Brand Impersonation Protection for Teams Chat

Scammers are getting smarter, impersonating trusted brands to steal sensitive information. One wrong click could put your organization at risk! But don’t worry—Microsoft Teams is stepping up with brand impersonation protection for chats to keep you safe. This new feature is designed to prevent spam or phishing attempts from external chats in Microsoft Teams.

The rollout of this feature began in mid-November 2024 and is expected to be completed by mid-February 2025 (MC910976). Let’s take a deep dive into the feature!

What is Brand Impersonation?

Brand impersonation happens when attackers pretend to be trusted brands or individuals to trick victims into sharing confidential data. These attacks often involve phishing emails, fake login pages, or fraudulent customer support messages. Cybercriminals use brand impersonation to create realistic scenarios, leading users to click malicious links or share credentials.

With the widespread adoption of Microsoft Teams for business communication, impersonation risks have extended to Teams chat. Attackers may create lookalike domains or use slightly altered brand names to send fraudulent messages, aiming to steal sensitive information or spread malware. To counter this, the new feature has been introduced to help prevent phishing attempts in external collaboration.

How Does Brand Impersonation Protection in Teams Chat Work?

Microsoft Teams’ brand impersonation protection is designed to identify and alert users about external attackers impersonating trusted brands and messaging via Teams chat. Here’s how it works to help users avoid these attacks:

  1. First, Teams automatically scans external messages to detect potential brand impersonation.
  2. Then, if an external sender seems suspicious, Teams alerts the user.
  3. Finally, before engaging, the user receives a second warning to reinforce the risk.

User Experience: Brand Impersonation Protection in Teams Chat

As we all know, to send or receive messages from external domains in Teams, your organization must enable “Allow all domains” in the Teams external access settings.

Previously, Teams only displayed a general warning when users received external messages, without verifying potential impersonation threats. Now, with the brand impersonation protection feature, Microsoft Teams enhances security by identifying and alerting users to potential impersonation attempts. Let’s look in detail at how the user experience differs before and after this update.

Before the Rollout:

Previously, when users received messages from external domains, Microsoft Teams displayed a simple warning: “This person is from outside your organization”. However, it did not verify whether the sender was impersonating a trusted brand. Users had to rely on their own judgment to assess potential risks, and could accept, block, or delete chat requests from people outside their organization in Microsoft Teams. This made them more vulnerable to spam or phishing attempts from external chats in Microsoft Teams.

After the Rollout:

With the new brand impersonation protection feature for Teams chat, the process becomes more secure:

  • When an external user messages a Teams user for the first time, Teams will analyze the sender’s details (such as their name and email address) to detect potential impersonation attempts.
  • If a brand impersonation attempt is detected, users will see a high-risk alert with three key warnings:
    • Their name or email is suspicious.
    • You’ve never communicated with them before.
    • They’re outside your organization.

  • If the user chooses to accept the message after previewing it, a second warning will appear, reinforcing the potential risk. Then, the user can make a final decision on whether to proceed with the conversation or not.

Important: After this rollout, admins will be able to track brand impersonation attempts using Microsoft 365 audit logs. This provides greater visibility into potential threats, allowing admins to monitor suspicious activity more effectively.

Best Practices to Prevent Brand Impersonation Attacks in Microsoft Teams

Prevention is key! Before your organization falls victim to brand impersonation, take one of these three proactive steps to enhance security and stay protected. Here’s how:

  1. Block All External Domains: If your organization only operates internally and has no need to communicate with external vendors or partners outside your domain, then you can disable external access in Microsoft Teams to eliminate the risk of impersonation attacks.

  2. Allow Only Trusted External Domains: Some organizations must collaborate with specific external partners, such as third-party vendors, consultants, or business clients. In such cases, instead of allowing all external domains, admins can configure Teams to permit only those trusted domains.

  3. Block Suspicious or Untrusted Domains: If your security team identifies a domain frequently used in phishing attempts or impersonation attacks, you can block it from organizational settings in Microsoft Teams.
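
The three options above can also be applied from the Teams PowerShell module instead of the admin center. The following is an added example, not part of the original article: the function name `Set-TeamsExternalAccessMode` is hypothetical and the `.example` domains are placeholders, while the `Cs*` cmdlets come from the MicrosoftTeams module.

```powershell
#Requires -Modules MicrosoftTeams
# Hypothetical helper: applies ONE of the three external-access options.
function Set-TeamsExternalAccessMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('BlockAll', 'AllowList', 'BlockList')]
        [string]$Mode,
        [string[]]$Domain = @()
    )
    if ($Mode -ne 'BlockAll' -and $Domain.Count -eq 0) {
        throw "Mode '$Mode' needs at least one -Domain value."
    }
    # Capture the current settings so the change can be reviewed or rolled back.
    $before = Get-CsTenantFederationConfiguration
    Write-Verbose ("Before: AllowFederatedUsers={0}" -f $before.AllowFederatedUsers)

    # Honour -WhatIf / -Confirm before touching tenant-wide configuration.
    if (-not $PSCmdlet.ShouldProcess('Teams tenant federation configuration', $Mode)) { return }

    switch ($Mode) {
        'BlockAll' {   # Option 1: no external access at all
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
        }
        'AllowList' {  # Option 2: only the listed partner domains
            $list = New-Object 'System.Collections.Generic.List[string]'
            $Domain | ForEach-Object { $list.Add($_) }
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                -AllowedDomainsAsAList $list
        }
        'BlockList' {  # Option 3: all domains except the listed ones
            $patterns = $Domain | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                -AllowedDomains (New-CsEdgeAllowAllKnownDomains) -BlockedDomains $patterns
        }
    }
    # Return the resulting state for the change record.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains
}

Connect-MicrosoftTeams
# Dry run first: placeholder partner domains, nothing is changed with -WhatIf.
Set-TeamsExternalAccessMode -Mode AllowList -Domain 'partner.example', 'vendor.example' -WhatIf
```

Remove `-WhatIf` to apply the change; the signed-in account needs a Teams administrator role.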

FAQs:

  1. How to enable brand impersonation protection for Teams chat?

The feature will be automatically enabled by Microsoft as part of the rollout. No manual action is required from admins or users to enable it.

  2. What do admins need to do to prepare for brand impersonation protection?

Admins should educate users about the new high-risk Accept/Block screen and remind them to verify external senders before engaging.

In conclusion, this new brand impersonation protection for Teams chat helps users stay vigilant against phishing attacks while ensuring Microsoft Teams security. Organizations should take proactive steps in educating employees on these security enhancements to maximize protection. If you have any queries, please reach out to us through the comment section.

by Sudharshan