Summary
Baseline Security Mode centralizes Microsoft’s recommended security standards for Office, SharePoint, Exchange, Teams, and Entra. Rolling out from November 2025 to March 2026, it provides admins with a dashboard to assess and improve security posture using impact reports and risk-based recommendations, with no immediate user impact.

More information
Introduction

Baseline Security Mode is a centralized experience that helps you meet Microsoft’s recommended security standards across Office, SharePoint, Exchange, Teams, and Entra. It leverages Microsoft’s threat intelligence and insights from two decades of Microsoft Response Center cases to strengthen your organization’s security posture and prepare for evolving AI-driven threats.
When this will happen:

Public Preview: Rollout begins mid-November 2025 and completes by late January 2026.
General Availability (Worldwide): Rollout begins mid-November 2025 and completes by late January 2026.
General Availability (GCC): Rollout begins early January 2026 and completes by late January 2026.
General Availability (DoD): Rollout begins early February 2026 and completes by late February 2026.
General Availability (GCCH): Rollout begins early March 2026 and completes by late March 2026.
How this affects your organization:

Who is affected: Global admins and security admins managing Microsoft 365 tenants across Office, SharePoint, Exchange, Teams, and Entra.
What will happen:

A new Baseline Security Mode dashboard will be available in the Microsoft 365 admin center.
Admins can view the tenant’s current security posture compared to Microsoft’s recommended minimum security bar.
Admins can run impact analysis reports to assess changes before applying them.
Recommendations will be grouped by risk level, with statuses such as “At risk” or “Meets standards.”
No immediate user impact unless admins apply changes.
What you can do to prepare:

Navigate to Microsoft 365 admin center > Settings > Org Settings > Security & privacy > Baseline Security Mode.
Review recommendations marked as “At risk.”
Initiate an impact report to understand potential changes.
Apply recommendations to bring your tenant to “Meets standards.”
Communicate upcoming changes to your helpdesk or security teams.

Learn more: Baseline security mode settings | Microsoft Learn

Compliance considerations:

No compliance considerations identified; review as appropriate for your organization.and risk-based recommendations, with no immediate user impact.

ReliaQuest has observed a new Black Basta social engineering campaign targeting users via Microsoft Teams and malicious QR codes.

From July to September, we observed the DarkGate campaign (detected by Trend Micro as TrojanSpy.AutoIt.DARKGATE.AA) abusing instant messaging platforms to deliver a VBA loader script to victims. This script downloaded and executed a second-stage payload consisting of a AutoIT scripting containing the DarkGate malware code. It’s unclear how the originating accounts of the instant messaging applications were compromised, however is hypothesized to be either through leaked credentials available through underground forums or the previous compromise of the parent organization.

While most end users are well-acquainted with the dangers of traditional phishing attacks, such as those delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats could be a phishing vector. Most Teams activity is intra-organizational, but Microsoft enables External Access by default, which allows members of one organization to add users outside the organization to their Teams chats. Perhaps predictably, this feature has provided malicious actors a new avenue by which to exploit untrained or unaware users.

Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM).

Russian state-sponsored hackers posed as technical support staff on Microsoft Teams to compromise dozens of global organizations, including government agencies.

Security researchers have found a bug that could allow attackers to deliver malware directly into employees' Microsoft Teams inbox.

New research shows how third-party apps could be exploited to infiltrate these sensitive workplace tools.

In August 2022, the Vectra Protect team identified an attack path that enables malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in.