Microsoft is rolling out a new security feature for Teams designed to help IT administrators identify and respond to suspicious external communications.
The External Domains Anomalies Report represents the company’s latest effort to strengthen security controls as the platform increasingly extends communication beyond organizational boundaries.
Set to launch globally in February 2026, the monitoring tool aims to provide early warning signals of potential security risks without hampering legitimate business communications with external partners and clients.
How the External Domains Anomalies Report Works
The new feature uses pattern analysis to monitor how users within an organization communicate with external domains through Teams. It establishes a baseline of normal communication behavior, then flags deviations that could indicate security concerns.
Specifically, the system tracks three key indicators: sudden spikes in messaging volume with external parties, first-time communications with previously unknown domains, and unusual engagement patterns that deviate from established norms. Such behaviors could indicate that an account has been compromised.
When the system detects these anomalies, it surfaces actionable insights for administrators through a dedicated report. This gives security teams visibility into risky interactions before they escalate into data breaches or exfiltration incidents.
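The following added example is not Microsoft's code or algorithm. It applies two of the three indicators described above (volume spikes and first-time domains) to constructed message records. The record layout, the z-score test and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (day, internal user, external domain, messages sent).
# The field layout is an assumption, not a Teams export format.
RECORDS = [
    (1, "alice", "partner.example", 12), (2, "alice", "partner.example", 9),
    (3, "alice", "partner.example", 11), (4, "alice", "partner.example", 10),
    (5, "alice", "partner.example", 13),
    (1, "bob", "vendor.example", 4), (2, "bob", "vendor.example", 5),
    (3, "bob", "vendor.example", 3), (4, "bob", "vendor.example", 5),
    (5, "bob", "vendor.example", 4),
    # Day 6 is the day under review.
    (6, "alice", "partner.example", 12),
    (6, "bob", "vendor.example", 60),          # volume spike
    (6, "bob", "unknown-files.example", 7),    # domain never seen before
]

def find_anomalies(records, review_day, z_threshold=3.0, min_floor=1.0):
    """Flag volume spikes and first-contact domains on review_day."""
    history = defaultdict(lambda: defaultdict(int))  # user -> day -> total msgs
    known_domains = set()                            # tenant-wide baseline
    today = defaultdict(lambda: defaultdict(int))    # user -> domain -> msgs
    for day, user, domain, count in records:
        if day < review_day:
            history[user][day] += count
            known_domains.add(domain)
        elif day == review_day:
            today[user][domain] += count

    findings = []
    for user, per_domain in sorted(today.items()):
        for domain in sorted(per_domain):
            if domain not in known_domains:
                findings.append(("first_contact", user, domain))
        daily = list(history[user].values())
        if len(daily) < 3:
            continue  # too little history for a baseline; avoid noisy alerts
        # Floor sigma so very steady users do not alert on tiny changes.
        mu, sigma = mean(daily), max(pstdev(daily), min_floor)
        total = sum(per_domain.values())
        if (total - mu) / sigma > z_threshold:
            findings.append(("volume_spike", user, total))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(RECORDS, review_day=6):
        print(finding)
```

Raising `z_threshold` or `min_floor` trades fewer false positives for slower detection, which is the tuning decision administrators face with any baseline-driven report.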
The tool is designed to balance security oversight with the practical reality that many organizations regularly collaborate with external partners, vendors, and customers.
Microsoft has confirmed that the feature will initially roll out to standard multi-tenant environments on the web platform. However, the company has not yet clarified whether organizations will need additional licensing to access this capability or if it will be included with existing Teams subscriptions.
Microsoft’s Broader Security Push Amid Rising Threats
This external domain monitoring feature arrives as part of Microsoft’s ongoing effort to enhance security throughout 2025.
Microsoft has been working to strengthen Teams’ defenses against malicious URLs and file types, recognizing that collaboration platforms have become prime targets for threat actors.
Earlier this year, the company introduced malicious link warnings that alert users when they send or receive private messages containing URLs flagged as threats.
On the heels of that announcement, Microsoft also released a feature allowing users to report false positives—messages incorrectly flagged as threats. This addition may have stemmed from an overzealous response to an onslaught of cyberattacks.
In October, Microsoft disclosed that it had revoked more than 200 certificates used by a threat actor in a sophisticated campaign targeting Teams users. The attack used realistic but fake download links for Microsoft Teams.
The certificate revocation incident underscores why Microsoft is prioritizing Teams security enhancements. As remote and hybrid work models become permanent fixtures, collaboration platforms have evolved from optional tools into business-critical infrastructure. This shift has naturally attracted more sophisticated attacks, forcing platform providers to continually evolve their security capabilities to stay ahead of emerging threats.
What This Means for Enterprise Security Teams
The External Domains Anomalies Report addresses a real security gap for organizations that rely heavily on Teams for external collaboration.
By integrating this capability directly into Teams, Microsoft is making such behavioral analysis more accessible to organizations without extensive security operations infrastructure.
For security teams, this feature provides a new data source for threat hunting and incident investigation. Combined with other Teams security features and broader Microsoft 365 telemetry, it offers a more comprehensive view of potential insider threats, compromised accounts, or data exfiltration attempts.
As earlier releases showed when false positives rose, the key to this feature’s effectiveness will be establishing clear baselines and tuning alert thresholds.
Fortunately, the February 2026 timeline should give organizations several months to prepare and address any licensing questions.