Microsoft Teams is the most widely used workplace collaboration tool out there. It has surpassed 270 million monthly users, and is a popular choice among a majority of the Fortune 500 companies.
However, Teams has experienced a fair share of cyber attacks and phishing scams that have left users and organizations vulnerable. With that said, here are some security precautions you can take to harden Team’s security:
- Implement and train your team on security best practices.
- Require two-factor authentication.
- Manage employee onboarding and offboarding.
- Beware of phishing attempts.
- Use a good antivirus program.
- Use an industry-leading VPN, like NordVPN.
To learn more about how secure Microsoft Teams is, the threats it faces, and the precautions you can take to make it safe to use, read our full article below.
Microsoft Teams is currently the most popular business communication tool in the world. In a call to investors in FY22 Q2, Teams revealed it had 270 million users with over 90% of Fortune 500 companies using Teams Phone. In comparison, Slack reported 20 million users in 2020.
One of the reasons why larger organizations prefer using Microsoft Teams as a collaboration tool is because of its underlying security. In this article, we’re going to take a look at the security steps that Microsoft Teams takes to ensure the safety of user data, and give you our verdict on just how safe it is to use.
How Secure is Microsoft Teams?
In a nutshell, Microsoft Teams is quite secure. The platform uses state-of-the-art encryption and complies with the Trustworthy Computing Initiative.
The initiative was developed by Microsoft to enable the security, reliability, privacy, and business integrity of the computing process.
Teams is designed and developed in compliance with the Microsoft Trustworthy Computing Security Development Lifecycle (SDL), which is a key component of the Trustworthy Computing Initiative.
SDL ensures that Microsoft products are developed with the security and privacy of users in mind. For instance, code is checked for known security threats before it’s submitted to the final product. Here are other ways Teams keeps your data secure.
End-to-end encryption (E2EE)
Teams implements end-to-end encryption for one-on-one calls. E2EE encrypts content (voice, video, and screen-sharing data) when sent to the recipient and only the recipient can decrypt the data. Even Microsoft itself cannot intercept the data being transmitted if it’s end-to-end encrypted.
However, in Teams, both parties in the call need to activate the encryption for it to be applied. Otherwise, Microsoft Teams defaults to securing the call using other industry standards like TLS (Transport Layer Security) and SRTP (Secure Real-Time Transport Protocol).
Azure Active Directory (Azure AD)
Azure AD is a single trusted repository for storing and accessing user accounts in the back end. It provides administrators with the ability to manage end-user identities and access privileges.
Think of it as a directory that stores all information about a user or account. For this reason, it’s Microsoft’s enterprise cloud-based identity and access management (IAM) solution.
Active Directory also allows administrators to manage role permissions and control access to specific applications and resources for individual users.
According to Microsoft, “Azure Active Directory (Azure AD) offers enterprise identity service that provides single sign-on, multifactor authentication, and conditional access to guard against 99.9 percent of cybersecurity attacks.”
Transport Layer Security (TLS)
TLS is responsible for securing the majority of data that is transmitted online. Microsoft Teams employs industry-standard technologies such as TLS to encrypt data while in transit and at rest. This data includes messages, files, meetings, and other content.
TLS uses certificates issued by the Certificate Authority to authenticate a connection between two users. This helps in preventing attacks such as man-in-the-middle attacks whereby threat actors can intercept a connection without both parties’ knowledge and steal personal information while in transit.
Compliance standards
Microsoft also classifies all of its Office 365 products (which includes Teams) into one of four communication compliance categories: A, B, C, and D. Microsoft Teams is Tier D-compliant, which is the highest tier.
This is the highest tier and ensures compliance with the following standards:
- HIPAA
- ISO 27001
- ISO 27018
- SSAE16 SOC 1 and SOC 2
- EU Model Clauses (EUMC)
Finally, Teams is GDPR compliant. It also packs a plethora of modern features such as two-factor authentication and single sign-on (SSO). This allows your accounts to remain secure even when employees are using the app on their devices because security is not reliant on passwords or device security.
How Teams Manages Security Threats
Just like any application that’s used by millions of people, Teams is a big target for cybercriminals. Here’s how Teams handles common security threats.
Man-in-the-middle (MITM) attacks
On Teams, MiTM attacks can occur on media traffic between two parties collaborating over Teams. To avoid this, Teams employs Secure Real-Time Transport Protocol (SRTP) to encrypt the media stream between the two endpoints.
It also employs a proprietary signaling system (Teams Call Signaling protocol) which uses AES-256 and TLS-encrypted UDP or TCP channels to secure cryptographic key negotiations between two endpoints.
Real-time Transport Protocol (RTP) replay attacks
To prevent a replay attack, Microsoft Teams implements SRTP in combination with a secure signaling protocol. It enables the receiver to maintain an index of already received RTP packets and compare each new packet with packets already listed in the index. This prevents tampering with data packets.
Identity spoofing (IP spoofing)
Because Teams uses TLS which encrypts all traffic and authenticates all parties it prevents an attacker from spoofing a connection. Furthermore, Teams authenticates users using certificates hence an attacker would not have valid information to spoof a user in a connection.
Eavesdropping
To encrypt all traffic from the client to Teams data centers, Teams employs TLS and Server to Server (S2S) OAuth for server communications with Microsoft 365. This makes eavesdropping difficult because TLS authenticates all parties and encrypts all traffic.
How Teams Handles Government Requests
In a response to the government’s legal demands for customer data, Microsoft clearly states “Microsoft is obligated to comply with the applicable laws that governments around the world – not just the United States – pass, and this includes responding to legal demands for customer data.”
First, this means Microsoft stores all your data. Second, if compelled by the government – U.S or foreign – Microsoft will hand over the information required by authorities.
Twice a year, Microsoft publishes a report detailing law enforcement requests from around the world. It’s good to note, a subpoena or its local equivalent is required to request non-content data, while a warrant, court order, or its local equivalent, is required for content data.
Here, non-content data refers to basic user information, such as name, physical and email address, user identification number, IP address, login history, and other details. While content data refers to chats, images, videos, and documents a user shares on the platform.
Microsoft is not alone in this hot topic. How technology companies should deal with government requests is a hot and sensitive issue. On one hand, Microsoft wants to keep its users’ data private and confidential.
On the other hand, the company has to adhere to the laws in place in cases of terrorism or other situations that may cause harm to citizens.
What Data Does Microsoft Teams Track and Store?
Compared to other collaboration tools, Microsoft Teams chats, especially private chats are not as private as you might think. In Teams, all chats are accessible by the Global Administrator and other administrators on the platform.
This means anything you share “privately” with another user can be accessed by your boss or the admin in charge of the group.
Moreover, the Teams administrator has access to users’ accounts and can monitor certain keywords in chats when searching for information. In addition, Microsoft 365 implements eDiscovery tools where user chats are stored and continue to be searchable for a minimum of seven years.
Furthermore, administrators (like employers) can track all users’ working activities within Teams, like what exactly they’ve been doing at a given period, by checking the Usage reports.
Microsoft Teams also keeps a log of online meetings, total online time, and even how long you’ve been away from your PC. However, administrators cannot use your mic and webcam to spy on you when you’re not in a video conference.
The Six Ways to Improve Microsoft Teams’ Security
Microsoft Teams takes all precautions to provide organizations with a secure communications platform, but there’s still a risk of users causing a security lapse. Below we discuss measures employers and employees can take to avoid this and tighten Team’s service level security.
1. Train your team on data security best practices
As it should be customary with any digital tool you use in your organization, you should document operational best practices and train your team. These practices should act as a guide for employees as to how they should use these tools safely and avoid common threats like phishing.
In combination with that, Teams lets you configure policies and compliance features your organization can implement to use Microsoft Teams safely:
- Data management policies
- Conditional access policies
- Security features management
- Sensitivity labels
- Data loss prevention (DLP) policies
Data management policies
Sensitive information or files stored in Teams could pose a security risk especially when they no longer serve a purpose and they are just sitting there. To handle this, you can set expiration, archiving, and retention policies for Teams data such as files and messages.
You can set expiration policies for groups so that communications automatically expire. For example, owners of a group could be required to renew their groups otherwise they will be temporarily deleted.
However, the group can be restored by the owners or an administrator within 30 days. A team can also be archived for future reference or reactivation instead of staying active without being used.
Conditional access policies
Conditional access policies refer to pre-set conditions that must be satisfied for a user to access a resource. For example, if a user is attempting to log in, they should first complete a multi-factor authentication.
This is crucial especially when the organization has remote employees or external users. Because Microsoft Teams heavily relies on Exchange Online and Sharepoint. Conditional policies set for these cloud platforms also apply to Teams.
Security features management
Teams accepts blanket policy application to all Teams users or per user depending on your organization’s needs and policies.
You can assign different security features in core productivity functions such as messaging, Teams meetings, calling, and live events to users according to your organization’s preference.
However, it is advisable to have a Teams’ administrator give other users certain capabilities and implement security protocols in general. It helps in accountability and overall management of users and their actions on the app.
Sensitivity labels
Microsoft Information Protection (MIP) sensitivity labels are built into Teams, and add an extra layer of security for your data. Administrators can protect and regulate access to sensitive information created within the app.
For example, a group created with the sensitivity label “Confidential” cannot be accessed by other users who are not part of the group.
Sensitivity labels can be invaluable for protecting against third-party apps, protecting content across multiple platforms and devices, and enforcing protection settings with encryption.
Data loss prevention (DLP) policies
Teams data loss prevention limits the exposure of sensitive information by preventing users from sharing them on Teams channels. For example, if a user attempts to send critical information to a guest, the DLP policy set to prevent this will automatically delete the message in seconds.
These are just a few of the policies you can implement on Teams. You can learn more by diving into Microsoft Teams governance policies.
These governance policies are critical because they determine how data is processed internally, how end-users can use the app, who can create teams, and what information users can access and share.
2. Use two-factor authentication
Two-factor authentication (2FA) offers advanced security for online accounts beyond just a username and password. Once done, the next time you sign in on any device, you’ll be prompted to perform two-factor verification.
Here’s how you can turn on two-factor authentication on Teams:
- Go to your security settings.
- Click “Set up two-step verification” under “Two-step verification.”
- Go through the steps on the screen.
Please note that you must turn the 2FA prompts on for all of your devices at the same time. Unfortunately, you can’t turn the prompts on for only a specific device.
3. Beware of phishing attempts
Recently, Microsoft Teams has become a hotbed for phishing attacks. For instance, if a malicious actor accesses your network’s Microsoft 365 credentials, they can easily get into Teams.
To detect phishing attempts on Teams, there are a few characteristics you can look out for. Generally, phishing messages will betray themselves in the following ways:
- Phishing messages often request you to act urgently, citing an immediate threat.
- They are usually poorly worded, with shoddy grammar and punctuation.
- The domain names (URLs) they use are incorrect and usually designed to resemble reputable sites.
- Messages often include harmful attachments that require you to add credentials to open.
If you come across a message or email you don’t completely trust, don’t open it. Definitely don’t click on any links or attachment in the message, either. For more information, you can check out our full guide to phishing.
4. Use a reputable VPN
Microsoft Teams exploded in popularity when employees were forced to work from home and other remote locations. This came with its challenges mainly because of using unverified and probably insecure connections to access Teams when doing remote and hybrid work. The best way to solve this, is to use a good VPN that protects your connection while you’re working.
With an industry-leading VPN such as NordVPN, data transmitted is secured by state-of-the-art encryption. The data is also transmitted through a secure tunnel and bounced through multiple servers to prevent it from being intercepted. If you’re looking for a good VPN for Teams, NordVPN is the solution.
- Fast and large worldwide network of VPN servers
- Perfect for privacy and streaming
- Trusted by many, with over 14 million users
5. Use a good antivirus program
Despite taking the necessary precautions to guard against cybersecurity threats by implementing security policies, there is the occasional human error that can lead to a system compromise.
The mistake could be in the form of a sophisticated phishing email that tricks an employee to click on a link or download a malicious attachment. After all, as VentureBeat says, “Microsoft Teams is the new frontier for phishing attacks.”
To stop any malicious software from affecting your device and accounts, you’ll need an antivirus program. A reputable corporate antivirus such as Norton 360 will give you the extra layer of protection you need. For example, it will scan all files sent and downloaded over the platform.
Norton360 also offers live-protection meaning it’s actively scanning any incoming connections and files while filtering out anything malicious it encounters. It also protects against computer viruses, spam, social dangers, identity theft, and other online threats. It even comes with its own Norton VPN.
If you’re interested, you can check out Norton’s offer below.
6. Manage employee onboarding and offboarding
Due to how integrated tools such as Teams are in the workplace, it’s important to have a clear and documented process for onboarding new employees to the platform. For example, every file should be scanned before it’s uploaded. Good security awareness training can also help make employees aware of the biggest risks.
The same goes for offboarding. This is critical to prevent employees from being able to access sensitive information after they’ve departed the organization. Make sure you have a good procedure in place, so ex-employees no longer have access to Teams through their (business) Microsoft account.
You can read more about security threats that (ex-)employees might pose, even unknowingly, in our article on insider threats.
Conclusion: Is Microsoft Teams Secure?
Microsoft Teams is no stranger to data breaches. Despite Microsoft’s efforts to secure the app, Teams has been affected a few times in the past.
In addition to phishing scams, in 2021, security researchers discovered a vulnerability in Teams that allowed the attacker to steal sensitive information such as the victim’s emails, Teams messages, and OneDrive files.
In general, 95% of security breaches are blamed on human error. To protect against this in Teams, we advise following the security hardening procedures highlighted in this article:
- Implement and train your team on security best practices.
- Require two-factor authentication.
- Manage employee onboarding and offboarding.
- Beware of phishing attempts.
- Use a good antivirus program like Norton 360.
- Use an industry-leading VPN like NordVPN.
Want to know more about how secure Microsoft Teams is? Check out our FAQ below. If you have a question that hasn’t been answered below, leave a comment and we’ll get back to you as soon as possible.
Microsoft Teams is equipped with cutting-edge security features to keep your data safe. However, like with any app used by millions of people, it will be a target for cybercriminals. And Teams is no exception.
It has faced numerous threats and security researchers have uncovered scores of vulnerabilities. However, Microsoft Teams has so far done a good job at keeping them at bay.
It depends on how your employer set up Microsoft Teams. It’s good to note that Teams allows employers to access a variety of user data. With that, a good rule of thumb is to not talk about anything that could come back and bite you in Teams by assuming your employer can access it.
No. This is because Teams allows employers and administrators to check on their employees and access their data such as chats. With end-to-end encryption this wouldn’t be possible. However, Teams is secure and does allow end-to-end encryption during meetings as long as all users turn it on.
