By adding Microsoft Defender for Office 365 (MDO) URL click alerts to Microsoft Teams, Microsoft is improving threat detection. Security teams can now identify, investigate, and prevent dangerous link clicks in Teams messages thanks to this update. It goes beyond email threats to identify threats before they become serious and prevent attackers from spreading throughout networks.

Important Feature Improvements

For Teams, two MDO alerts are currently active: "A potentially malicious URL click was detected" and "A user clicked through to a potentially malicious URL." These appear on the Microsoft Defender alerts page with the entire Teams message attached as evidence, so analysts can run quicker checks without switching platforms. Teams signals also join incident correlation, automatically connecting threats across tools.

No user modifications are required, according to researcher Steven Lim, but SOC efficiency increases.

For the time being, Automated Investigation and Response (AIR) ignores these alerts.

| Category | Description and Eligibility Criteria |
|---|---|
| Licenses That Qualify | Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 |
| Security Teams | SOC analysts and administrators in the Microsoft Defender portal |
| End Users | Anyone using URLs to send or receive Teams messages |
| System Status | Enabled by default; no activation is required |

| Release Phase | Rollout Start Date | Anticipated Finish Date |
|---|---|---|
| Global Public Preview | Late February 2026 | Early March 2026 |
| Worldwide General Availability | Early March 2026 | Mid-March 2026 |
| General Availability (GCC, GCCH, DoD) | Early May 2026 | Late May 2026 |

Features are released according to tenant type.

Playbooks should be updated immediately for Teams signals.

To hunt for Teams URL click alerts in Microsoft Defender XDR's Advanced Hunting:

```kql
// Alert evidence from the last hour, raised by Defender for Office 365
AlertEvidence
| where Timestamp > ago(1h)
| where ServiceSource == @"Microsoft Defender for Office 365"
// Keep URL evidence rows whose alert title mentions Teams
| where EntityType == @"Url"
| where Title has "Teams"
```

Pipe the results to email or Teams channels for alerts.

Action Items for Security Teams

- Update SOC docs for Teams message analysis.
- Introduce new alerts to analysts.
- Include KQL in the auto-notification rules.

By doing this, a Teams blind spot is closed, improving visibility against malware and phishing.
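For a notification rule, a per-URL summary is usually more useful than raw evidence rows. The query below is an added example, not taken from the original article or from Microsoft. It assumes that these alerts also carry `User` evidence rows with `AccountUpn` populated, that `RemoteUrl` holds the clicked link, and that the click-through alert title contains the words "clicked through"; the one-day lookback is an arbitrary choice.

```kql
// Added example: one row per URL, with the users named in the same alerts.
let lookback = 1d;   // assumption: adjust to match the rule's schedule
let TeamsUrlAlerts =
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where ServiceSource == @"Microsoft Defender for Office 365"
    | where EntityType == @"Url"
    | where Title has "Teams"
    | project AlertId, Title, RemoteUrl, AlertTime = Timestamp;
TeamsUrlAlerts
// Assumption: the same alert also has User evidence rows; leftouter keeps
// the URL row even when no user evidence is attached.
| join kind=leftouter (
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType == @"User"
    | project AlertId, AccountUpn
  ) on AlertId
// A click-through means the user went past the warning page, so rank it first.
| extend ClickedThrough = Title contains "clicked through"
| summarize
    Alerts = dcount(AlertId),
    ClickThroughs = dcountif(AlertId, ClickedThrough),
    Users = make_set(AccountUpn, 50),
    FirstSeen = min(AlertTime),
    LastSeen = max(AlertTime)
  by RemoteUrl
| order by ClickThroughs desc, Alerts desc
```

A URL that several users clicked, or that anyone clicked through, is the first candidate for a tenant block entry and a review of the originating Teams message.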