By Daniel Zinanti, Information Security Analyst, TraceSecurity
Remote collaboration platforms like Microsoft Teams have evolved from productivity tools into major components of an organization’s attack surface. With its explosive adoption over the last several years, Teams has become a prime target for phishing, business email compromise (BEC), and malicious link campaigns. Microsoft has now taken a notable step forward: extending its Defender for Office 365 Safe Links technology directly into Teams.
This update presents both opportunities and challenges for security practitioners, and it also directly impacts how we approach both phishing simulations and Microsoft 365 configuration reviews.
Microsoft has officially extended time-of-click URL scanning to the Teams ecosystem. This means any link shared in 1:1 chats, Group chats, or Teams channels can now be scanned at click time and blocked or warned on if identified as malicious or suspicious.
The Safe Links policy for Teams allows administrators to:
Enable or disable URL scanning within Teams
Configure user notification behavior
Control exceptions or overrides
Determine which users or groups receive protections
The rollout has already begun across tenants, and in many cases, the feature is enabled by default, making it a new baseline layer of protection inside collaboration tools.
However, like all automated security controls, this is not a silver bullet. Attackers will inevitably evolve their approach, and that’s where our services remain critical.
Teams is no longer a side channel. It is a full-scope threat vector. For third parties, this impacts both sides of our service line:
Teams-based phishing simulations
Microsoft 365 security and configuration reviews
Our phishing simulations have historically emphasized email as the primary attack vector. While Teams has always been part of the collaboration threat landscape, its built-in defenses were limited until now.
Safe Links in Teams shifts expectations and requires us to evolve our approach:
New attack surfaces
Attackers increasingly initiate phishing through Teams messages, external guest chats, and channel posts. Our simulations must now cover these modern entry points.
Baseline protections now exist
Because Safe Links may already warn or block malicious URLs, simulation scenarios must adapt. This may include testing techniques like:
Link cloaking
Delayed payload delivery
Socially engineered conversational context
Use of guest or federated access pathways
Our value increases
Organizations may incorrectly assume that built-in scanning makes Teams “safe now.” We must demonstrate whether those protections actually work, and where gaps remain.
Client expectation setting
Proposals and statements of work should clearly note that simulations will test Teams-based link protections and collaboration-layer phishing resilience.
From a configuration review standpoint, this change is now a required assessment item. We must evaluate:
Whether Safe Links for Teams is enabled
What policies are configured
Which users or groups are protected
Whether warnings can be bypassed
Whether administrators review alerts and logs
Since the feature may be enabled by default, it is critical to determine if clients:
Disabled it
Overrode Microsoft defaults
Failed to monitor or log events
Implemented inconsistent group policies
Teams is now a core element of organizational security posture. If we ignore this control during configuration audits, we miss a major part of the threat surface.
Here are highly actionable steps third-party cybersecurity firms can implement today:
Expand our scenario library
Include Teams-based lures such as channel posts, direct messages, shared files, and guest/federated chats.
Strengthen client communication
Explain that simulations will evaluate Teams as a phishing vector and validate user behavior.
Enhance remediation guidance
Provide tailored recommendations relating to Teams usage, including governance and external access.
Add Safe Links for Teams as a standard review item
Confirm status, scope, policy configuration, and exceptions.
Assess default vs. customized settings
Identify whether the organization has unintentionally weakened protections.
Evaluate logging and monitoring
Ensure Teams link-click events are recorded, accessible, and actionable.
Update our documentation and baselines
Include collaboration-layer protections as part of “minimum security posture,” not optional coverage.
Provide user-awareness recommendations
Safe Links helps, but user vigilance still matters. Training must adapt to the collaboration-first landscape.
Safe Links expansion into Teams is a major shift in Microsoft’s security model
Attackers will continue targeting Teams, but now they must work harder
Our phishing simulations remain essential and must evolve to keep pace with real-world attacker behavior
Our Microsoft 365 configuration reviews must now treat Teams URL scanning as a required control
Built-in protections are helpful, but layered security, user training, governance, monitoring, and incident response remain non-negotiable
The integration of Safe Links into Teams reinforces a simple truth: collaboration platforms are no longer peripheral; they are central to an organization’s security posture. As security professionals, we must adapt our phishing simulations, configuration reviews, and client guidance accordingly. Our mission remains unchanged: help organizations understand their true threat surface and build resilient, actionable defenses. Safe Links in Teams is one more tool in that mission, but it is not the last line of defense.
Connect with TraceSecurity to learn more.