Ask any security awareness professional what the most dangerous phrase in enterprise cybersecurity is and they will probably say some version of “we trust that.”
We trust that email comes from who it says it comes from. We trust that the IT helpdesk message in our inbox is legitimate. We trust that the person asking us to reset our password through a familiar channel has a real reason to ask.
That trust is the attack surface. It always has been. And for the past two decades, email security has been the primary discipline built around containing the damage that misplaced trust in digital communication creates: spam filters, phishing detection, attachment sandboxing, impersonation protection, the whole stack of controls that most enterprise email environments now carry as standard.
Microsoft Teams has largely been left outside that protection perimeter. And attackers have been very aware of that gap.
KnowBe4’s Phishing Threat Trends Report Volume 7 documents the consequence: Teams is rapidly emerging as a major target for sophisticated social engineering and phishing attacks. The playbook is not complicated. Attackers impersonate IT helpdesk staff, a role that carries inherent authority and generates reflexive compliance from employees, to steal credentials and carry out domain takeovers. They do it through Teams because employees trust Teams messages the way they used to trust email before years of security awareness training made them appropriately skeptical.
KnowBe4 just launched Messaging Security specifically to close that gap, and the architecture of what they have built reflects a clear-eyed understanding of why the Teams problem is different from the email problem in ways that matter for how you defend against it.
The Default Settings That Are Making This Worse
Before getting into what KnowBe4 built, it is worth being specific about why the Teams attack surface is as wide as it is, because the answer involves a configuration problem that most organizations have not addressed.
Microsoft Teams, by default, allows anyone from outside an organization to connect with employees without domain restrictions. There is no barrier preventing an attacker from reaching out to any employee directly through Teams, presenting as whoever they choose, and initiating the kind of social engineering conversation that credential theft and account compromise require.
In email, organizations have spent years building inbound filtering, sender reputation systems, and domain-based authentication controls that create friction for this kind of impersonation. In Teams, many organizations are running with the equivalent of an open relay: no restrictions on who can contact their employees from outside, no monitoring of what those external contacts are saying, and no visibility into whether inbound Teams messages represent legitimate business communication or active social engineering attempts.
The problem compounds because of the trust context that Teams carries. An employee who has been trained to scrutinize unexpected emails from unknown senders has not been trained (because the tools did not exist to support the training) to apply the same scrutiny to Teams messages. The channel feels internal even when the message is external. The familiar interface creates a trust heuristic that attackers are specifically exploiting.
Greg Kras, KnowBe4’s Chief Product Officer, described what the launch is designed to address: removing the uncertainty from chat interactions so employees can collaborate confidently. That framing is deliberate: the goal is not to make Teams feel like a security checkpoint but to make it as trustworthy as a well-protected email environment, where threats are caught before they reach the employee rather than relying on the employee to catch them.
What KnowBe4 Messaging Security Actually Does
The architecture of the new offering reflects an understanding that Teams security is not just email security applied to a different channel. The attack patterns are similar, but the environment characteristics are different enough that the defensive approach needs to account for them specifically.
External message monitoring provides the foundational capability that most organizations currently have no equivalent of for Teams: visibility into messages coming from outside the organization, analyzed for phishing and social engineering attempts before they generate the employee interaction the attacker is seeking. The monitoring creates an early detection layer at the point where external contact is initiated, catching attempts before they progress to the credential theft or link click that represents successful exploitation.
Posture monitoring is the capability that addresses the default configuration problem directly. Rather than requiring security teams to manually audit Teams settings against a security baseline, the tool scans for dangerous default configurations, specifically the settings that allow unrestricted external access, identifies where those configurations exist, and provides specific remediation steps to close them. For organizations that have been running with open external access settings without realizing the exposure that creates, this is the most immediate risk reduction available.
The humans-on-the-loop approach reflects a pragmatic design philosophy that the KnowBe4 announcement specifically calls out: administrators can run the system in report-only mode to test detection accuracy before enabling automated blocking. That matters because the failure mode that gets security tools disabled (false positives that block legitimate communications and create enough friction that frustrated users and administrators turn the protection off) is specifically what report-only mode is designed to validate against before committing to automated blocking. You get to see what would have been blocked before anything actually gets blocked.
Unified blocklist across email and Teams addresses a fragmentation problem that currently allows a known bad actor to be blocked on email while remaining able to reach employees through Teams. A threat actor or domain that has been identified as malicious and added to email protection blocklists can, in most current environments, simply switch channels and continue their campaign through Teams. The unified list closes that lateral move: if something is blocked in email, it is blocked in Teams simultaneously through the same management interface.
Classification and risk tagging brings the triage workflow that security teams have developed for email (message classification, risk level assignment, quick admin review) to Teams messages. The consistency with the KnowBe4 Inbound Email Security experience is deliberate: security teams who have already built muscle memory for email triage do not need to learn a different system for Teams. The interface and workflow are consistent enough that the same analyst can move between channels without a context switch.
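The report-only mode and unified blocklist described above can be modelled in a few lines. This is an added example, not KnowBe4's code or API: the message fields, channel names, verdict strings and all `.example` senders are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    channel: str    # "email" or "teams" (hypothetical channel names)
    sender: str     # SMTP address or Teams user principal name
    external: bool  # True when the sender is outside the organization

def sender_domain(sender: str) -> str:
    """Lower-cased domain of an address or UPN; "" if there is no '@'."""
    _, sep, domain = sender.strip().rpartition("@")
    return domain.lower().rstrip(".") if sep else ""

def is_blocked(domain: str, blocklist: set) -> bool:
    """True if the domain or one of its parent domains is listed."""
    labels = domain.split(".")
    # For multi-label names, stop before the bare top-level label.
    return any(".".join(labels[i:]) in blocklist
               for i in range(max(1, len(labels) - 1)))

def evaluate(msg: Message, blocklists: dict, report_only: bool) -> str:
    """Verdict for one message: 'deliver', 'would-block' or 'block'."""
    if not msg.external:
        return "deliver"
    listed = is_blocked(sender_domain(msg.sender),
                        blocklists.get(msg.channel, set()))
    if not listed:
        return "deliver"
    # Report-only records the hit but lets the message through for review.
    return "would-block" if report_only else "block"

# Constructed sample data: one domain already blocked from an email campaign.
BAD = {"helpdesk-support.example"}
FRAGMENTED = {"email": BAD, "teams": set()}   # separate per-channel lists
UNIFIED = {"email": BAD, "teams": BAD}        # one list shared by both channels

MESSAGES = [
    Message("email", "it-helpdesk@helpdesk-support.example", True),
    Message("teams", "IT.Helpdesk@login.Helpdesk-Support.example", True),
    Message("teams", "account.manager@supplier.example", True),
    Message("teams", "colleague@corp.example", False),
]

def verdicts(blocklists: dict, report_only: bool) -> list:
    return [evaluate(m, blocklists, report_only) for m in MESSAGES]

if __name__ == "__main__":
    for name, lists in (("fragmented", FRAGMENTED), ("unified", UNIFIED)):
        print(name, verdicts(lists, report_only=True))
```

With per-channel lists the second message, the same sender domain arriving over Teams, is delivered; with the shared list it is flagged, and the legitimate external partner is untouched in both cases.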
The GMMH Validation – What a Real Deployment Tells You
Kevin Orritt, Cyber Security Manager at Greater Manchester Mental Health NHS Foundation Trust, provided a customer perspective that is worth examining for what it reveals about how this kind of layered protection actually functions in practice.
His framing, that one layer is not enough to detect and neutralize the numerous advanced phishing threats targeting day-to-day work, reflects an organisational security posture that most enterprise security leaders recognise. No single control is sufficient. The value of each additional layer is not that it catches everything but that it catches the things the previous layer missed, and that the combination of layers creates enough friction against the attacker’s progression that most campaigns fail before they achieve their objective.
The specific capability Orritt called out, clickable banners that allow employees to continuously develop cybersecurity awareness, connects the detection and blocking function to the security awareness training mission that KnowBe4 was built around. When an employee sees a flagged message with a visible banner explaining why it was flagged, they receive a real-world training moment that is more effective than a simulated phishing test because it involves an actual threat rather than a constructed exercise. The security tool and the awareness training reinforce each other in the same user interaction.
For a healthcare organisation handling sensitive patient information and operating under NHS security requirements, the combination of automated threat detection and continuous employee awareness development addresses two distinct regulatory and operational requirements through a single capability layer, which reflects the practical reality of security investment in constrained-budget environments where tools need to justify their presence against multiple requirements simultaneously.
Why the Unified Console Matters More Than It Sounds
The single unified console that KnowBe4 Messaging Security delivers, managing both email and Teams security from one place, is the kind of feature that sounds like a convenience and is actually a security improvement.
Security teams that manage email protection through one tool and have to manage Teams security through a completely separate tool, with separate blocklists, separate alert queues, separate triage workflows, and separate reporting, are not just working harder than they need to. They are creating the conditions for threats to slip through the gap between the two management domains. A social engineering campaign that is partially detected in email but continues through Teams is not caught by either tool’s monitoring; it is caught only if an analyst who is actively correlating activity across both consoles notices the pattern.
Most security teams do not have the analyst capacity to actively correlate activity across separate tools with separate interfaces in real time. They have alert queues they work through, escalation paths they follow, and monitoring dashboards they check periodically. Threats that require active correlation across separate tool consoles to be identified are threats that rely on analyst bandwidth constraints to succeed.
The unified console removes that dependency. When the same analyst sees email and Teams security state in the same interface, with the same alert format, the same classification system, and the same blocklist, the correlation happens automatically rather than requiring deliberate cross-tool analysis. The campaign that pivots from email to Teams is visible as a unified campaign rather than as two separate lower-confidence signals that might or might not get connected.
The Larger Pattern This Launch Reflects
The KnowBe4 Messaging Security launch is a specific product announcement, but it sits within a broader pattern in the collaboration tool security market that is worth naming directly.
Enterprise communication has shifted. Email remains the dominant channel for formal external business communication, but for internal collaboration, quick decisions, informal coordination, and increasingly for external partner and vendor interaction, platforms like Microsoft Teams carry a significant and growing share of communication volume. The security investment and the threat actor attention have not kept pace with that shift in equal proportions: security investment has largely followed email, while threat actors have increasingly followed the users.
The result is a gap that KnowBe4’s Phishing Threat Trends data is documenting in real time: Teams is becoming a high-value target specifically because its users have not been protected by the same controls that email users take for granted, and because the trust heuristic employees apply to Teams messages makes social engineering attempts through that channel more likely to succeed than equivalent attempts through a well-defended email environment.
Closing that gap requires both the technical controls (monitoring, blocking, posture assessment, unified threat management) and the awareness training integration that teaches employees to apply appropriate skepticism to Teams messages from unknown external contacts the way they have learned to apply it to unexpected emails. KnowBe4’s positioning at the intersection of security awareness training and technical security controls makes their approach to this problem more complete than a pure technology solution would be.
The employees who receive flagged Teams messages with explanatory banners are learning something in that moment about what a social engineering attempt looks like in a channel they previously thought of as safe. That learning is cumulative, and it compounds over time in a way that purely automated blocking, which removes the threat without informing the employee, does not.
Both matter. The unified platform that KnowBe4 has built delivers both simultaneously, which is why the launch is more than a feature addition to an existing product. It is a recognition that the collaboration tool attack surface has matured to the point where it demands the same level of coordinated technical and human defense that email has received for the past two decades.
Research and Intelligence Sources: KnowBe4





