Detect Microsoft Teams Attackers via External Domain Anomal

Microsoft is rolling out the External Domains Anomalies Report, a new security feature for Teams, designed to help IT administrators identify and respond to suspicious external communications before they escalate into data breaches.

This proactive monitoring tool, scheduled for global deployment in February 2026, addresses a critical security gap as threat actors increasingly exploit Teams for social engineering campaigns.

The External Domains Anomalies Report uses pattern analysis to establish baselines of normal communication behavior and flags deviations that could indicate security concerns.

The system monitors three key indicators: sudden spikes in messaging volume with external parties, first-time communications with previously unknown domains, and unusual engagement patterns that deviate from established norms.

When anomalies are detected, administrators receive actionable insights through a dedicated report, enabling security teams to investigate risky interactions before they result in data exfiltration incidents.

This feature arrives as threat actors like Black Basta have intensified social engineering attacks through Microsoft Teams.

Black Basta has been observed flooding victim inboxes with thousands of emails, then using Microsoft Teams chats to pose as IT help desk staff and convince users to install remote desktop support tools like AnyDesk, ultimately gaining remote access to their machines.

In late October 2024, the ransomware group added targeted users to Microsoft Teams chats with external users operating from newly created Entra ID tenants designed to appear as legitimate support staff.

The External Domains Anomalies Report will initially roll out to standard multi-tenant environments on the web platform starting February 2026 under Roadmap ID 536572.

Organizations can enable this feature through the Teams admin center by navigating to Notifications & alerts > Rules, selecting External domain anomalies, changing the status to Active, and choosing a Teams channel to receive alert notifications.

This capability builds on earlier Teams security enhancements, including warnings for malicious URLs and blocking risky file types in chats.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.