Malicious URL Protection in Microsoft Teams (Preview)

Phishing remains one of the most common and effective attack vectors, and attackers increasingly exploit collaboration platforms like Microsoft Teams. To help reduce this risk, Microsoft has introduced Link Protection in Teams (currently in preview).

This feature automatically scans URLs sent in chats, channels, or meeting conversations, warns senders if they include a suspicious link, and alerts recipients before they click. It’s a valuable new capability — but it is not a replacement for Microsoft Defender Safe Links. Instead, it works best alongside Safe Links as part of a layered defense strategy.

Overview

In August 2025, Salesloft (owner of Drift) disclosed a breach that had been active for several months. The attackers moved step by step across systems: starting in GitHub, pivoting into AWS, and from there harvesting OAuth tokens that provided direct access into Salesforce environments.

With these tokens, they extracted business-critical data and even uncovered additional secrets like AWS keys, Snowflake tokens, and passwords. Several global companies, including Cloudflare, Zscaler, and Palo Alto Networks, confirmed they were affected.

The case highlights a growing risk area: OAuth tokens and third-party integrations that are often overlooked but provide deep access to SaaS platforms.

Introduction

The open-source ecosystem is the beating heart of modern software development. From small web apps to enterprise-scale cloud platforms, packages from repositories like npm power the digital world. But with popularity comes risk — and this month, we saw one of the most significant supply chain attacks in npm’s history.

Attackers compromised widely used npm packages — including chalk and debug — which together account for over 2.6 billion downloads every single week. The fallout is massive: every developer, pipeline, and organization pulling these dependencies could be at risk.

At Griffin31, we see this as more than a one-off breach. It’s a warning about the fragility of software supply chains — and a call to action for CISOs, DevSecOps teams, and every organization that builds on open source.

Overview (Goal)

You may be using Google Workspace for email and collaboration, but prefer Microsoft Entra ID as your identity and security foundation. This post outlines how to:

• Use Entra ID as the IdP for Google Workspace via SAML SSO + SCIM provisioning.

• Apply Conditional Access with Authentication Context for step‑up rules.

• Incorporate Microsoft Defender for Cloud Apps (MDCA) to enforce real‑time, in‑session step‑up authentication for risky actions across any SAML/OIDC app.

CA + AC handles access control at login; MDCA adds dynamic, in–session enforcement. For example, if a user changes IP mid-session or initiates a sensitive download, MDCA can trigger step-up immediately.

Architecture & Licensing

• Identity: Entra ID as IdP; users/groups provisioned to Google via SCIM.

• Access: Conditional Access baseline policies, plus Authentication Context labels like High‑Impact‑Download.

• Session: MDCA operates as a reverse‑proxy via Conditional Access App Control, mediating traffic to enforce real‑time controls.

• Google: Configured to use Entra ID for SSO, optionally paired with Google’s own Context‑Aware Access.

Licence requirements:

• Entra ID Premium P1+

• Microsoft Defender for Cloud Apps