By Staff Writer at LMG Security   /   Dec 17th, 2025

5 New-ish Microsoft Security Features & What They Reveal About Today’s Threats

Attackers don’t wait for vendors to publish roadmaps. They go where trust is highest, controls are weakest, and defenders are slowest to adapt.

Microsoft just announced a series of new-ish security features rolling out across Microsoft 365 in 2026. Some are genuinely new. Others are expanded, refined, or newly available to a wider set of customers. Taken together, they tell a very clear story about where attackers are succeeding today.

Attackers aren’t waiting for patch cycles or roadmap updates. They’re exploiting collaboration tools, identity workflows, and AI-powered productivity features right now—often by abusing trust rather than technical vulnerabilities.

In a recent Cyberside Chats episode, we broke down five of Microsoft’s most important upcoming security changes and what they reveal about the modern threat landscape. These updates aren’t theoretical defenses for future risks; they’re responses to attacker behavior we’re already seeing in incident response, tabletop exercises, and real-world breaches.

Below, we unpack what these updates are, why Microsoft is prioritizing them, and what CISOs, security leaders, and IT teams should be planning for as they head into 2026—even if Microsoft 365 isn’t your primary platform.

Collaboration Tools Are Now the Front Line

Email is no longer the primary battleground.

Attackers are shifting to Microsoft Teams, Slack, Zoom, Google Chat, and other collaboration platforms because employees inherently trust them more. Messages feel internal. Calls feel legitimate. Requests feel routine.

As discussed on the podcast, attackers are intentionally targeting collaboration tools because people tend to trust those communications more than traditional email. That trust gap is exactly what adversaries exploit.

This trend is backed by research. In 2025, Check Point documented how Microsoft Teams vulnerabilities enabled impersonation, spoofed notifications, and forged caller identities. While those issues have since been patched, the broader lesson remains unchanged: attackers go where trust already exists.

A separate 2025 academic phishing study analyzed more than 13,000 simulated attacks and found that internal-looking messages, personalization, and emotional cues significantly increase user susceptibility. These findings help explain why collaboration platforms—which inherently feel internal and familiar—have become such attractive targets.

Microsoft’s recent security updates clearly reflect this shift in attacker behavior.

Microsoft’s 5 New-ish Security Features Your Organization Should Implement

1) Suspicious Call Reporting in Teams: Closing a Longstanding Gap

One of the most impactful updates is suspicious call reporting in Microsoft Teams.

For the first time, users can flag unusual or suspicious Teams calls directly within the interface. Those reports feed into Microsoft’s detection systems to help identify malicious calling patterns.

This matters because Teams-based impersonation attacks are no longer edge cases. Over the past year, we’ve seen attackers pose as IT staff, HR, vendors, and executives via Teams calls—often following email bombing or MFA-fatigue campaigns. In one real-world scenario discussed on Cyberside Chats, an attacker nearly gained remote access by impersonating the help desk before endpoint controls stopped the attack.

This attack pattern is becoming so common that we’ve published a short explainer on how email bombing and IT helpdesk spoofing attacks frequently serve as the entry point into Teams-based social engineering.

Even for organizations that don’t use Microsoft 365, the lesson is universal: employees need an easy, intuitive way to report suspicious voice and chat interactions inside collaboration tools—not just email.

2) Expanded Defender for Office 365 Protections: Raising the Baseline

Microsoft is expanding Defender for Office 365 protections into lower licensing tiers, including Safe Links, anti-phishing, and collaboration-app protections.

“This is a lot like sprinklers in apartment buildings,” Sherri Davidoff, founder of LMG Security, said on the podcast. “Not everyone can afford critical security features at market prices, but that increases the risk that the whole building will burn down. When baseline protections are widely deployed, everyone is safer.”

For many organizations, this change represents a meaningful improvement in default protections—assuming these features are actually enabled and configured correctly. It also signals Microsoft’s recognition that collaboration platforms need the same level of baseline defense that email has had for years.

3) Monitoring External Collaboration: A Familiar Defensive Pattern

Another major update is Microsoft’s External Domains Anomalies Report for Teams. This admin-facing feature helps identify unusual cross-tenant behavior, such as new external domains, unexpected spikes in communication, or abnormal interaction patterns.

As Matt Durrin noted during the episode, this rollout mirrors how Microsoft previously responded to MFA-fatigue attacks. “It reminds me of when Microsoft rolled out number matching,” he said. “That wasn’t theoretical—it was a direct response to how attackers were actually bypassing MFA in the real world.”

The same logic applies here. Attackers are spinning up fake tenants, impersonating vendors, and abusing external collaboration features. Microsoft is responding by giving defenders better visibility into how collaboration is actually being used.

The broader takeaway applies across platforms. Slack Connect, Google Workspace sharing, and Zoom chat all introduce similar risks and deserve similar monitoring.
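The anomaly report described above is Microsoft's own feature, but the underlying logic (a baseline of known external domains and normal daily volume, with alerts on never-seen domains and sudden spikes) is something any team can reproduce against its own collaboration logs. The following is an added illustrative example written for this article, not Microsoft's code or the report's actual algorithm; the log records, domain names, and thresholds are constructed:

```python
"""Toy external-collaboration anomaly check over constructed Teams-style events.

Added example for illustration only: not Microsoft's External Domains
Anomalies Report, and not real log data. Each record is
(ISO date, internal user, external domain).
"""
from collections import defaultdict

# Constructed sample: a week of steady traffic with two known vendor tenants,
# followed by an observation day where a never-seen look-alike domain contacts
# several users and a known vendor domain suddenly spikes.
SAMPLE_EVENTS = [
    ("2025-11-24", "alice@corp.example", "vendor-a.example"),
    ("2025-11-24", "bob@corp.example", "vendor-a.example"),
    ("2025-11-25", "alice@corp.example", "vendor-a.example"),
    ("2025-11-25", "carol@corp.example", "vendor-b.example"),
    ("2025-11-26", "bob@corp.example", "vendor-a.example"),
    ("2025-11-26", "carol@corp.example", "vendor-b.example"),
    ("2025-11-27", "alice@corp.example", "vendor-a.example"),
    ("2025-11-28", "bob@corp.example", "vendor-b.example"),
    ("2025-12-01", "alice@corp.example", "vend0r-a.example"),
    ("2025-12-01", "bob@corp.example", "vend0r-a.example"),
    ("2025-12-01", "carol@corp.example", "vend0r-a.example"),
    ("2025-12-01", "dave@corp.example", "vend0r-a.example"),
    ("2025-12-01", "alice@corp.example", "vendor-b.example"),
    ("2025-12-01", "bob@corp.example", "vendor-b.example"),
    ("2025-12-01", "carol@corp.example", "vendor-b.example"),
    ("2025-12-01", "dave@corp.example", "vendor-b.example"),
    ("2025-12-01", "erin@corp.example", "vendor-b.example"),
    ("2025-12-01", "alice@corp.example", "vendor-a.example"),
]

# Constructed baseline window (five business days) and observation day.
BASELINE_DAYS = {"2025-11-24", "2025-11-25", "2025-11-26", "2025-11-27", "2025-11-28"}
OBSERVE_DAY = "2025-12-01"


def daily_counts(events):
    """Return ({domain: {date: event count}}, {domain: set of internal users})."""
    counts = defaultdict(lambda: defaultdict(int))
    users = defaultdict(set)
    for day, user, domain in events:
        counts[domain][day] += 1
        users[domain].add(user)
    return counts, users


def find_anomalies(events, baseline_days, observe_day, spike_factor=3.0, min_events=3):
    """Flag external domains that are new versus the baseline, or whose daily
    volume exceeds spike_factor times their baseline daily mean.

    Returns a sorted list of tuples:
      ("new_domain", domain, events_today, distinct_internal_users)
      ("spike", domain, events_today, baseline_daily_mean)
    """
    baseline = [e for e in events if e[0] in baseline_days]
    observed = [e for e in events if e[0] == observe_day]
    base_counts, _ = daily_counts(baseline)
    obs_counts, obs_users = daily_counts(observed)

    findings = []
    for domain, per_day in obs_counts.items():
        today = per_day[observe_day]
        if domain not in base_counts:
            # Never seen during the baseline window: worth a human look regardless of volume.
            findings.append(("new_domain", domain, today, len(obs_users[domain])))
            continue
        # Mean over every baseline day, counting quiet days as zero.
        mean = sum(base_counts[domain].values()) / len(baseline_days)
        if today >= min_events and today > spike_factor * mean:
            findings.append(("spike", domain, today, round(mean, 2)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_EVENTS, BASELINE_DAYS, OBSERVE_DAY):
        print(finding)
```

On the constructed sample this reports the look-alike domain as new (four distinct users contacted on its first day) and the known vendor as a spike (five events against a baseline mean of 0.6 per day), while the other vendor's single message stays quiet. The two thresholds are deliberately separate: a brand-new domain is reported even at low volume, since a single first contact is exactly how a vendor-impersonation tenant starts, whereas a known domain needs both a minimum event count and a multiple of its own history before it fires.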

4) Copilot Agent Mode: AI Productivity Meets Data Exposure

AI didn’t quietly slip into the enterprise—it arrived embedded in everyday workflows.

With Copilot Agent Mode, Microsoft is enabling AI to perform multi-step tasks across Word, Excel, Outlook, Teams, and SharePoint. Copilot inherits user permissions, meaning it can access whatever the user can.

That power comes with real risk.

As discussed on the podcast, Copilot doesn’t necessarily need access to everything a user can access, yet without proper data classification and sensitivity labels it may act on or summarize information that was never intended to be broadly exposed.

This challenge isn’t unique to Microsoft. Gemini, Slack GPT, and other AI assistants behave similarly. Organizations that haven’t invested in data governance are now seeing those gaps amplified by AI.
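To make the permission-inheritance point concrete, here is an added example (written for this article, not Microsoft's or any assistant's actual authorization code) that models an assistant acting with a user's permissions over a small document corpus. The documents, group memberships, label names, and the policy of which labels an assistant may process are all constructed; the point it shows is that an assistant that inherits user access sees everything the user can read unless labels are applied and enforced, and that unlabeled sensitive content is the gap labels cannot close on their own:

```python
"""Toy model of an AI assistant that inherits a user's permissions.

Added example for illustration only. Documents, groups and labels are
constructed; this is not Copilot's or any vendor's authorization logic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    name: str
    readers: frozenset  # principals (users or groups) allowed to read
    label: str          # sensitivity label; "" means the owner never labeled it


# Constructed corpus: one unlabeled document is sensitive in substance but
# was never classified, which is the governance gap the article describes.
DOCS = [
    Document("Q4-roadmap.docx", frozenset({"alice", "all-staff"}), "General"),
    Document("payroll-export.xlsx", frozenset({"alice", "hr-team"}), "Highly Confidential"),
    Document("merger-draft.docx", frozenset({"alice", "execs"}), ""),
    Document("lunch-menu.pdf", frozenset({"all-staff"}), "Public"),
]

# Constructed group memberships (user -> principals the user resolves to).
USER_PRINCIPALS = {
    "alice": {"alice", "all-staff", "hr-team", "execs"},
    "bob": {"bob", "all-staff"},
}

# Constructed policy: labels an assistant may read, summarize or act on.
AGENT_ALLOWED_LABELS = {"Public", "General"}


def user_readable(user, docs):
    """Documents the human user can open: ordinary ACL evaluation."""
    principals = USER_PRINCIPALS.get(user, {user})
    return [d for d in docs if d.readers & principals]


def agent_visible(user, docs, enforce_labels=True, allow_unlabeled=False):
    """Document names an assistant acting as `user` is allowed to process.

    The assistant starts from exactly the user's access (inherited permissions)
    and is then narrowed by label policy, if enforced. `allow_unlabeled`
    controls whether documents nobody classified are treated as safe.
    """
    visible = []
    for d in user_readable(user, docs):
        if not enforce_labels:
            visible.append(d.name)
        elif d.label == "":
            if allow_unlabeled:
                visible.append(d.name)
        elif d.label in AGENT_ALLOWED_LABELS:
            visible.append(d.name)
    return visible


def unlabeled_documents(docs):
    """Documents with no sensitivity label: the classification backlog."""
    return [d.name for d in docs if d.label == ""]


if __name__ == "__main__":
    print("no label enforcement :", agent_visible("alice", DOCS, enforce_labels=False))
    print("labels enforced      :", agent_visible("alice", DOCS))
    print("unlabeled allowed    :", agent_visible("alice", DOCS, allow_unlabeled=True))
    print("classification gap   :", unlabeled_documents(DOCS))
```

Running it for the over-privileged user shows the three regimes the article contrasts: with no label enforcement the assistant can process all four documents, including payroll data; with labels enforced and unlabeled content withheld, it sees only the two documents classified as General or Public; and if unlabeled content is treated as permitted, the unclassified merger draft comes back into scope. The last case is why classification work has to precede the rollout: the label policy is only as good as the labeling that backs it.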

5) Tenant Restrictions v2: Identity Is the New Perimeter

Microsoft’s Tenant Restrictions v2 in Edge for Business adds browser-level enforcement to block logins to unapproved Microsoft 365 tenants.

Why does this matter?

Because many data-leakage incidents today don’t involve malware at all. They involve users signing into personal accounts, uploading corporate files to unapproved tenants, or falling for look-alike identity attacks.

Tenant restrictions help enforce identity boundaries—reinforcing a broader shift in security strategy: identity is now the primary perimeter, not the network.

What Security Leaders Should Take Away

Microsoft’s roadmap reflects where attackers are applying pressure today and where defenders need to adapt for 2026:

  • Collaboration platforms are high-risk communication channels
  • Identity boundaries matter more than network boundaries
  • AI amplifies both productivity and exposure
  • Configuration gaps—not zero-days—drive many incidents

These are not Microsoft-specific problems. They are modern enterprise security problems.

A Practical Next Step

At LMG Security, we see these issues surface repeatedly during tabletop exercises and security program reviews.

If your organization is rolling out AI assistants, expanding collaboration tools, or re-evaluating identity controls for 2026, a targeted tabletop exercise or configuration review can help identify gaps before attackers exploit them. Let’s connect and discuss how we can help.

Modern attacks move quickly. The organizations that fare best are the ones that test assumptions, validate controls, and adapt before an incident forces the issue.

About the Author

LMG Security Staff Writer
