Microsoft is introducing a long-anticipated phishing and spam alert feature to Teams.
Teams has long been a target for bad actors seeking access to organisations’ systems and data, primarily via phishing and spam attempts. IT admins have been lobbying for more robust capabilities within Teams that can protect users, particularly less tech- and internet-savvy users, from standard phishing and scam attacks. Microsoft is finally answering such calls.
The external phishing alert will be generally available in mid-February 2025, as outlined by the Microsoft 365 service update page:
“This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to update any relevant documentation. We recommend that you educate your users on what the new high-risk Accept/Block screen means and remind users to proceed with caution.”
Microsoft is enhancing phishing protections in Teams by introducing automatic security checks for first-time messages from external sources. Users will see an “Accept or Block” prompt over potentially suspicious chats, reminding them to assess the risk before proceeding. Organisations can disable external messaging entirely via the Microsoft Teams Admin Center to eliminate exposure to external threats.
However, Microsoft still urges companies to proactively train employees to recognise and report phishing attempts to strengthen overall cybersecurity defences.
While it’s unclear how effective this feature might be against the more advanced phishing strategies of expert and well-financed actors, it will hopefully safeguard users and organisations against the majority of standard attacks.
A Challenging Cybersecurity 2024 For Microsoft
Microsoft is clearly treating cybersecurity with the seriousness it warrants as bad actors become ever more sophisticated, especially after a trying 2024.
Microsoft has mobilised the equivalent of 34,000 full-time engineers for its Secure Future Initiative (SFI), a major effort to bolster its security infrastructure following high-profile breaches.
Microsoft launched the SFI in November 2023 in the wake of escalating cybersecurity threats, most notably the Storm-0558 attack in July. This breach was attributed to Chinese hackers exploiting vulnerabilities in Microsoft Exchange Online and compromising US government emails. In April 2024, the US Cyber Safety Review Board (CSRB) criticised Microsoft for failing to implement adequate preventative measures.
In response, Microsoft reinforced SFI with a stronger security framework and a commitment to adopting CSRB’s recommendations. The company also introduced new security principles and objectives, signalling a more proactive approach to safeguarding its platforms against evolving threats.
Additionally, in May, Microsoft said it was linking the fulfilment of security goals with executive compensation in an expansion of SFI. That was further refined in August when a leaked Microsoft memo stated that not creating substantial work around security could negatively impact every worker’s salary increases, promotions, and bonuses. This extension of the policy to every employee was intended to reinforce its commitment to “making security (its) top priority, above all else”.
However, there have still been notable incidents since the SFI expansion.
For instance, in October, it emerged that the ransomware group Black Basta had adopted a deceptive new tactic: impersonating Microsoft Teams IT support to breach enterprise systems and steal sensitive data. Their approach involves bombarding targeted employees with spam emails and then masquerading as the Microsoft helpdesk to offer assistance in resolving the issue.
Meanwhile, just before Christmas, it was confirmed that cybercriminals were targeting Teams users with “vishing” attacks.
As Trend Micro initially reported, cybercriminals are exploiting social engineering tactics via Teams calls to impersonate user clients and gain remote system access. This technique, known as vishing (voice phishing), mirrors traditional phishing by deceiving individuals into revealing sensitive information or granting access. However, unlike email-based phishing, vishing occurs over the phone or through calling apps, making it harder to detect and prevent.