Microsoft Teams Enables Security Defaults on January 12
Tenants using default settings will get automatic protection against weaponizable file types and malicious URLs. Administrators who want to opt out must act before the rollout.
Starting January 12, 2026, Microsoft Teams will automatically enable three security features for organizations that haven't changed their default messaging settings. The update blocks potentially dangerous file attachments, warns users about suspicious links, and adds a way to report false positives when legitimate content gets flagged.
Organizations that previously customized their Teams messaging safety settings won't see any changes. This rollout targets tenants still running with Microsoft's original defaults.
What's Changing
The update activates three features simultaneously:
Weaponizable File Type Protection
Teams will block messages containing file types commonly used in malware attacks. When someone tries to send a dangerous attachment, the entire message—including any text—gets blocked. Senders see a notification explaining why their message was rejected and can edit to remove the problematic file.
The blocked file extensions include executables, scripts, and archive formats attackers frequently weaponize:
Executables: exe, dll, com, scr, pif, msi, msp, mst, msix, appx, app, apk, deb
Scripts: bat, cmd, vbs, vbe, vb, wsc, wsf, wsh, ps1, hta, jnlp
Archives and disk images: iso, img, cab, arj, lha, lzh, ace
Other dangerous types: lnk (shortcuts), reg (registry files), lib, library, sys, ani, elf, macho, kext, dex
The full list covers dozens of extensions security teams have flagged as common attack vectors. Most organizations won't miss these file types in legitimate business communication.
Malicious URL Detection
Links shared in Teams messages will be scanned against known phishing sites and malicious domains. When Teams detects a suspicious URL, it displays a warning label before users can click through.
This builds on Microsoft's existing Safe Links infrastructure but applies specifically to Teams chat and channel messages. The scanning happens in real time, meaning newly identified threats get caught even in ongoing conversations.
False Positive Reporting
To prevent the security features from blocking legitimate content too aggressively, Microsoft added a feedback mechanism. Users can report when they believe a file or link was incorrectly flagged. These reports feed into Microsoft's detection algorithms to reduce future false positives.
Why Microsoft Made This Change
Teams has become a primary communication channel for many organizations, and attackers have noticed. Phishing campaigns increasingly target Teams messages because employees often trust content from colleagues more than email from external senders.
Weaponizable file attachments in Teams bypass email security controls entirely. An attacker who compromises one account can spread malware directly to that user's contacts without triggering email-based detection. Enabling these protections by default closes a gap that security-conscious organizations had to configure manually.
Who Is Affected
The January 12 rollout applies to tenants meeting both conditions:
- The tenant uses the default messaging safety configuration
- The settings have not previously been modified in Teams admin center
Organizations that previously enabled, disabled, or customized any messaging safety options will see no changes. Microsoft preserves existing configurations.
What Administrators Should Do
If you want the new defaults: No action required. The features will activate automatically.
If you want to opt out: Navigate to Teams admin center > Messaging > Messaging settings > Messaging safety. Review the three options and disable any you don't want. Save your changes before January 12.
If you're unsure of your current settings: Check Teams admin center now. If the settings show as "Off" and you haven't touched them, you're running defaults and will receive the update.
Microsoft recommends administrators also prepare helpdesk staff. Users encountering blocked messages or URL warnings for the first time may need guidance on why content was flagged and how to proceed with legitimate files.
Security Team Considerations
The new defaults provide baseline protection but aren't a complete solution. Security teams should:
- Review the blocked file type list - Determine if any blocked extensions are legitimately used in your organization
- Configure exceptions if needed - Add approved file types through Teams admin settings
- Monitor false positive reports - Watch for patterns indicating overly aggressive blocking
- Update user training - Explain the new warnings and what they mean
- Integrate with existing DLP - Ensure Teams protections complement your broader data loss prevention strategy
The weaponizable file blocking is particularly useful for preventing lateral movement after initial compromise. An attacker who gains access to one user's Teams account can't easily spread malware to contacts if those file types are blocked by default.
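One way to carry out the first review item above is to run an inventory of file names your users actually share against the extensions listed in this article. The script below is an added example, not Microsoft tooling; the sample inventory and the decoy-extension set are constructed, and matching on the final extension is an assumption, since the article does not say how Teams evaluates file names.

```python
from collections import Counter

# Extensions listed in the article (it notes the full list is longer).
BLOCKED = {
    "executable": "exe dll com scr pif msi msp mst msix appx app apk deb",
    "script": "bat cmd vbs vbe vb wsc wsf wsh ps1 hta jnlp",
    "archive_or_image": "iso img cab arj lha lzh ace",
    "other": "lnk reg lib library sys ani elf macho kext dex",
}
CATEGORY = {ext: cat for cat, exts in BLOCKED.items() for ext in exts.split()}
# Assumption: common document extensions used to disguise a payload name.
DECOYS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

def final_extension(name):
    """Lower-cased last extension; ignores paths, trailing dots and spaces."""
    base = name.strip().rstrip(". ").lower().replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base.lstrip("."):  # no extension, or a dotfile like .bashrc
        return ""
    return base.rsplit(".", 1)[-1]

def audit(filenames):
    """Return (Counter keyed by (category, ext), names with a decoy inner ext)."""
    hits, disguised = Counter(), []
    for name in filenames:
        ext = final_extension(name)
        if ext not in CATEGORY:
            continue
        hits[(CATEGORY[ext], ext)] += 1
        stem = name.strip().rstrip(". ")[: -(len(ext) + 1)]
        if final_extension(stem) in DECOYS:  # e.g. invoice.pdf.exe
            disguised.append(name)
    return hits, disguised

# Constructed sample inventory, e.g. exported from a file share listing.
SAMPLE = [
    "Q4-report.xlsx", "deploy.ps1", "Deploy-Prod.PS1", "invoice.pdf.exe",
    "vpn-client.msi ", "notes.txt", "ubuntu.iso", "shortcut.lnk",
    ".bashrc", r"C:\share\tools\cleanup.bat",
]

if __name__ == "__main__":
    hits, disguised = audit(SAMPLE)
    for (cat, ext), n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  .{ext:<6} {cat}")
    print("double-extension names:", disguised)
```

Extensions with high counts from known teams are the candidates to discuss before the rollout; double-extension names are worth a closer look regardless of the setting.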
Related Coverage
This update follows Microsoft's broader push to make security features opt-out rather than opt-in. The Tycoon2FA campaign we covered recently demonstrated how attackers exploit Microsoft services—making default protections increasingly important for organizations that don't have dedicated security staff to configure optimal settings.