Microsoft Teams Will Strip EXIF Data From Shared Images

Microsoft has announced a significant update for its Teams platform, a move aimed at enhancing corporate privacy and operational security.

As part of the March 2026 feature rollout, Microsoft Teams will now automatically remove EXIF metadata from all images shared across chats and channels.

This privacy-by-default measure aims to protect users from unintentionally leaking sensitive location and device information to internal colleagues, external guest partners, or potential threat actors.

The Hidden Threat of EXIF Metadata

EXIF data is hidden text embedded inside digital photos. When capturing a picture, the file quietly records highly specific details.

This metadata often includes the exact GPS coordinates of where the photo was taken, the specific date and time, the device model, and the operating system version.

From a cybersecurity perspective, this hidden data is a goldmine for Open Source Intelligence (OSINT) gathering.

If an employee shares a seemingly harmless photo of their home office or a business trip, the embedded EXIF data could expose their residential address or real-time travel movements.

Cybercriminals frequently weaponize this metadata to craft targeted social engineering attacks or track high-value targets.

Recognizing this silent vulnerability, Microsoft has made EXIF data scrubbing a default, unchangeable feature in Teams.

Whenever a user uploads a photograph to a direct chat or a wider company channel, the platform automatically strips away the GPS location and device forensics before the image ever reaches the recipient.

Users no longer need to manually sanitize photos before sharing them. By automatically enforcing this security control at the platform level, Microsoft ensures that sensitive physical data remains private.

Employees can now share visual updates with absolute confidence, without risking accidental intelligence leaks.

If users have legitimate reasons to share original metadata, they must use an alternative method, such as a OneDrive sharing link.

Stricter Web Security Requirements

Other fundamental security updates for Teams accompany this EXIF data removal. Furthermore, Microsoft is tightening its technical requirements for web users.

By May 15, 2026, Teams on the web will strictly mandate the use of modern browsers that are ECMAScript 2022 (ES2022) compliant.

This forced phase-out of older, outdated browsers will help close legacy security loopholes and ensure all users operate within a hardened web environment.

For cybersecurity professionals, these updates represent a highly welcome shift toward secure-by-design principles.

Automatically stripping EXIF data might seem like a minor technical tweak, but it effectively eliminates a persistent blind spot in corporate communications.

As remote work thrives, these automated safeguards are essential for protecting enterprise privacy.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.