Services
Affected Platforms
Summary
Microsoft Defender for Office 365 URL click alerts will now include Microsoft Teams, enabling detection of malicious link clicks in Teams messages. This feature, rolling out from February to May 2026, enhances alert visibility and investigation in the Defender portal for licensed organizations, with no user workflow changes.
Details
Introduction
We’re extending Microsoft Defender for Office 365 (MDO) URL click alerting to Microsoft Teams, giving security teams greater visibility into potentially malicious activity beyond email. By surfacing alerts when users click malicious or suspicious links in Teams messages, organizations can detect threats earlier, investigate faster, and respond more effectively—all from the Microsoft Defender portal.
This message is associated with Microsoft Roadmap ID 557549.
When this will happen:
- Public Preview (Worldwide): We will begin rolling out late February 2026 and expect to complete by early March 2026.
- General Availability (Worldwide): We will begin rolling out early March 2026 and expect to complete by mid-March 2026.
- General Availability (GCC, GCCH, DoD): We will begin rolling out early May 2026 and expect to complete by late May 2026.
How this affects your organization:
Who is affected:
- Organizations licensed for Microsoft Defender for Office 365 Plan 2
- Organizations licensed for Microsoft 365 E5
- Security admins and SOC teams monitoring alerts in the Microsoft Defender portal
- Users who send or receive Microsoft Teams messages containing URLs
What will happen:
- Two existing MDO alerts will now also trigger for Microsoft Teams URL clicks, in addition to email:
- A user clicked through to a potentially malicious URL
- A potentially malicious URL click was detected
- Alerts will appear on the Defender alerts page alongside existing alerts.
- Alerts will include the associated Teams message as evidence, providing richer investigation context.
- Teams signals will be included in incident correlation, helping connect related activity across email and Teams.
- Incident pages will surface Teams message data directly, reducing the need to switch investigation contexts.
- Automated investigation and response (AIR) will not be supported for the Teams URL click alerts.
- The feature is enabled by default for eligible tenants.
- No changes are made to user workflows.
What you can do to prepare:
- No action is required. The feature is automatically enabled for eligible tenants.
- Review alert workflows and incident response playbooks.
- Inform SOC and helpdesk teams about Teams-based alerting.
Learn more:
Alert policies in the Microsoft Defender portal | Microsoft Learn (will be updated before rollout)
Compliance considerations:
| Question | Explanation |
|---|---|
| Does the change alter how existing customer data is processed, stored, or accessed? | Microsoft Teams message data is accessed and surfaced as evidence within Microsoft Defender for Office 365 alerts and incidents when users click malicious or suspicious URLs. |
| Does the change alter how admins can monitor, report on, or demonstrate compliance activities? | Security admins gain additional alerting and investigation signals related to Microsoft Teams URL clicks within the Microsoft Defender portal, enhancing monitoring and incident correlation. |