Published on January 27, 2025
Microsoft Teams to Launch Phishing Attack Alerts for All Users Next Month
Severity
Medium
Detail
Microsoft has announced an upcoming roll-out of a brand impersonation protection feature for Teams Chat, aiming to strengthen defenses against phishing attacks. This feature is expected to be available to all Microsoft 365 customers by mid-February 2025.
The feature will be enabled by default. It will automatically detect and alerts users of potential phishing attempts when organizations have external Teams access enabled. External access allows users from outside domains to send messages, which threat actors often exploit to impersonate trusted entities. By identifying these risks, the new system provides an added layer of security for organizations vulnerable to such attacks.
The security mechanism introduces high-risk warnings in Teams Chat’s Accept/Block process for messages received from external users for the first time. When a potential impersonation is detected, users must preview the message and will be presented with additional risk warnings before choosing to accept or block the sender. These proactive measures encourage caution and reduce the likelihood of falling victim to phishing attempts.
The security feature targets a common attack vector used by cybercriminals. Threat actors, including state-sponsored groups, ransomware operators, and access brokers, frequently leverage brand impersonation to compromise systems. One notable example involved Russian state-backed hackers, known as Midnight Blizzard, who targeted government employees through Teams phishing campaigns while masquerading as Microsoft tech support.
The new protection system automates impersonation detection without requiring administrator intervention. Organizations can also monitor audit logs to identify phishing attacks flagged by the feature, providing further insights into attempted compromises.
Recommendation
Microsoft highlighted the need to educate users on the new warning screens and their significance. The company recommends training users to understand the high-risk Accept/Block notifications and encouraging them to exercise caution when interacting with messages flagged as potentially risky.
Source