
Microsoft is expanding its security capabilities within Microsoft Teams by introducing malicious URL protection for private chats, a direct response to sophisticated phishing and ransomware campaigns that have targeted the platform’s 320 million users.1 This feature, currently in public preview, automatically scans URLs shared in private messages, group chats, and channels, providing real-time warnings to both senders and recipients if a link is identified as malicious.2 The development follows confirmed Black Basta ransomware attacks in mid-2024, where threat actors impersonated IT support personnel via Teams to deliver malicious links and QR codes.3 This update is part of a broader, coordinated effort to bolster phishing defenses across Microsoft’s productivity suite, which also includes new unverified sender warnings in Outlook Mobile.4
The new security layer operates by scanning URLs against Microsoft’s threat intelligence databases, which are managed by the Defender for Office 365 ecosystem.5 When a user attempts to send a link, or when a message containing a link is received, the system performs a reputation lookup. If the URL is flagged, a clear warning message is displayed within the chat interface, advising users to avoid interacting with the potentially dangerous content. This provides an immediate, in-context alert that can prevent successful phishing attempts.
For administrators, enabling this protection requires configuration within the Teams Admin Center or via PowerShell. The rollout is being managed in two distinct phases to allow for testing and gradual implementation. During the Targeted Release phase, which began in September 2025, the feature is off by default and must be manually enabled by an administrator.6 Crucially, in this initial phase, protection is only applied within a chat if every single participant has the feature enabled on their tenant. This ensures no degradation in functionality during early adoption but limits its initial effectiveness.
Administrative Configuration and Rollout Phases
The deployment of Malicious URL Protection is not a simple on/off toggle for all organizations. Microsoft has outlined a phased approach, with specific requirements for when the scanning and blocking will be active within a conversation. The feature’s effectiveness is contingent on the configuration status of all participants involved in a chat, a detail critical for organizations with extensive external collaboration. The general availability phase, scheduled for November 2025, will see the feature enabled by default. The protection logic will also change, requiring only one participant in a chat to have the feature enabled for the entire conversation to be protected.6
Administrators have two primary methods for configuration. The first is through the Teams Admin Center GUI, navigating to `Messaging settings` > `Messaging safety` and enabling the option to `Scan messages for unsafe URLs`.1 For organizations that manage their environments through PowerShell, the equivalent command is `Set-CsTeamsMessagingConfiguration -UrlReputationCheck "Enabled" -Identity Global`. This integration with existing management tools simplifies the process for security teams already familiar with the Microsoft 365 administration ecosystem.
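An idempotent way to apply the PowerShell setting described above, as an added example that is not from Microsoft or the original article: it reads the current value, changes it only when needed, and re-reads the configuration to confirm. It assumes the MicrosoftTeams PowerShell module is installed, that the signed-in account is a Teams administrator, and that `Get-CsTeamsMessagingConfiguration` exposes a `UrlReputationCheck` property matching the `Set-` parameter.

```powershell
# Added example: audit and enable Teams URL reputation scanning.
# Assumption: the Get- cmdlet returns a UrlReputationCheck property
# with the same name and values as the Set- parameter shown in the article.
[CmdletBinding(SupportsShouldProcess)]
param(
    # The article's command targets the Global (org-wide) configuration.
    [string]$Identity = 'Global'
)

Import-Module MicrosoftTeams -ErrorAction Stop
Connect-MicrosoftTeams | Out-Null

# Record the current state before changing anything (useful for change logs).
$before = Get-CsTeamsMessagingConfiguration -Identity $Identity
Write-Host "[$Identity] UrlReputationCheck before: '$($before.UrlReputationCheck)'"

if ($before.UrlReputationCheck -eq 'Enabled') {
    Write-Host 'URL reputation scanning is already enabled; nothing to do.'
    return
}

# -WhatIf / -Confirm are honoured here because of SupportsShouldProcess.
if ($PSCmdlet.ShouldProcess($Identity, "Set UrlReputationCheck to 'Enabled'")) {
    Set-CsTeamsMessagingConfiguration -Identity $Identity `
        -UrlReputationCheck 'Enabled' -ErrorAction Stop

    # Re-read instead of trusting the Set- call: confirm the stored value.
    $after = Get-CsTeamsMessagingConfiguration -Identity $Identity
    if ($after.UrlReputationCheck -eq 'Enabled') {
        Write-Host "[$Identity] UrlReputationCheck after: 'Enabled'"
    }
    else {
        Write-Warning ("[$Identity] UrlReputationCheck still reads " +
            "'$($after.UrlReputationCheck)'; re-check after the change propagates.")
    }
}
```

Saved as a script and run with `-WhatIf`, it reports the pending change without applying it.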
Differentiation from Existing Defender for Office 365 Protections
It is important to distinguish this new native Teams feature from the existing protections offered by Defender for Office 365 plans. The base Malicious URL Protection is available to all Teams users, regardless of their subscription tier. It provides a fundamental layer of security by blocking known-bad links at the time of sending or delivery. In contrast, Defender for Office 365’s Safe Links offering provides more advanced, click-time protection. Safe Links dynamically rewrites URLs and checks them at the moment a user clicks, offering defense against zero-hour exploits and time-bombed links that may become malicious after the initial message is sent.1
Another key difference is the post-delivery remediation capability of Defender for Office 365. Its Zero-hour Auto Purge (ZAP) feature can actively find and remove malicious messages that have already been delivered to a user’s mailbox or Teams chat. The new native feature lacks this retroactive clean-up ability, focusing instead on preemptive blocking. For organizations with Defender for Office 365, these features work in a complementary, layered defense strategy.
Context of the Evolving Threat Landscape
The impetus for this security enhancement is not theoretical. Analysis from security firms and news outlets has directly linked its development to a rise in attacks exploiting trusted communication channels. The Black Basta ransomware group, among others, identified Teams as a high-value target due to its pervasive use in enterprise environments and the inherent trust users place in messages received from colleagues or apparent external partners.3 Attackers frequently compromise the accounts of external vendors or partners and then use that trusted position to launch social engineering attacks from within a seemingly safe environment.
This attack vector is particularly effective because it bypasses many traditional email-focused security controls. An email from an unknown external sender might be treated with suspicion, but a chat message within an established Teams collaboration from a known contact name is far more likely to be clicked. As noted by IT consultancy Rocket IT, “Microsoft Teams is only as secure as the way it’s set up,” highlighting that while new features are vital, proper configuration of external access and security policies is equally important to mitigate risk.7
Parallel Security Initiatives: Outlook Mobile Warnings
Concurrent with the Teams update, Microsoft is rolling out a related security feature for Outlook Mobile on iOS and Android devices. This feature displays an “unverified sender” banner on emails that fail standard email authentication checks, namely SPF, DKIM, and DMARC.4 This is designed to combat spoofing and phishing, a threat that is especially potent on mobile devices where users are often distracted and email client interfaces can make traditional warning signs less obvious.
Unlike the Teams feature, which requires administrative configuration, the Outlook Mobile unverified sender banner is enabled automatically for all users and cannot be disabled by administrators. This indicates Microsoft’s commitment to applying baseline security protections universally. This mobile-focused update brings the application’s security posture in line with the desktop and web versions of Outlook, creating a consistent user experience and security baseline across all platforms.
Relevance and Strategic Recommendations
For security professionals, these updates represent a significant hardening of frequently targeted entry points. The Teams feature directly addresses a gap in social engineering defense that many organizations may not have adequately covered with existing tools. The fact that, once the feature reaches general availability, protection applies even if only one participant in a chat has it enabled lowers the barrier for overall ecosystem security, as a single security-conscious partner can help protect an entire conversation.
The immediate action item for administrators is to evaluate the current configuration of their Teams messaging policies. Enabling the `UrlReputationCheck` parameter should be considered a priority, especially for organizations that frequently collaborate with external entities. Furthermore, security teams should review and tighten their external access policies for Teams, ensuring that only necessary and verified domains are allowed to communicate with their users. This layered approach—combining platform-level security features with strict administrative policies—creates a more resilient environment.
While these new features provide valuable tools, they should be integrated into a broader security awareness training program. Users should be educated on the meaning of the new warning messages and encouraged to report them to their security teams. This human element remains a critical component of defense, turning individual warnings into collective threat intelligence that can be used to identify and block emerging campaigns more effectively.
In conclusion, the introduction of malicious URL protection in Microsoft Teams is a timely and targeted response to a confirmed and growing threat. By providing real-time, in-application warnings, Microsoft is adding a crucial layer of defense that can disrupt phishing campaigns at the point of execution. When combined with parallel enhancements in Outlook Mobile and a strategy of proper administrative configuration, these updates meaningfully improve the security posture of organizations relying on the Microsoft 365 ecosystem. Security teams should proactively enable and monitor these features as they become available.