MC910976 - Microsoft Teams: Brand impersonation protection for Teams Chat

Updated January 24, 2025:November 27, 2024: We have updated the rollout timeline below. Thank you for your patience.

Coming soon to Microsoft Teams: A new feature to enhance the security in external collaboration. If your company allows external domains to contact your users in Teams, we will identify if an external user is impersonating a brand commonly targeted by phishing attacks during their initial contact with your user through Teams Chat. If we detect potential impersonation, we will show a high-risk alert to the user, notifying them to check for suspicious name/email and proceed with caution.

This message is associated with Microsoft 365 Roadmap ID 421190.

When this will happen:

Targeted Release: We will begin rolling out late October 2024 and expect to complete by late October 2024.

General Availability (Worldwide): We will begin rolling out mid-November 2024 and expect to complete by mid-February 2025December 2024 (previously mid-January)November).

How this will affect your organization:

Before this rollout: For organizations that have enabled Teams external access, user can receive messages from any user from external domain. Teams does not scan the sender for impersonation risks. When a user receives a chat invitation, the user can accept, or block, or preview the message. Note: Previewing the message does not put the organization at risk. 

After this rollout: If your organization enables Teams external access, we will check for potential impersonation activity when your user receives a message from an external sender for the first time. Your users will see a high-risk warning in the Accept/Block flow if we think there is potential impersonation risk, and users must preview the message before they can choose to Accept or block. If users choose to accept, we will prompt them again with potential risk before proceeding with Accept.

This security check will be done automatically. No admin configuration is required. Admins can check the audit log for impersonation attempts detected.

Teams detects an impersonation attempt in chat. In this case, the sender claims to be associated with Microsoft, but is not coming from a legitimate Microsoft domain:

When a user selects Preview their messages in the first screen, and then selects Accept, the user is alerted again to the potential for risk in this screen:

This feature will be on by default.

What you need to do to prepare:

This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to update any relevant documentation. We recommend that you educate your users on what the new high-risk Accept/Block screen means and remind users to proceed with caution.

Before rollout, we will update this post with revised documentation.