscape. The automatic scanning and blocking of common malware extensions within Teams will close a potential delivery channel, requiring testers to use more sophisticated file types or social engineering to bypass these controls. The “Report Incorrect Security Detections” feature also means that if a simulated phishing message is flagged, an aware user could report it, potentially generating a different type of alert for the blue team to analyze. Understanding these integrated protections is essential for crafting realistic attack simulations.
Actionable Recommendations for Security Teams
Based on the announced changes, security teams should take the following steps before January 2026:
- Audit Current Configurations: Review both the Messaging Safety settings in the Teams admin center and the ZAP/Defender configurations in the Defender portal. Document any custom settings to understand what will change.
- Make a Conscious Policy Decision: Determine if the new defaults align with organizational risk tolerance. Decide whether to allow the auto-enablement, customize settings (e.g., disabling certain protections), or opt out of ZAP for Teams within the provided window.
- Update Operational Processes: Inform helpdesk and SOC teams about the new user experiences (e.g., warning labels for blocked files/links) and new admin workflows, particularly reviewing the Teams message quarantine in the Defender portal.
- Reinforce User Training: Update security awareness materials to cover threats via Teams chats, educate users on the new “Report” function for false positives, and highlight the risks associated with unsolicited external chat requests, especially with the “Chat with Anyone” feature active.
In conclusion, Microsoft’s early 2026 security updates for Teams represent a concerted effort to harden the platform’s defenses by shifting the burden of security from optional configuration to a secure-by-default stance. The integration of Teams deeper into the Defender for Office 365 ecosystem, through ZAP and the Tenant Allow/Block List, provides security teams with more centralized control and remediation capabilities. However, these improvements are coupled with features that increase connectivity, underscoring the need for continuous vigilance, updated processes, and user education. For security professionals, these changes are not merely a configuration update but a significant evolution in the security model of a critical enterprise communication tool.
References
[1] Topedia Blog, “Microsoft will enable new messaging safety protections in Teams starting January 2026,” Dec. 21, 2025. [Online]. Available: https://topedia.com/blog/microsoft-teams-messaging-safety-defaults-january-2026
[2] Microsoft Q&A, “Messaging Safety was ON on Teams admin center which got turned off,” Dec. 15, 2025. [Online]. Available: https://learn.microsoft.com/en-us/answers/questions/1723453/messaging-safety-was-on-on-teams-admin-center-whic
[3] Paubox Blog, “New Microsoft Teams feature raises security flags,” Nov. 21, 2025. [Online]. Available: https://www.paubox.com/blog/new-microsoft-teams-feature-raises-security-flags
[4] A. van Grondelle, “Teams admin center: Messaging safety defaults changing to On by default,” LinkedIn, Dec. 20, 2025. [Online]. Available: https://www.linkedin.com/pulse/teams-admin-center-messaging-safety-defaults-changing-on-van-grondelle
[5] DMC Technology Group, “New Security Enhancement Coming to Microsoft Defender for Office 365: Zero-Hour Auto-Purge (ZAP) for Microsoft Teams,” Dec. 4, 2025. [Online]. Available: https://dmctechnologygroup.com/blog/new-security-enhancement-coming-to-microsoft-defender-for-office-365-zero-hour-auto-purge-zap-for-microsoft-teams
[6] Microsoft Q&A (en-ie), Duplicate of source [2], confirming the information.
[7] N. Á. Silva, “Office 365 changes – 15 to 19 December News #446,” Weekly Digest, Dec. 20, 2025.
[8] GBHackers / Cyber Security News, “New Microsoft Teams Feature Exposes Users to Phishing and Malware Risks,” Nov. 8, 2025. [Online]. Available: https://gbhackers.com/new-microsoft-teams-feature-exposes-users-to-phishing-and-malware-risks
[9] Microsoft, “Release notes for Microsoft Teams – Office release notes,” Dec. 12, 2025. [Online]. Available: https://learn.microsoft.com/en-us/officeupdates/teams-admin
[10] Microsoft Message Center Announcements (MC Codes): MC1200576, MC1200058, MC1133508, MC1200577, MC1194070, MC1198705, MC1182702, MC1139488, MC1139489, MC1199767, MC1197145, MC1197146, MC1200579, MC1199763, MC1198078, MC1198079, MC1186367, et al. (Dates ranging from Dec. 15, 2025 to Dec. 19, 2025).
[11] New Research Data: Extracted from Microsoft’s comprehensive Teams feature update list (as of Dec. 11, 2025), providing granular details on security controls, end-user features, and admin tools.