Microsoft Teams Flags Brand Impersonation Calls Starting Mid-May

Microsoft is pushing a defensive layer into Teams Calling that flags suspicious external calls before the user picks up. The feature, called Brand Impersonation Protection, begins its production rollout in mid-May 2026 and should land across all eligible tenants by the end of the month.

The protection runs automatically. It is on by default. No admin toggle, no policy edit, no licensing add-on. Teams analyzes inbound external calls and surfaces a high-risk warning card if the caller shows the behavioral signatures of a brand impersonator. Users can still answer, but they answer informed.

Inside the Warning System That Pops Up Before You Pick Up

The new protection sits at the call-routing layer inside the Teams client, between the inbound ring and the answer button. Microsoft’s Defender for Office 365 announcement on impersonation-call defense describes the system as evaluating signals from the calling identity, the tenant configuration of the source, and behavior patterns tied to prior impersonation campaigns.

When the system flags a call, the Teams ring screen carries a red banner and a clear label warning the user the caller may not be who they claim to be. The warning persists even after the user answers, with a follow-up prompt offering the option to block the contact, end the call, or report the incident to admins.

What you will see when a call gets flagged:

• A bold red high-risk warning on the ring screen
• The caller name labeled as suspicious rather than trusted
• A persistent warning bar during the call if signals continue
• An in-call option to end the call and report the contact

Why Calls Became The New Phishing Channel

Threat actors used to live in the Teams chat panel. They sent guest invites with finance-themed names, dropped malicious attachments, and pushed users to dial fake support numbers. That playbook now trips Microsoft’s existing message-side filters, so attackers shifted upstream.

They moved to the ring tone. Voice-based social engineering, called vishing, climbed to the number two initial-access vector across all incident categories tracked in 2025. In cloud-only compromises, it was the single most common entry point at 23 percent of cases.

A live voice creates urgency a chat thread cannot match. Attackers posing as IT support lean on tone, accent, vocabulary, and time pressure to get the victim to grant remote desktop access through Quick Assist or read out a multi-factor code. Microsoft’s DART playbook on cross-tenant helpdesk impersonation documents the exact sequence: email bombing, then a soothing call from the fake helpdesk, then session hijacking inside minutes.

Teams is the obvious medium. The platform handles a normal daily diet of cold calls from vendors, prospects, and partners across more than 320 million monthly active users. A Teams ring carries an implicit trust the public phone network lost a decade ago. That trust is exactly what attackers monetize.

The 72 Percent Hit Rate Driving The Push

The number that ran inside Redmond’s security planning meetings is 72. That is the success rate eSentire attributed to Teams-based vishing intrusions in its 2026 Annual Cyber Threat Report, with attack volume up sharply between 2024 and 2025. Three out of every four targeted users said yes to the fake helpdesk.

The same report logged that most malicious Teams messages now originate from bulletproof hosting providers, with single IP addresses observed targeting multiple organizations at the same time. The attack stack is industrialized.

• 72 percent: success rate of Teams vishing intrusions in eSentire’s 2026 report
• 23 percent: share of cloud compromises in 2025 starting through a Teams or voice channel
• 12,000: malicious billing-themed invites Check Point traced to one campaign last year
• 320 million: monthly active Teams users now sitting behind the new warning layer

How The Check Point Campaign Set The Stage

Check Point researchers documented an active campaign earlier this year that funneled targets straight from a Teams guest invite into a phone call. Attackers created tenants with finance-themed names like “Subscription Auto-Pay Notice (Invoice ID: 2025_614632PPOT_SAG Amount 629.98 USD)” and routed the bait through Microsoft’s own mail infrastructure, which made spam filtering harder.

The Check Point email security write-up on the 12,000-email Teams campaign traced more than 12,000 fraudulent invitations sent to over 6,000 users across roughly 100 organizations. Manufacturing, engineering and construction took 27 percent of the volume. Education was the next biggest target at one in eight messages, followed by professional services at 11 percent and finance at 7 percent.

The team name is the lure. Once the victim calls the listed support line, the threat actor owns the conversation, and the brand being impersonated has no defensive surface left inside that call.

That is the gap Brand Impersonation Protection tries to close. It moves the defensive surface back into the Teams client itself, so even when the lure works, the call gets flagged the moment the ring starts.

What Tenant Admins Should Configure This Month

The feature is on by default, but admins still have work to do. Helpdesk staff need to be briefed before users start seeing red banners, because the first wave of warnings will generate confused tickets. Microsoft logged the rollout under change identifier MC1219793 in its Message Center, with most tenants seeing completion before May 31, 2026. Microsoft’s DART case study on a Teams support-call compromise shows what happens when the briefing does not get done in time.

Steps worth taking before the warnings appear:

1. Brief the helpdesk on the new red banner and what users should do when they see it
2. Confirm allowlists for trusted external partners so legitimate vendor calls do not trip the filter
3. Refresh Quick Assist policy, since fake helpdesk sessions remain the most common follow-on once a target answers

For security teams already burned by supply chain compromises arriving through trusted installers, the Teams call vector is the same problem in a different wrapper. Trust in the channel is the attack surface. Removing that trust before the conversation starts is the only defense that scales.

Frequently Asked Questions

Will The New Teams Call Warning Block Legitimate Vendors I Work With?

No. The warning is informational and does not stop the call from connecting. If a vendor you trust shows up flagged, you can still answer and keep talking. Ask your admin to add the contact to the tenant allowlist to suppress future flags. Microsoft says false positives should drop over the first two weeks as the model accumulates per-tenant signal data.

Do I Need A Specific Teams License To Get This Protection?

Yes, but it is included with the standard Teams license at no added cost. Microsoft has confirmed the feature ships across Microsoft 365 Business and enterprise SKUs and does not require a Defender for Office 365 add-on. There is no separate toggle. If your tenant gets Teams updates through the standard channel, the warning system arrives during the May 2026 rollout window automatically.

How Do I Report A Suspected Impersonation Call I Already Answered?

Use the in-call menu to end the call and report the contact, which sends signal data back to Microsoft and your tenant admin in one step. If you missed that window, forward the meeting invite or call log to your security team with the timestamp. For active credential exposure, change your password and revoke sessions through myaccount.microsoft.com before anything else.

Does This Stop Attackers Who Use Spoofed Caller ID Through Phone Networks?

Partly. The protection works best on calls placed inside Teams, including federated tenants and Teams-to-PSTN bridges. Pure spoofed PSTN calls hitting a Teams Phone number still rely on STIR/SHAKEN attestation, which the warning system reads as one signal but not the only one. For high-risk roles, pair Brand Impersonation Protection with carrier-side anti-spoofing controls.

The next wave of social engineering will not arrive through email. It will ring, on a platform employees trust because they use it forty hours a week. Whether the warning works depends on a number Microsoft cannot publish yet: how many users actually slow down when they see a red banner before clicking accept.

Disclaimer: This article covers a publicly announced Microsoft Teams security feature and recommended administrator actions. The information is for general awareness and does not replace formal incident response procedures. Tenant administrators should validate the rollout in a controlled environment before company-wide enablement, brief end users on the new warnings, and consult their security operations team for configuration specific to their environment. Details are accurate as of May 6, 2026 and may change as Microsoft updates the rollout.