Microsoft is strengthening its cybersecurity ecosystem by extending Microsoft Defender for Office 365 (MDO) URL click alerts to Microsoft Teams.
Previously focused on email threats, this update gives security teams crucial visibility into potentially malicious activity happening within Teams messages.
As attackers increasingly target collaboration platforms, this enhancement proactively notifies administrators when users click on dangerous links, helping organizations stop threats before they cause significant damage.
In recent years, threat actors have shifted their focus toward enterprise collaboration applications.
As organizations rely heavily on Microsoft Teams for daily operations, attackers exploit this trust by sharing malicious links in internal and external chats.
By integrating click-time protection directly into Teams, Microsoft closes a critical security gap.
This helps prevent users from falling victim to phishing campaigns, credential theft, and malware distribution that might otherwise bypass traditional security filters.
Threat Detection Enhancements
Identified under Microsoft Roadmap ID 557549 and Message ID MC1239187, the Defender portal will now monitor and generate alerts for suspicious URL clicks within Microsoft Teams chats, shared channels, and meeting conversations.
| Feature Area | New Update (Teams Integration) |
|---|---|
| Monitoring Scope | URL protection now monitors link clicks within Microsoft Teams chats, shared channels, and meetings. |
| Alert Triggers | Existing malicious URL alerts automatically trigger for Teams clicks. |
| Investigation Evidence | Security alerts now include the specific Teams message as direct investigation evidence. |
| Incident Correlation | Teams signals correlate with email data for unified threat tracking. |
| Automated Response | Automated Investigation and Response (AIR) is not yet supported for Teams URL click alerts. |
Two existing Defender alerts will now automatically trigger for Teams activity:
- A user clicked through to a potentially malicious URL.
- A potentially malicious URL click was detected.
When a user clicks a malicious link, Defender for Office 365 scans the URL and checks it for past threats to establish its reputation.
The system also includes a 48-hour lookback period to identify and alert security teams about any previous clicks on the same link before it was officially weaponized.
This feature is enabled by default for eligible tenants and requires no changes to user workflows. The capability provides coverage across Android, iOS, Mac, Web, and Windows Desktop platforms.
| Phase | Timeline |
|---|---|
| Public Preview (Worldwide) | Late February 2026 – Early March 2026 |
| General Availability (Worldwide) | Early March 2026 – Mid-March 2026 |
| General Availability (GCC, GCCH, DoD) | Early May 2026 – Late May 2026 |
This update is detailed in the Microsoft 365 Message Center notice MC1239187 (shared publicly by Steven Lim) and further summarized by Hands-on Tek’s “M365 Admin” blog.
Eligible licenses include Microsoft Defender for Office 365 Plan 2 and Microsoft 365 E5. This expansion significantly improves the efficiency of Security Operations Center (SOC) teams.
Alerts will appear directly on the Defender alerts page and include the associated Teams message as evidence, providing richer context for investigations.
Teams signals will be natively included in incident correlation, helping analysts connect related malicious activity across both email and Teams without switching investigation contexts.
For proactive threat hunting, security teams can utilize Advanced Hunting in Microsoft Defender XDR to track these specific alerts.
Below is a sample Kusto Query Language (KQL) query shared by Steven Lim to identify recent Teams-related malicious URL clicks:

```kusto
AlertEvidence
| where Timestamp > ago(1h)
| where ServiceSource == @"Microsoft Defender for Office 365"
| where EntityType == @"Url"
| where Title has "Teams"
```

However, Automated Investigation and Response (AIR) will not be supported for Teams URL click alerts.
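
Since these alerts are triaged manually rather than by AIR, the following added example (not part of the Message Center notice or Steven Lim's query) widens the window to the 48-hour lookback and returns one row per alert with the clicked URLs and the users involved. It assumes the alert also carries a user entity as evidence, with `EntityType` set to "User" and `AccountUpn` populated; the title filter is taken from the query above.

```kusto
// Added example: per-alert triage view for Teams URL click alerts.
// 48h matches the lookback period described in the article.
let TeamsUrlAlerts =
    AlertEvidence
    | where Timestamp > ago(48h)
    | where ServiceSource == @"Microsoft Defender for Office 365"
    | where Title has "Teams";          // same title filter as the query above
TeamsUrlAlerts
| where EntityType == @"Url"
// Collapse multiple URL evidence rows into one row per alert
| summarize Urls = make_set(RemoteUrl), FirstSeen = min(Timestamp) by AlertId, Title
| join kind=leftouter (
    TeamsUrlAlerts
    // Assumption: user evidence is attached to the same AlertId
    | where EntityType == @"User"
    | summarize Users = make_set(AccountUpn) by AlertId
  ) on AlertId
| project FirstSeen, AlertId, Title, Urls, Users
| order by FirstSeen desc
```

An alert whose `Users` column comes back empty has no user evidence attached in the assumed form, so open it in the Defender portal and review the linked Teams message directly.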
Security administrators do not need to take any manual action to enable this feature, as it rolls out automatically.
Organizations should review their alert workflows and update incident response playbooks to accommodate the new influx of Teams-based alerting.
IT helpdesk and SOC teams should be informed about these new signals to ensure a rapid response to collaboration-based threats.