KnowBe4 announced in a July 2026 company blog post that its Defend product can now monitor and automatically remediate phishing threats arriving through external Microsoft Teams chats. The move signals a shift in the phishing defense industry, acknowledging that attackers have moved beyond email and are exploiting the trusted collaboration channels that knowledge workers use every day.

KnowBe4 Takes Aim at Teams-Based Phishing

The extension means KnowBe4’s AI-driven detection engine now inspects text, links, and files sent by external contacts in Teams chat conversations. When a malicious message is identified, Defend can quarantine it, alert the targeted user, and notify the security team—all within the Teams interface. According to the announcement, the capability is designed to combat what KnowBe4 describes as a growing wave of “email to chat attacks,” where a threat actor first establishes trust via email and then pivots to a more lightly defended chat platform to deliver payloads or harvest credentials.

For IT administrators, the integration adds a new context-aware policy layer. Defend already provided inline phishing detection in email, SharePoint, and OneDrive, but Teams chat from external domains had been a blind spot. The update fills that gap without requiring a separate console or agent. KnowBe4 says the feature works natively with Microsoft 365’s Graph API, meaning it can pull message content, sender metadata, and even file attachments in real time.

The New Defenses at a Glance

Key capabilities, as detailed by KnowBe4:

  • Real-time scanning of one-on-one and group chats involving an external participant, including guest accounts and federated organizations.
  • Automated remediation actions such as quarantining a malicious link, deleting a dangerous file, or blocking the sender’s domain.
  • User prompting via an adaptive banner that warns a recipient a chat is suspicious and advises against clicking or replying.
  • Integration with KnowBe4’s training modules: if a user interacts with a simulated Teams phishing message, Defend can automatically enrol them in just-in-time training.

For admins, the feature appears in the “Defend Guard” policy builder, where they can set thresholds for automated actions or opt for manual review for certain message classes. A welcome addition is the ability to exclude specific partner domains—useful for organizations that frequently collaborate with trusted external teams.

Who Stands to Benefit

The update affects various user groups differently.

For everyday Windows users — those working in organizations that have licensed KnowBe4 Defend — the protection is largely silent. There’s nothing to install: it works inside the Teams client on Windows, Mac, mobile, and the web. Users may see a notice if a chat is flagged, but otherwise the experience is unchanged. However, if your employer uses KnowBe4, you might receive simulated phishing attempts over Teams as part of your organization’s security training program. Those will be clearly labeled after the interaction.

For IT and security admins, the addition closes a significant visibility gap. Teams has become a primary collaboration tool, and external chat allows anyone with a Microsoft account to message your users unless external access is disabled entirely. Until now, defenders often relied on user reporting and hoped that link-scanning from Safe Links extended to Teams (it does, but only for URLs clicked inside the app, not for direct file shares or credential-harvest messages). With Defend monitoring the chat stream itself, admins gain a centralized remediation workflow that complements Microsoft Defender for Office 365.

For power users and developers, the change introduces a note of caution. Automated scanning of chat content means even benign messages from external partners might occasionally trigger a false positive. If you’re sharing code snippets, URLs, or files with an external collaborator, there’s a small chance a message could be quarantined. KnowBe4’s announcement mentions admin-configured exception lists, so power users might want to request that trusted external domains be whitelisted.

The Road to Chat-Borne Phishing

The challenge isn’t new, but it’s accelerated. Microsoft Teams surpassed 320 million monthly active users in 2024, and external federation is on by default for most tenants. Threat actors have taken note: the FBI’s Internet Crime Complaint Center reported a 27% year-over-year increase in business email compromise (BEC) attacks that involved a secondary communication channel. Often, that channel is Teams or Slack. In a typical “multi-stage” attack, a compromised email account is used to lure a target into a Teams conversation, where the attacker drops a malicious SharePoint link or a voice-note lure pointing to a credential-harvesting page.

Microsoft has responded with its own controls. In 2023, it introduced Teams-specific phishing alerts in Microsoft 365 Defender, and in early 2025, it enabled chat-based isolation for compromised users. However, these native features are only available in the highest-tier E5 and Microsoft 365 Defender for Office 365 Plan 2 subscriptions. Many mid-market and smaller organizations rely on third-party tools for holistic coverage.

KnowBe4 is not the first vendor to extend into Teams. Guardz and Avanan (now part of Check Point) have offered Teams API scanning for some time. But KnowBe4’s move is notable because of its installed base: the company claims over 65,000 customers, many of whom already use PhishER for email incident response. Extending that familiar orchestration layer to Teams reduces the learning curve and operational overhead.

Securing Your Teams Environment Now

If your organization is a KnowBe4 Defend subscriber, here’s a practical checklist:

  1. Verify your Defend license tier. The Teams monitoring feature appears in the “Defend Plus” and higher bundles, according to the blog post. If you’re on the base Defend plan, you may need to upgrade.
  2. Check your Microsoft 365 API permissions. Defend requires Chat.Read.All and Files.Read.All Graph API scopes, along with the ability to write quarantine records. Admins should confirm these are granted in the Azure AD enterprise application.
  3. Review your external access policies in Teams. The feature works only for chats involving external users. If your tenant has restricted external domains, the benefit is narrower. Consider whether you need to expand monitoring to all external interactions or only to specific partner organizations.
  4. Run a simulation. KnowBe4’s integration with its simulated phishing platform means you can send benign test messages to verify that alerts fire and that automated actions behave as expected. Do this before turning on aggressive auto-quarantine.
  5. Communicate the change to users. Even though the protection is transparent, users should understand that Teams chats with outsiders might be flagged and that reporting suspicious messages via the built-in “Report Phishing” button remains best practice.

For organizations not using KnowBe4, the announcement is a reminder to audit Teams external access settings. Many admins are unaware that external access allows anyone with a Microsoft account—including consumer accounts—to initiate a chat with their users. Microsoft’s default settings permit this unless an admin explicitly restricts it under the Teams Admin Center’s “External access” menu. As a stopgap, consider enabling the “External access with allowed domains only” policy, which limits unsolicited messages to a curated list.

What Comes Next

KnowBe4’s blog post hints that further collaboration application integrations are on the roadmap, with Slack mentioned as a likely candidate. Meanwhile, Microsoft is expected to tighten Teams’ native phishing controls in the next Windows 11 feature update, particularly around file sharing from unverified external senders. The cat-and-mouse game between defenders and attackers will only intensify as generative AI makes it easier to craft convincing, context-aware lures that slip past keyword-based filters. For Windows shops, the advice remains: trust but verify—and ensure your security stack can see the threats hiding in plain sight inside the apps your people use every hour of the workday.