Weaponized File Protection and Malicious URL Protection Rolling Out Now
The best thing about a technology conference is the people you meet. Even though I didn’t particularly like the Microsoft Ignite 2025 conference in San Francisco, I met some very interesting people, including Martina, a program manager from the Teams development group. As with many valuable conversations, the chat was brief but information-rich.
During the conversation, I was mildly chided that I hadn’t covered two recent features she had worked on to protect Teams. Controls to manage the splendidly named Weaponizable file protection and the Malicious URL protection features are in the Messaging Safety section of the Teams admin center (Figure 1).

By default, both features are disabled during the targeted release phase. When the features reach general availability, they will be enabled by default and will apply to both internal and federated chats. After enabling protection, it takes a few hours for Teams clients to respect the new setting.
The announcements for the features are in MC1148540 (Weaponizable file protection, updated 17 November 2025, Microsoft 365 roadmap item 499892) and MC1148539 (Malicious URL protection, last updated 17 November 2025, Microsoft 365 roadmap item 499893). General availability for both is due by the end of November 2025.
Weaponizable File Protection
A weaponizable file is one that can be used by attackers. Think of an executable or zip file that could have some malware lurking within. The protection feature automatically blocks users from sharing files of specific types through chats and channel conversations. The list of blocked file types is:
ace, ani, apk, app, appx, arj, bat, cab, cmd, com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z
Currently, tenants cannot update the list to add or remove blocked file types.
By stopping people sharing suspect files through Teams, the probability of some infectious content finding its way into the tenant is reduced. Protection checks are applied by all Teams clients, including the mobile clients.
The way things work is quite simple. Figure 2 shows several messages in a conversation. The top message occurred before the weaponized file protection took effect, and I was able to send an .msi file to the chat participants. Once the file protection kicked in, Teams began to check the file types (the check happens after the user sends a message) and blocked files. The second message shows what a recipient sees when Teams blocks a message from another participant. The last shows how Teams flags the problem after a user attempts to send a blocked file.

Malicious URL Protection
The second protection checks URLs shared in chats and channel conversations to verify that the links are not potentially harmful. Protection is available in all Teams clients. When a malicious link is detected, Teams automatically displays a warning to both the sender and recipient to help reduce the risk of phishing attacks.
I was less successful testing malicious URL protection. According to the documentation, Teams automatically scans URLs included in messages against threat intelligence databases to identify potentially malicious links. I tried with many of the malicious URLs shared on the URLhaus site but didn’t manage to provoke any warnings (Figure 3).

It’s possible that the intelligence databases used by Teams didn’t pick up the URLs I tested because the URLs had just been added to URLhaus, but then I tried posting the example URL shown in MC1148539, and Teams failed to detect a problem with that link too. I’m sure that this is a temporary glitch.
Update Protection Settings with PowerShell
Unlike other messaging settings which are applied through policies assigned to user accounts, the settings to control weaponized file protection and malicious URL protection are controlled through the Teams messaging tenant-wide configuration. This is probably because it doesn’t make sense to protect some users and not others within a single tenant.
To control the settings with PowerShell, run the Set-CsTeamsMessagingConfiguration cmdlet from the Teams PowerShell module and update the settings for FileTypeCheck (weaponized file protection) and UrlReputationCheck (malicious URL protection). The Get-CsTeamsMessagingConfiguration cmdlet reports the current settings. For example:
Set-CsTeamsMessagingConfiguration -Identity Global -FileTypeCheck Enabled -UrlReputationCheck Enabled

Get-CsTeamsMessagingConfiguration

Identity                          : Global
EnableVideoMessageCaptions        : True
EnableInOrganizationChatControl   : True
CustomEmojis                      : True
Storyline                         : Enabled
MessagingNotes                    : Enabled
FileTypeCheck                     : Enabled
UrlReputationCheck                : Enabled
ContentBasedPhishingCheck         : Disabled
ReportIncorrectSecurityDetections : Disabled
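The following is an added example, not code from the original article or from Microsoft: a drift check that reports whether the two tenant-wide settings described above are enabled and, on request, turns on only the ones that are not. It assumes the MicrosoftTeams module is loaded and Connect-MicrosoftTeams has already been run; the function name Confirm-TeamsMessagingProtection is hypothetical.

```powershell
# Added example: audit and optionally remediate the tenant-wide messaging protections.
# Assumes an existing Connect-MicrosoftTeams session.
# Confirm-TeamsMessagingProtection is a hypothetical helper name, not a Teams cmdlet.
function Confirm-TeamsMessagingProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate
    )

    # The two settings named in the article and the value wanted for each.
    $desired = [ordered]@{
        FileTypeCheck      = 'Enabled'
        UrlReputationCheck = 'Enabled'
    }

    $config = Get-CsTeamsMessagingConfiguration -Identity Global -ErrorAction Stop

    # One row per setting, captured before any change is made.
    $report = foreach ($name in $desired.Keys) {
        [pscustomobject]@{
            Setting   = $name
            Current   = [string]$config.$name
            Desired   = $desired[$name]
            Compliant = ([string]$config.$name -eq $desired[$name])
        }
    }

    $drift = @($report | Where-Object { -not $_.Compliant })
    if ($Remediate -and $drift.Count -gt 0) {
        # Pass only the settings that drifted, leaving everything else untouched.
        $params = @{ Identity = 'Global' }
        foreach ($item in $drift) { $params[$item.Setting] = $item.Desired }

        $action = "Set $($drift.Setting -join ', ') to Enabled"
        if ($PSCmdlet.ShouldProcess('Global messaging configuration', $action)) {
            Set-CsTeamsMessagingConfiguration @params
        }
    }

    $report
}

Confirm-TeamsMessagingProtection                      # report only
Confirm-TeamsMessagingProtection -Remediate -WhatIf   # show what would change
```

The report reflects the state read before remediation, so rerun the function afterward to confirm the change was saved.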
Extra Protection is Goodness
Introducing extra levels of protection within Teams messaging can never be a bad thing. It’s sensible to scan files and URLs shared in messages for problems. No one wants to have malware spread within a tenant by someone sharing a bad file or URL (to up to 50 channels in one action), so these are good changes that all Microsoft 365 tenants should have by early December 2025.