Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
Microsoft Teams has more than 320 million monthly active users, and attackers know it. According to UC Today’s 2026 security report, 57% of organizations now rank collaboration platforms like Teams as the biggest security risk in their tech stack, ahead of email. That’s because Teams handles chat, files, meetings, and voice calls in one place, and a compromised Teams account inherits that user’s access to all of it.
This guide covers the security settings most Canadian businesses never configure, the attacks targeting Teams right now, and a 10-point hardening checklist you can hand to your IT team today.
KEY TAKEAWAYS
- 57% of organizations identify collaboration tools as their top security risk (UC Today, 2026). Teams is the most targeted platform due to its deep Microsoft 365 integration.
- As of January 2026, Microsoft enabled weaponizable file type blocking and malicious URL scanning by default—but most other security settings still require manual configuration.
- Storm-2372, a threat group Microsoft assesses as aligned with Russian interests, has been targeting organizations since August 2024 with fake Teams meeting invites that carry device-code phishing lures (Microsoft Security Blog).
- Microsoft 365 Business Premium ($22 CAD/user/month) includes conditional access, DLP, and sensitivity labels, which cover the technical safeguards PIPEDA expects of an SMB, but only if they are actually configured.
Why Is Microsoft Teams a Growing Security Target?
Microsoft Teams isn’t just a chat app—it’s a gateway to your entire Microsoft 365 environment. Teams connects to SharePoint, OneDrive, Outlook, and Entra ID. Compromise one Teams account, and an attacker can access shared files, calendar data, email, and internal communications. That’s why threat actors are shifting from email-only phishing to Teams-based social engineering.
According to Check Point Research, four vulnerabilities discovered in 2025 allowed attackers to impersonate executives, manipulate messages, alter notifications, and forge identities in video and audio calls. Microsoft patched these by October 2025, but the pattern is clear: Teams is now a primary attack surface.
Microsoft’s own reporting backs this up. Its security team documented Storm-2372 using fake Teams meeting invitations to target government agencies, NGOs, and critical infrastructure since August 2024. Microsoft’s DART team later documented a Teams vishing campaign in which attackers impersonated IT support over voice calls placed inside Teams itself.
What Security Settings Does Microsoft Teams Include?
Teams inherits its security foundation from the broader Microsoft 365 platform: multi-factor authentication, conditional access policies, data loss prevention, and encryption in transit and at rest. But the Teams-specific settings that control guest access, external communication, file sharing, and meeting policies require separate configuration in the Teams Admin Center.
As of January 12, 2026, Microsoft switched several protective settings to “on” by default, according to Cybersecurity News:
- Weaponizable File Type Protection—blocks messages containing high-risk file extensions (.exe, .scr, .bat, .cmd)
- Malicious URL Protection—scans shared links in real-time to detect phishing sites
- EXIF Metadata Stripping—automatically removes location and device data from shared images
These defaults are a start, but they don’t cover guest access controls, external messaging policies, DLP rules, or meeting security—all of which remain off or permissive by default.
What’s Still Your Responsibility to Configure
| Setting | Default | Recommended | Risk If Ignored |
|---|---|---|---|
| Guest access | On | On with restrictions | Unvetted users access internal files |
| External messaging | Open to all domains, including unmanaged (consumer) Teams accounts | Allow-list only; consumer accounts blocked | Phishing via external chat |
| Third-party file storage | On (Dropbox, Box, Google Drive, ShareFile, Egnyte) | Off | Data leaks to unmanaged storage |
| Meeting lobby | Org users and guests bypass; anonymous users can join | Only org users bypass; guests and anonymous users wait, anonymous users cannot start | Unauthorized meeting access |
| DLP policies | Not configured | Active on chat + channels | Sensitive data shared in chat |
| Channel email ingestion | Open | Restrict to approved domains | External email injected into channels |
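The settings in the table above are all exposed through the MicrosoftTeams PowerShell module, which is how an MSP applies them consistently across tenants instead of clicking through the Teams Admin Center. The script below is an added example, not code from the original article or from Fusion Computing; the partner domains, the company domain and the output format are placeholders, and it assumes a Teams Administrator account and the MicrosoftTeams module. It applies the recommended column of the table and then reads every setting back as a pass/fail row, so the same function doubles as the quarterly check.

```powershell
# Added example (not from the original article): applies the Teams-side
# settings from the table above with the MicrosoftTeams module, then reads
# them back. Domain names below are placeholders; replace with your own.
# Requires: Install-Module MicrosoftTeams, Teams Administrator role.
#Requires -Modules MicrosoftTeams

Connect-MicrosoftTeams

# Constructed allow-list of partner domains (placeholder values).
$AllowedDomains = @('partner.example', 'client.example')
$CompanyDomain  = 'yourcompany.example'

# 1. External access: federate only with listed domains; block unmanaged
#    (consumer) Teams accounts and Skype consumer users entirely.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $AllowedDomains `
    -AllowPublicUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 2. Third-party storage off; channel e-mail only from approved SMTP domains.
Set-CsTeamsClientConfiguration -Identity Global `
    -AllowDropBox $false -AllowBox $false -AllowGoogleDrive $false `
    -AllowShareFile $false -AllowEgnyte $false `
    -AllowEmailIntoChannel $true `
    -RestrictedSenderList (($AllowedDomains + $CompanyDomain) -join ',')

# 3. Meetings: only authenticated org users bypass the lobby; anonymous users
#    may still join (they wait) but can never start a meeting.
Set-CsTeamsMeetingPolicy -Identity Global `
    -AutoAdmittedUsers 'EveryoneInCompanyExcludingGuests' `
    -AllowAnonymousUsersToJoinMeeting $true `
    -AllowAnonymousUsersToStartMeeting $false `
    -AllowPSTNUsersToBypassLobby $false

# 4. Guests: no editing or deleting of sent messages, no screen share by
#    default (organizers can still grant presenter rights per meeting).
Set-CsTeamsGuestMessagingConfiguration -AllowUserDeleteMessage $false -AllowUserEditMessage $false
Set-CsTeamsGuestMeetingConfiguration -ScreenSharingMode Disabled

# Read-back check: one row per control with Pass = $true/$false, suitable for
# re-running quarterly or pasting into a client report.
function Test-TeamsHardening {
    $fed = Get-CsTenantFederationConfiguration
    $cli = Get-CsTeamsClientConfiguration -Identity Global
    $mtg = Get-CsTeamsMeetingPolicy -Identity Global
    $lobbySafe = @('EveryoneInCompanyExcludingGuests', 'InvitedUsers', 'OrganizerOnly')
    $checks = @(
        @{ Control = 'Consumer Teams accounts blocked'; Pass = (-not $fed.AllowTeamsConsumer) },
        @{ Control = 'Federation allow-listed';         Pass = (@($fed.AllowedDomains.AllowedDomain).Count -gt 0) },
        @{ Control = 'Third-party storage off';         Pass = (-not ($cli.AllowDropBox -or $cli.AllowBox -or $cli.AllowGoogleDrive -or $cli.AllowShareFile -or $cli.AllowEgnyte)) },
        @{ Control = 'Channel e-mail restricted';       Pass = (-not [string]::IsNullOrEmpty($cli.RestrictedSenderList)) },
        @{ Control = 'Guests wait in lobby';            Pass = ($mtg.AutoAdmittedUsers -in $lobbySafe) },
        @{ Control = 'Anonymous cannot start meetings'; Pass = (-not $mtg.AllowAnonymousUsersToStartMeeting) }
    )
    $checks | ForEach-Object { [pscustomobject]$_ }
}

Test-TeamsHardening | Format-Table -AutoSize
```

Run the check function alone (without the `Set-` calls) against a tenant you have not touched yet and you will usually see four or five failures; that output is the gap list. Note that `AllowedDomainsAsAList` replaces the whole allow-list rather than appending, so keep the authoritative list in source control.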
The 10-Point Teams Security Hardening Checklist
Fusion Computing uses this checklist when onboarding new managed IT clients to Microsoft 365. It’s the same framework we apply across our 200+ Canadian endpoints. Each control maps to a real attack vector we’ve seen in the wild.
- Enforce MFA on every account. This isn’t optional. Multi-factor authentication blocks more than 99.9% of automated credential attacks, but not every attack: device-code phishing and help-desk vishing both succeed against MFA-enabled accounts because the victim completes the MFA prompt themselves. Use Microsoft Authenticator with number matching or FIDO2 keys, not SMS.
- Enable conditional access policies. Block sign-ins from unmanaged devices, unfamiliar locations, and non-compliant endpoints. This requires Entra ID P1 (included in Business Premium).
- Restrict external messaging to allow-listed domains. Don’t let anyone outside your organization send Teams messages to your staff. The “Chat with Anyone” feature rolled out in January 2026 expands this attack surface significantly.
- Disable third-party file storage. Block Dropbox, Google Drive, and Box inside Teams. Force all file sharing through SharePoint and OneDrive where your DLP and compliance policies apply.
- Configure meeting lobby controls. Only authenticated internal users should bypass the lobby. External guests wait for admission. This prevents meeting hijacking and eavesdropping.
- Deploy DLP policies on Teams chat and channels. Block sharing of credit card numbers, SINs, health records, and other sensitive data in chat. Microsoft Purview DLP integrates natively with Teams.
- Restrict guest access permissions. Guests shouldn’t be able to create channels, delete content, or access the full membership list. Scope their permissions to what they actually need.
- Block channel email from unapproved domains. Teams channels can receive email. Restrict this to your own domain and trusted partners—otherwise it’s a phishing vector.
- Enable audit logging and alerts. Stream Teams activity logs to Microsoft Sentinel or your SIEM. Set alerts for mass file downloads, unusual login patterns, and privilege escalations.
- Train employees on Teams-specific phishing. Staff need to recognize fake IT support calls inside Teams, external message warnings, and suspicious file-sharing requests. This isn’t covered by generic security awareness training—it requires Teams-specific scenarios.
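Checklist item 6 (DLP on chat and channels) is the one most often left at “we bought the licence.” The script below is an added example, not code from the original article or from Fusion Computing; it assumes the ExchangeOnlineManagement module, a Compliance Administrator role, and that your plan’s Purview entitlement includes DLP for Teams. The policy and rule names are placeholders; the sensitive information type names are Microsoft’s built-in ones. It creates the policy in test mode with notifications first, because a DLP rule that blocks false positives on day one is a DLP rule that gets switched off.

```powershell
# Added example (not from the original article): a Purview DLP policy scoped
# to Teams chat and channel messages that blocks Canadian SINs, credit card
# numbers and Canadian health numbers using built-in sensitive info types.
# Policy and rule names are placeholders.
# Requires: Install-Module ExchangeOnlineManagement, Compliance Administrator.
#Requires -Modules ExchangeOnlineManagement

Connect-IPPSSession

$PolicyName = 'Teams - Canadian PII'   # placeholder name

# Start in TestWithNotifications: users see the policy tip, nothing is blocked,
# and the incident reports tell you which SITs are noisy. Switch to
# -Mode Enable once the false-positive rate is acceptable.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Block SIN, credit card and health numbers in Teams messages' `
    -TeamsLocation All `
    -Mode TestWithNotifications

# Built-in SIT names; a single match is enough to trigger the rule.
$Sits = @(
    @{ Name = 'Canada Social Insurance Number'; minCount = '1' },
    @{ Name = 'Credit Card Number';             minCount = '1' },
    @{ Name = 'Canada Health Service Number';   minCount = '1' }
)

New-DlpComplianceRule -Name "$PolicyName - block" -Policy $PolicyName `
    -ContentContainsSensitiveInformation $Sits `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message contains personal information (SIN, card or health number) and is blocked by company policy.' `
    -ReportSeverityLevel High `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All

# Read back what was created so the change is verifiable in the ticket.
Get-DlpCompliancePolicy -Identity $PolicyName | Select-Object Name, Mode, TeamsLocation
Get-DlpComplianceRule -Policy $PolicyName |
    Select-Object Name, BlockAccess, ReportSeverityLevel, ContentContainsSensitiveInformation
```

Tune the `minCount` values and add a confidence level (`confidencelevel = 'High'` in the same hashtable) before enforcing; credit card matching in particular will flag 16-digit order numbers until you raise the confidence. The same policy can be extended to SharePoint and OneDrive by adding `-SharePointLocation All -OneDriveLocation All`, which is where Teams files actually live.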
How to Protect Microsoft Teams from Phishing and Social Engineering
Teams phishing doesn’t look like email phishing. It’s faster, more personal, and harder to spot because employees trust messages from within their collaboration platform more than email. According to a 2025 survey cited by Rocket.Chat, 79% of security leaders say collaboration tools create new threat vectors their teams aren’t prepared for.
The Three Teams Attack Patterns You Need to Know
1. Fake IT support calls (vishing). In the campaign Microsoft documented in March 2026, attackers called employees through Teams pretending to be the help desk, then walked them through installing remote access tools. The attack worked because Teams voice calls feel internal and trustworthy.
2. External message phishing. With the “Chat with Anyone” feature, external users can now message employees directly using just an email address. CyberPress researchers documented attackers using this to initiate chats posing as vendors, then sending malicious links.
3. Meeting invite spoofing (device code phishing). Storm-2372 sends fake Teams meeting invitations carrying a device-code phishing lure. The invite looks legitimate, but “joining” sends the victim to Microsoft’s genuine device-login page to enter a code the attacker generated. The victim signs in, MFA prompt included, on a real Microsoft page, and the attacker receives the resulting access and refresh tokens for that account. Because no fake login page is involved, URL scanning and MFA alone do not stop it; a conditional access policy that blocks the device code flow does.
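Blocking the device code flow tenant-wide is the control that actually neutralises the Storm-2372 lure, and it is cheap to stage safely. The script below is an added example, not code from the original article or from Fusion Computing; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules, Conditional Access and sign-in log permissions, that your tenant exposes the `authenticationFlows` condition on conditional access policies, and a break-glass account whose object ID you substitute for the placeholder. The policy is created in report-only mode, and the helper function lists recent device-code sign-ins so you can confirm nothing legitimate depends on the flow before enforcing.

```powershell
# Added example (not from the original article): a Conditional Access policy
# that blocks the OAuth device code flow, created in report-only mode first,
# plus a sign-in log query to find legitimate device-code use before enforcing.
# Assumes the authenticationFlows CA condition is available in the tenant.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

$BreakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder object ID

$Policy = @{
    displayName = 'CA - Block device code flow'
    state       = 'enabledForReportingButNotEnforced'     # set to 'enabled' after review
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($BreakGlassId)                # never lock out break-glass
        }
        applications        = @{ includeApplications = @('All') }
        authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
"Created '$($created.DisplayName)' in state '$($created.State)' (id $($created.Id))"

# Before enforcing: list sign-ins that used the device code protocol. Shared
# devices, Teams Rooms and some CLI tools use it legitimately; an unknown app
# from an unfamiliar country is the Storm-2372 pattern. Protocol is filtered
# client-side because OData filtering on that property is not assumed here.
function Get-DeviceCodeSignIns {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        Where-Object { $_.AuthenticationProtocol -eq 'deviceCode' } |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IpAddress,
            @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
            @{ n = 'Result';  e = { if ($_.Status.ErrorCode -eq 0) { 'success' } else { $_.Status.FailureReason } } }
}

Get-DeviceCodeSignIns | Format-Table -AutoSize
```

Leave the policy in report-only for one to two weeks, review the report-only results in the sign-in log, then flip `state` to `enabled`. If you genuinely need device code for a shared-device app, scope an exception to that app rather than abandoning the policy.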
What Your MSP Should Configure
Your managed IT provider should have these controls active: Microsoft Defender for Office 365 Safe Links scanning inside Teams messages, Microsoft Defender for Cloud Apps monitoring for impossible-travel sign-ins, a conditional access policy that blocks the device code flow, and automated session revocation when a device falls out of compliance. If your provider hasn’t configured these, they’re leaving a gap you won’t see until it’s too late.
It’s also worth noting that Teams isn’t the only collaboration vector attackers use. They’ll pivot between email, Teams, and even SMS in the same campaign. That’s why infrastructure security and zero trust architecture matter—they don’t treat any single channel as inherently trusted. Your IT strategic plan should treat collaboration platform security as a dedicated line item, not an afterthought.
Guest Access and External Communication: Getting the Balance Right
Guest access in Teams is useful—clients, contractors, and partners need to collaborate. But unrestricted guest access is how data leaks happen. Here’s how to set it up without creating security gaps.
Guest Access Best Practices
- Enable guest access but disable guest ability to create teams, channels, or apps
- Set guest access expiration. Automatic removal uses Entra ID access reviews, which require Entra ID P2 or Microsoft Entra ID Governance (not included in Business Premium); without that licence, run a scripted stale-guest sweep on a schedule. Either way, guests should be removed after 30-90 days of inactivity unless re-approved
- Disable screen sharing for guests by default (enable per-meeting when needed)
- Use container sensitivity labels to keep guests out of confidential teams: a label whose group setting disallows people outside the organization prevents guests from being added to any team that carries it
- Review guest access quarterly—most organizations have dozens of stale guest accounts with active access
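The quarterly review in the last bullet is the control most tenants skip because nobody owns it, and it is exactly the kind of thing that should be a script rather than a calendar reminder. The script below is an added example, not code from the original article or from Fusion Computing; it assumes the Microsoft.Graph.Users module, `User.ReadWrite.All` and `AuditLog.Read.All` permissions, and an Entra ID P1 licence (included in Business Premium), which is what makes the `signInActivity` property available. The 90-day threshold is a placeholder. It lists guests that have not signed in within the window (or never signed in at all), and a second function disables them, with `-WhatIf` support so the first run is a dry run.

```powershell
# Added example (not from the original article): finds guest accounts with no
# sign-in for N days (or never) and optionally disables them pending removal.
# Assumes Entra ID P1 (for signInActivity) and AuditLog.Read.All.
#Requires -Modules Microsoft.Graph.Users

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All'

function Get-StaleGuests {
    param([int]$InactiveDays = 90)   # placeholder threshold
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property 'id,displayName,mail,createdDateTime,accountEnabled,signInActivity' |
    ForEach-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        # A guest who never signed in is judged by invitation age instead:
        # an invitation that sat unused for 90 days should not stay open.
        $reference = if ($last) { $last } else { $_.CreatedDateTime }
        if ($reference -lt $cutoff) {
            [pscustomobject]@{
                Id          = $_.Id
                DisplayName = $_.DisplayName
                Mail        = $_.Mail
                Enabled     = $_.AccountEnabled
                LastSignIn  = if ($last) { $last } else { 'never' }
                Invited     = $_.CreatedDateTime
            }
        }
    }
}

function Disable-StaleGuests {
    # Disable rather than delete on the first pass: a disabled guest keeps its
    # team memberships for the review, a deleted one is purged after 30 days.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$InactiveDays = 90)
    foreach ($g in Get-StaleGuests -InactiveDays $InactiveDays) {
        if ($g.Enabled -and $PSCmdlet.ShouldProcess($g.Mail, "Disable stale guest (last sign-in: $($g.LastSignIn))")) {
            Update-MgUser -UserId $g.Id -AccountEnabled:$false
        }
    }
}

# Dry run first; drop -WhatIf once the list has been reviewed with the
# team owners who invited these guests.
Get-StaleGuests | Sort-Object Invited | Format-Table -AutoSize
Disable-StaleGuests -WhatIf
```

Schedule the report to run monthly and the disable step quarterly; export the report output to the ticket so the review itself is auditable, which is what a PIPEDA accountability question will ask for.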
External Communication Controls
External access (federation) lets your users chat with people at other organizations. This is different from guest access: it’s a persistent communication channel, and federated users never appear in your directory. For most SMBs, the safest approach is to restrict federation to an allow-list of specific domains (clients, partners, vendors) rather than leaving it open to the world, and to block unmanaged consumer Teams accounts outright. If you aren’t sure which domains should be on the list, start with the organizations you’ve actually done business with in the last 12 months; you’ll find it’s a shorter list than you’d expect. Your managed IT provider can pull those domains from your Exchange message trace and Teams audit records (sign-in logs only show your own users) and set up the allow-list in under an hour.
Microsoft Teams and PIPEDA Compliance for Canadian Businesses
Canadian organizations handling personal information must comply with PIPEDA. Microsoft 365 provides the technical controls needed for compliance, but the configuration is your responsibility—not Microsoft’s.
Data Residency
Microsoft stores Canadian customer data at rest in its Toronto and Quebec City data centres (the Azure Canada Central and Canada East regions), according to Microsoft’s compliance documentation. A caveat worth knowing: PIPEDA itself does not prohibit storing personal information outside Canada; it requires you to remain accountable for data you transfer to a third party. Provincial health laws such as Ontario’s PHIPA and Alberta’s HIA, and many client contracts, are stricter about where data lives. Keeping data in Canada makes that analysis considerably simpler.
Key PIPEDA Controls in Teams
| PIPEDA Principle | Teams/M365 Control | License Required |
|---|---|---|
| Safeguards (Principle 7) | Encryption, MFA, conditional access | Business Premium |
| Limiting Use (Principle 5) | DLP policies, sensitivity labels | Business Premium |
| Retention (Principle 5) | Retention policies, eDiscovery (Standard) | Business Premium (eDiscovery (Premium): E5) |
| Accountability (Principle 1) | Audit logs, Compliance Manager | Business Premium |
| Access (Principle 9) | Content search, subject access requests | Business Premium |
For most Canadian SMBs under 300 users, Microsoft 365 Business Premium at $22 CAD/user/month provides sufficient controls for PIPEDA compliance. Organizations in healthcare (PHIPA) or finance (OSFI) may need E5 for Audit (Premium), eDiscovery (Premium), and insider risk management.
Which Microsoft 365 License Gets You What Security Features?
This is where most SMBs get confused. Not every M365 license includes the same Teams security features. Here’s what you actually get at each tier:
| Feature | Business Basic | Business Premium | E3/E5 |
|---|---|---|---|
| Teams chat + meetings | Yes | Yes | Yes |
| MFA + security defaults | Yes | Yes | Yes |
| Conditional access | No | Yes | Yes |
| Intune MDM/MAM | No | Yes | Yes |
| DLP for Teams | No | Basic | Advanced |
| Defender for Office 365 | No | Plan 1 | E3: add-on only; E5: Plan 2 |
| Sensitivity labels | No | Yes | Yes |
| eDiscovery (Standard) | No | Yes | Yes |
| eDiscovery (Premium) + Audit (Premium) | No | No | E5 only |
| Insider risk management | No | No | E5 only |
Bottom line: If you’re on Business Basic, you don’t have conditional access, DLP, or Defender, which means most of the hardening checklist above can’t be implemented. Business Premium is the minimum viable security tier for any organization that handles sensitive data. Note that plain Microsoft 365 E3 does not include Defender for Office 365 at all, so an E3 tenant without the add-on has weaker Teams link protection than Business Premium. Licensing entitlements change; check Microsoft’s Purview and Defender licensing guidance for your exact SKU before promising a client a control.
Is Your Microsoft Teams Environment Secure? A Quick Self-Check
- Is MFA enforced on every account that accesses Teams? (If no, fix this today.)
- Can external users message your employees in Teams? (If yes and unrestricted, you’re exposed to phishing.)
- Are third-party file storage providers (Dropbox, Box) disabled inside Teams? (If no, data’s leaking to unmanaged storage.)
- Do you have DLP policies active on Teams chat and channels? (If no, sensitive data can be shared freely.)
- Are guest accounts reviewed and expired quarterly? (If no, stale guests have active access.)
- Can anonymous users join meetings without the lobby? (If yes, anyone can eavesdrop.)
- Have employees been trained on Teams-specific phishing? (If no, they won’t recognize vishing attacks.)
- Are Teams audit logs streaming to a SIEM or monitored by your MSP? (If no, you won’t know when something goes wrong.)
Score: 6+ “no” answers means your Teams environment needs immediate hardening. 3–5 means you’ve got partial coverage with gaps. 0–2 means you’re ahead of most Canadian SMBs—but verify with a formal cybersecurity assessment.
Fusion Computing secures Microsoft Teams environments for Canadian businesses across Toronto and the GTA, Hamilton, and Metro Vancouver. We handle the conditional access policies, DLP configuration, guest access controls, and ongoing monitoring so your team can collaborate without creating security gaps.
Related Resources
- Cybersecurity Services for Canadian Businesses
- Multi-Factor Authentication for Business
- Mobile Device Management: The Complete MDM Guide
- Data Security vs Compliance: What Businesses Get Wrong
- PIPEDA Compliance for Canadian Small Businesses
- Copilot vs ChatGPT vs Claude for Business
- Cyber Insurance Checklist for Canadian Businesses
- Cybersecurity Awareness Training for Small Business
Frequently Asked Questions
Is Microsoft Teams secure for business use?
Microsoft Teams is secure by design—it uses encryption in transit and at rest, integrates with Entra ID for identity management, and supports conditional access policies. However, many security features require manual configuration in the Teams Admin Center. Out-of-the-box Teams is usable but not hardened. The 10-point checklist in this guide covers the settings most organizations miss.
What are the biggest security risks in Microsoft Teams?
The top risks are external message phishing (attackers sending chat messages posing as vendors or IT support), uncontrolled guest access (stale guest accounts with file access), and meeting hijacking (unauthorized attendees bypassing the lobby). In 2025, Microsoft documented nation-state groups using fake Teams meeting invites for credential theft.
How do I prevent phishing attacks in Microsoft Teams?
Restrict external messaging to an allow-list of trusted domains, enable Microsoft Defender for Office 365 Safe Links scanning inside Teams, configure meeting lobby controls to block anonymous users, and train employees on Teams-specific vishing attacks. The January 2026 default protections block weaponizable file types and malicious URLs automatically.
Does Microsoft Teams comply with PIPEDA?
Microsoft 365 provides the technical controls needed for PIPEDA compliance, including encryption, access controls, DLP, and audit logging. Microsoft stores Canadian data at rest in Toronto and Quebec City data centres, which simplifies the cross-border accountability analysis PIPEDA requires (PIPEDA itself does not mandate in-country storage). Compliance responsibility lies with your organization: you need to configure the controls, not just purchase the license.
Which Microsoft 365 license do I need for Teams security?
Microsoft 365 Business Premium ($22 CAD/user/month) is the minimum tier for meaningful Teams security. It includes conditional access, Intune MDM, basic DLP, Defender for Office 365 Plan 1, sensitivity labels, and eDiscovery (Standard). Business Basic lacks these controls. E5 adds Audit (Premium), eDiscovery (Premium), Defender for Office 365 Plan 2, and insider risk management for regulated industries; plain E3 does not include Defender for Office 365 without an add-on.
How do I secure guest access in Microsoft Teams?
Enable guest access but restrict guest permissions: disable channel creation, channel deletion, and message editing or deletion, and keep screen sharing off by default. Expire guests after 30-90 days of inactivity, using Entra ID access reviews if you have Entra ID P2 or a scheduled stale-guest script if you don’t. Use container sensitivity labels to block guests from being added to confidential teams. Review guest accounts quarterly to remove stale access.
Should I disable the “Chat with Anyone” feature in Teams?
For most businesses, yes—or at minimum restrict it. The “Chat with Anyone” feature, rolled out globally in January 2026, lets external users message employees using just an email address. Security researchers have flagged it as a phishing vector. If your organization doesn’t need ad-hoc external chat, disable it and use guest invitations or federated domains instead.
About the Author
Mike Pearlstein is CEO of Fusion Computing and holds the CISSP, the gold standard in cybersecurity certification. He has led Fusion’s managed IT and cybersecurity practice since 2012, serving Canadian businesses across Toronto, Hamilton, and Metro Vancouver.
External Sources:
- Microsoft Security Blog: Disrupting Threats Targeting Microsoft Teams (2025)
- Check Point Research: Microsoft Teams Impersonation Vulnerabilities (2025)
- Microsoft DART: Teams Voice Phishing Campaign (2026)
- Cybersecurity News: Teams Messaging Safety Defaults (2026)
- UC Today: 2026 Security and Compliance Shifts
- Microsoft: Canada Privacy Laws Compliance (Azure)
- DemandSage: Microsoft Teams Statistics (2026)
- Rocket.Chat: Secure Collaboration Strategies (2025)
- CyberPress: Teams “Chat with Anyone” Security Concerns

