MC1187679 – Microsoft Teams: Protection against tenant-owned domain impersonation in Teams chat

Product:

Teams

Platform:

Android, iOS, Mac, Online, Web, Windows Desktop, World tenant

Status:

Launched

Change type:

New feature, User impact, Admin impact

Links:

526780

Details:

Summary:
Microsoft Teams will soon detect and warn users of tenant-owned domain impersonation in external chats, displaying high-risk alerts when suspicious. This feature, enabled by default for organizations allowing external access, launches December 2025 across all platforms with no admin controls or required actions.

Details:
[Introduction:]
Coming soon to Microsoft Teams: A new security feature to enhance external collaboration. If your organization allows external domains to contact users in Teams, we will identify if an external user is impersonating a domain owned by your tenant during their initial contact through Teams chat. If we detect potential impersonation, we will show a high-risk alert to the user, notifying them to check for suspicious name/email and proceed with caution.
This message is associated with Microsoft 365 Roadmap ID 526780.
[When this will happen:]
General Availability: Begins in early December 2025 and expected to complete by mid-December 2025.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:
General Availability

Created:
2025-11-19

updated:
2025-11-19

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

linked item details

XXXXXXX ... free basic plan only

Pictures

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

User Experience Impact
Users may experience confusion or frustration due to frequent high-risk alerts when external contacts attempt to impersonate their domain, potentially leading to delays in communication.
   - roles: End Users, Customer Support Representatives
   - references: https://learn.microsoft.com/microsoftteams/security-compliance-overview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=526780

Operational Impact
Increased workload for customer support as users may require assistance in understanding and responding to impersonation alerts, leading to longer resolution times for user queries.
   - roles: Customer Support Representatives, IT Support Staff
   - references: https://learn.microsoft.com/microsoftteams/security-compliance-overview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=526780

Training and Awareness Impact
Users may need additional training to understand the new impersonation alerts and how to respond appropriately, which could lead to temporary inefficiencies in communication.
   - roles: End Users, Training Coordinators
   - references: https://learn.microsoft.com/microsoftteams/security-compliance-overview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=526780

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

Enhanced User Training and Awareness Programs
With the introduction of high-risk alerts for domain impersonation, there is an opportunity to enhance user training and awareness programs. Educating users on recognizing phishing attempts and the importance of validating external contacts can significantly improve the overall security posture of the organization.
   - next-steps: Develop a training module focusing on recognizing phishing attempts, utilizing the new Teams feature as a case study. Schedule regular training sessions and create informative materials to distribute to users.
   - roles: IT Security Manager, Training Coordinator, HR Manager
   - references: https://www.microsoft.com/security/blog/2021/03/30/how-to-protect-your-organization-from-phishing/, https://www.csoonline.com/article/3534303/how-to-educate-employees-about-phishing.html

Improved Incident Response Procedures
The automatic detection of impersonation attempts provides an opportunity to refine incident response procedures. By integrating the insights gained from the audit logs of impersonation attempts, the IT department can develop more proactive and targeted responses to potential security threats.
   - next-steps: Review current incident response protocols and integrate findings from Teams' audit logs. Conduct a workshop with the IT security team to outline the updated response strategies based on new insights.
   - roles: IT Security Manager, Incident Response Team Lead, Compliance Officer
   - references: https://www.csoonline.com/article/3534303/how-to-improve-your-incident-response-plan.html, https://www.sans.org/white-papers/37141/

Audit Log Analysis for Continuous Improvement
With the ability to review audit logs for impersonation attempts, there is an opportunity to analyze these logs to identify patterns or trends in phishing attempts. This analysis can help in refining security measures and user training programs, ultimately leading to better protection against future threats.
   - next-steps: Set up a regular schedule for reviewing audit logs and analyzing data for trends. Use findings to adjust security policies and user training initiatives as necessary.
   - roles: IT Security Analyst, Data Analyst, Compliance Officer
   - references: https://www.microsoft.com/security/blog/2021/03/30/how-to-improve-your-security-posture-with-audit-logs/, https://www.csoonline.com/article/3534303/how-to-use-audit-logs-to-improve-security.html

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

Microsoft Teams is introducing a new security feature designed to protect users from potential impersonation threats when chatting with external contacts. Imagine this as a security guard at the entrance of a building, checking IDs to ensure that people entering are who they claim to be. This feature will automatically alert users if someone from outside the organization tries to impersonate a domain that belongs to the user's company.

For example, if your company's domain is "fabrikam.com" and you receive a message from someone using "fabrikarn.com," Teams will flag this as suspicious. This is similar to noticing a small but crucial difference in a person's ID, like a misspelled name, which could indicate a fake identity.

When Teams detects such a potential impersonation, it will display a warning message, much like a security alert, advising users to be cautious. Users will then have the option to preview the message safely before deciding whether to accept or block the contact. This is akin to having a conversation through a secure glass window before deciding to let someone into the building.

This feature will be enabled by default for all organizations that allow external access in Teams, and no additional setup or action is required from administrators. It's like having a built-in security system that operates automatically without needing any manual adjustments.

The aim is to provide an extra layer of protection against phishing attempts, ensuring that users can communicate safely and confidently with external contacts. This feature will be available across all platforms, including Android, iOS, Mac, and web versions of Teams, ensuring consistent security measures no matter how users access their Teams account.