Microsoft Teams URL-Scanning: Phishing simulations and configuration reviews

By
3 Minutes Read

By Daniel Zinanti, Information Security Analyst, TraceSecurity

Remote collaboration platforms like Microsoft Teams have evolved from productivity tools into major components of an organization’s attack surface. With its explosive adoption over the last several years, Teams has become a prime target for phishing, business email compromise (BEC), and malicious link campaigns. Microsoft has now taken a notable step forward: extending its Defender for Office 365 Safe Links technology directly into Teams.

This update presents both opportunities and challenges for security practitioners, and it also directly impacts how we approach both phishing simulations and Microsoft 365 configuration reviews.

What’s New: Safe links expands into Teams

Microsoft has officially extended time-of-click URL scanning to the Teams ecosystem. This means any link shared in 1:1 chats, Group chats, or Teams channels can now be scanned at click time and blocked or warned on if identified as malicious or suspicious.

The Safe Links policy for Teams allows administrators to:

  • Enable or disable URL scanning within Teams

  • Configure user notification behavior

  • Control exceptions or overrides

  • Determine which users or groups receive protections

The rollout has already begun across tenants, and in many cases, the feature is enabled by default, making it a new baseline layer of protection inside collaboration tools.

However, like all automated security controls, this is not a silver bullet. Attackers will inevitably evolve their approach, and that’s where our services remain critical.

Why This Change Matters for Third Parties

Teams is no longer a side channel. It is a full-scope threat vector. For third parties, this impacts both sides of our service line:

  • Teams-based phishing simulations

  • Microsoft 365 security and configuration reviews

Impact on Teams Phishing Simulation Services

Our phishing simulations have historically emphasized email as the primary attack vector. While Teams has always been part of the collaboration threat landscape, its built-in defenses were limited until now.

Safe Links in Teams shifts expectations and requires us to evolve our approach:

New attack surfaces

Attackers increasingly initiate phishing through Teams messages, external guest chats, and channel posts. Our simulations must now cover these modern entry points.

Baseline protections now exist

Because Safe Links may already warn or block malicious URLs, simulation scenarios must adapt. This may include testing techniques like:

  • Link cloaking

  • Delayed payload delivery

  • Socially engineered conversational context

  • Use of guest or federated access pathways

Our value increases

Organizations may incorrectly assume that built-in scanning makes Teams “safe now.” We must demonstrate whether those protections actually work, and where gaps remain.

Client expectation setting

Proposals and statements of work should clearly note that simulations will test Teams-based link protections and collaboration-layer phishing resilience.

Impact on Microsoft 365 Configuration Reviews

From a configuration review standpoint, this change is now a required assessment item. We must evaluate:

  • Whether Safe Links for Teams is enabled

  • What policies are configured

  • Which users or groups are protected

  • Whether warnings can be bypassed

  • Whether administrators review alerts and logs

Since the feature may be enabled by default, it is critical to determine if clients:

  • Disabled it

  • Overrode Microsoft defaults

  • Failed to monitor or log events

  • Implemented inconsistent group policies

Teams is now a core element of organizational security posture. If we ignore this control during configuration audits, we miss a major part of the threat surface.

How We Adapt: Recommended updates across our services

Here are highly actionable steps third-party cybersecurity firms can implement today:

For Phishing Simulation Services

  • Expand our scenario library
    Include Teams-based lures such as channel posts, direct messages, shared files, and guest/federated chats.

  • Strengthen client communication
    Explain that simulations will evaluate Teams as a phishing vector and validate user behavior.

  • Enhance remediation guidance
    Provide tailored recommendations relating to Teams usage, including governance and external access.

For Microsoft 365 Configuration Reviews

  • Add Safe Links for Teams as a standard review item
    Confirm status, scope, policy configuration, and exceptions.

  • Assess default vs. customized settings
    Identify whether the organization has unintentionally weakened protections.

  • Evaluate logging and monitoring
    Ensure Teams link-click events are recorded, accessible, and actionable.

  • Update our documentation and baselines
    Include collaboration-layer protections as part of “minimum security posture,” not optional coverage.

  • Provide user-awareness recommendations
    Safe Links helps, but user vigilance still matters. Training must adapt to the collaboration-first landscape.

Key Takeaways

  • Safe Links expansion into Teams is a major shift in Microsoft’s security model

  • Attackers will continue targeting Teams, but now they must work harder

  • Our phishing simulations remain essential and must evolve to keep pace with real-world attacker behavior

  • Our Microsoft 365 configuration reviews must now treat Teams URL scanning as a required control

  • Built-in protections are helpful, but layered security, user training, governance, monitoring, and incident response remain non-negotiable

Final Thoughts

The integration of Safe Links into Teams reinforces a simple truth: collaboration platforms are no longer peripheral; they are central to an organization’s security posture. As security professionals, we must adapt our phishing simulations, configuration reviews, and client guidance accordingly. Our mission remains unchanged: help organizations understand their true threat surface and build resilient, actionable defenses. Safe Links in Teams is one more tool in that mission, but it is not the last line of defense.

Connect with TraceSecurity to learn more.
Picture of TraceSecurity

TraceSecurity

TraceSecurity has provided over 30,000 examiner approved reports, helping credit unions of all sizes maintain compliance year after year. A CUNA Strategic Services provider since 2006, TraceSecurity helps credit unions with a range of cybersecurity services, including risk assessments, penetration testing and IT audits. With a combination of software and services, TraceSecurity can help credit unions manage their information security program and supplement it with third-party validation.

Author

Recommended For You