Microsoft Defender for Office 365 Teams URL Protection Now Live


Microsoft Defender for Office 365 now protects Microsoft Teams from malicious URL clicks. Security teams receive instant alerts when users click dangerous links in Teams chats, channels, and meetings. Previously limited to email, this feature gives SOC analysts full visibility across collaboration platforms. It rolls out automatically to eligible tenants starting late February 2026.

Attackers increasingly target Teams for phishing and malware. They share malicious links that bypass traditional filters. Defender scans clicked URLs in real time and reviews 48-hour click history. Alerts include the exact Teams message as evidence for faster investigations.

Two alerts trigger automatically:

  • “A user clicked through to a potentially malicious URL”
  • “A potentially malicious URL click was detected”

The feature carries Microsoft Roadmap ID 557549 and Message Center ID MC1239187. No admin configuration is needed.

Coverage and Platforms

Defender monitors all Teams interaction types across platforms.

| Teams Area | Protected Now | Platforms Supported |
| --- | --- | --- |
| Private Chats | All URL clicks | Android, iOS, Mac, Web, Windows |
| Shared Channels | Channel message links | All desktop and mobile clients |
| Meeting Chats | In-meeting shared URLs | Teams desktop and web apps |

Alerts appear on the Defender portal Alerts page with Teams message context. Incidents correlate Teams and email threats automatically.

Rollout Schedule

Microsoft deploys in phases for stability:

| Phase | Start Date | End Date | Regions |
| --- | --- | --- | --- |
| Public Preview | Late Feb 2026 | Early Mar 2026 | Worldwide |
| General Availability | Early Mar 2026 | Mid Mar 2026 | Commercial tenants |
| Government Clouds (GCC) | Early May 2026 | Late May 2026 | GCC, GCCH, DoD |

Required Licenses:

  • Microsoft Defender for Office 365 Plan 2
  • Microsoft 365 E5

SOC Investigation Workflow

New alerts provide rich context:

Alert Details Include:

  • Teams message with malicious URL
  • User who clicked the link
  • Timestamp and client platform
  • 48-hour click history
  • Incident correlation with email threats

KQL Hunting Query:

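// URL evidence attached to Defender for Office 365 alerts from the last hour
AlertEvidence
| where Timestamp > ago(1h)
| where ServiceSource == "Microsoft Defender for Office 365"
| where EntityType == "Url"
// Keeps only alerts whose title contains the word "Teams"
| where Title has "Teams"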

The query returns URL evidence from Defender for Office 365 alerts raised in the last hour whose title contains "Teams". Run it in Defender XDR Advanced Hunting.
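
Because AIR does not cover these alerts, analysts have to rebuild the click history by hand. The query below is an added example, not Microsoft's or this article's own: it joins the URLs flagged in alerts to the 48-hour click log, per user, across Teams and email. It assumes the flagged URL is stored in AlertEvidence.RemoteUrl and that clicks are logged in UrlClickEvents with Workload set to "Teams" or "Email".

```kql
// Added example: 48-hour click history for URLs flagged in
// Defender for Office 365 alerts, grouped by user.
// Assumptions: flagged URL is in AlertEvidence.RemoteUrl; clicks are
// recorded in UrlClickEvents with Workload "Teams" or "Email".
let lookback = 48h;
let flagged =
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where ServiceSource == "Microsoft Defender for Office 365"
    | where EntityType == "Url" and isnotempty(RemoteUrl)
    // One row per flagged URL, with every alert that references it
    | summarize AlertIds = make_set(AlertId),
                AlertTitles = make_set(Title),
                FirstAlert = min(Timestamp)
        by Url = tolower(RemoteUrl);
UrlClickEvents
| where Timestamp > ago(lookback)
| where Workload in ("Teams", "Email")
| extend Url = tolower(Url)
// Keep only clicks on URLs that an alert has flagged
| join kind=inner flagged on Url
| summarize Clicks = count(),
            ClickedThrough = countif(IsClickedThrough == true),
            Workloads = make_set(Workload),
            FirstClick = min(Timestamp),
            LastClick = max(Timestamp),
            AlertIds = take_any(AlertIds),
            AlertTitles = take_any(AlertTitles)
    by AccountUpn, Url
// Users who bypassed the warning page come first
| order by ClickedThrough desc, LastClick desc
```

A row whose Workloads set contains both "Teams" and "Email" shows the same URL reaching a user through both channels, which is the correlation the incident view surfaces.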

Limitations and Next Steps

Automated Investigation and Response (AIR) is not yet supported for Teams alerts. Manual investigation is required.

SOC Preparation Steps:

  • Review alert volume expectations
  • Update incident response playbooks
  • Train analysts on Teams evidence
  • Test KQL queries now
  • Monitor rollout progress in Message Center

The feature is enabled automatically. No tenant configuration changes are needed.

FAQ

What Teams content gets monitored?

Chats, shared channels, and meeting conversations.

Which licenses enable Teams URL protection?

Defender for Office 365 Plan 2, M365 E5.

When does public preview begin?

Late February 2026 worldwide.

Does AIR work with Teams URL alerts?

No, manual investigation only currently.

Where do Teams alerts appear?

Microsoft Defender portal → Alerts page.
