Microsoft is expanding its threat detection capabilities by extending Microsoft Defender for Office 365 (MDO) URL click alerting into Microsoft Teams.
The update lets security teams detect, investigate, and respond to potentially malicious link clicks in Teams messages, extending URL click monitoring beyond the traditional email vector.
Surfacing these clicks as alerts gives organizations an earlier signal on phishing delivered through chat, before a harvested credential or dropped payload is used to move further into the environment.
Key Feature Enhancements
With this integration, two existing MDO alerts will also trigger for Teams messages:
- A user clicked through to a potentially malicious URL.
- A potentially malicious URL click was detected.
These alerts surface directly on the Microsoft Defender alerts page alongside standard email alerts.
To provide richer context, the alerts include the specific Teams message as investigation evidence, reducing the need for analysts to switch platforms.
Teams signals will also be natively included in incident correlation, automatically linking related threat activity across environments.
According to researcher Steven Lim, this automated integration requires no workflow changes for end users but significantly boosts the efficiency of Security Operations Center (SOC) teams.
Note that Automated Investigation and Response (AIR) is not currently supported for these specific Teams alerts, so triage and remediation of a Teams URL click alert remain manual analyst tasks.
| Affected Category | Description and Eligibility Requirements |
|---|---|
| Eligible Licenses | Organizations licensed for Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5. |
| Security Teams | Security admins and SOC analysts monitoring alerts in the Microsoft Defender portal. |
| End Users | Individuals sending or receiving Microsoft Teams messages containing embedded URLs. |
| System Status | The feature is enabled by default for all eligible tenants; no manual activation is required. |
Organizations should begin reviewing incident response playbooks to accommodate these new Teams-based signals.
The official rollout follows a structured timeline based on the organization’s tenant type.
| Release Phase | Rollout Start Date | Expected Completion Date |
|---|---|---|
| Public Preview (Worldwide) | Late February 2026 | Early March 2026 |
| General Availability (Worldwide) | Early March 2026 | Mid-March 2026 |
| General Availability (GCC, GCCH, DoD) | Early May 2026 | Late May 2026 |
For proactive threat hunting, security teams can use Advanced Hunting in Microsoft Defender XDR to track these specific alerts.
Below is a sample Kusto Query Language (KQL) query that lists recent MDO URL alert evidence whose alert title mentions Teams:
```kql
// Recent URL evidence attached to MDO alerts whose title mentions Teams.
// Adjust ago(1h) to the lookback window your hunt needs.
AlertEvidence
| where Timestamp > ago(1h)
| where ServiceSource == @"Microsoft Defender for Office 365"
| where EntityType == @"Url"
| where Title has "Teams"
```
The suggested notification flow once the query is saved as a custom detection rule: custom detection triggered -> email notification -> SecOps Teams channel / monitoring mailbox.
Action Items for Security Teams
To ensure a smooth transition, security administrators should complete several preparation steps:
- Update existing SOC documentation to include Microsoft Teams message analysis.
- Inform internal security analysts about the new alerting mechanism so they can handle potential escalations.
- Integrate the provided KQL query into custom detection rules to automate SecOps notifications.
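The query on this page filters alert evidence by title text, which is fragile if Microsoft later rewords the alert. The following query is an added example, not code from the article or from Microsoft, that instead starts from the raw Safe Links click records in the UrlClickEvents table, keeps only clicks that originated in Teams, and joins the matching MDO URL alert where one fired. It is written so it can be saved as a custom detection rule (the output carries Timestamp, ReportId and AccountUpn). It assumes that the Workload column takes the value "Teams" for Teams-originated clicks and that the two alert titles match the wording quoted above.

```kql
// Added example: hunt Teams-originated Safe Links clicks with a threat verdict and
// attach the corresponding MDO URL alert, if any. Not part of the original article.
// Assumption: UrlClickEvents.Workload == "Teams" identifies clicks made from Teams.
let lookback = 24h;
let teamsClicks =
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | where Workload == "Teams"
    | where isnotempty(ThreatTypes)          // Safe Links returned a verdict (e.g. Phish, Malware)
    | project ClickTime = Timestamp, AccountUpn, Url, ActionType,
              IsClickedThrough, ThreatTypes, DetectionMethods, IPAddress, ReportId;
// Assumption: the alert titles below match the wording used by MDO for these two alerts.
let teamsUrlAlerts =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where ServiceSource == "Microsoft Defender for Office 365"
    | where Title in ("A user clicked through to a potentially malicious URL",
                      "A potentially malicious URL click was detected")
    | join kind=inner (
        AlertEvidence
        | where Timestamp > ago(lookback)
        | where EntityType == "Url"
        | project AlertId, RemoteUrl
      ) on AlertId
    | project AlertId, AlertTime = Timestamp, Title, Severity, RemoteUrl;
teamsClicks
// leftouter keeps clicks that produced no alert; those are the ones worth a manual look
| join kind=leftouter teamsUrlAlerts on $left.Url == $right.RemoteUrl
// custom detection rules require a Timestamp and ReportId column in the result set
| extend Timestamp = ClickTime
| project Timestamp, ReportId, AccountUpn, Url, ActionType, IsClickedThrough,
          ThreatTypes, DetectionMethods, IPAddress, AlertId, Title, Severity
| order by Timestamp desc
```

Rows where IsClickedThrough is true and AlertId is empty are the gap this rule is meant to close: a user in Teams reached a URL that Safe Links flagged, but no alert is attached, and since AIR does not cover these Teams alerts nothing will remediate automatically. When saving the query as a custom detection, set the frequency and the alert title to match the playbook entry created in the steps above; the leftouter join on URL alone can pair a click with another user's alert on the same URL, so add a time-window condition on AlertTime if that proves noisy in your tenant.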