Cloud email security has become pretty good. Not perfect, obviously, because the attack landscape is forever changing. But good enough that the old tactics do not land with the same success rate they once did. Filters are sharper. Detection is better. Users are smarter.
So criminals, being criminals and not entirely stupid, look elsewhere. Attackers do not develop emotional loyalty to a channel. They are not sat there nostalgically insisting that if phishing is going to be done, it ought to be done properly and via email like in the good old days. They go where the people are, and more importantly, where the people are less guarded.
Which brings us to collaboration platforms such as Teams which look to be overtaking email as many people’s preferred method of communication. It can be quick, convenient, and to the point, without any of the “I hope this email finds you well” filler.
However, while people have been trained over the years to be cautious of emails, Teams and other similar channels have an informal trustworthy feel about them. Which is exactly what criminals are increasingly seeking to take advantage of. A Teams message just appears in a high-paced workspace they use all the time, and it feels internal … even when it’s not.
Microsoft Teams external access has made collaboration easier across organisations, which has many benefits. But in doing so, it has also created a new avenue for attackers because it expands who can reach your users and how those interactions show up.
The default setting for Teams external access allows all external domains, meaning users can chat and meet with people outside the organisation, assuming the other side also has external access enabled.
If email has become harder to exploit, the sensible thing for an attacker is to move to the place where trust is higher and defences are often less mature. It is the digital equivalent of discovering the front door now has a camera, a deadbolt, and a suspicious dog, so instead you wander round the back and try the patio doors.
The thinking though shouldn’t be restricted just to Teams, that just happens to be the current example of a much broader issue.
Security teams have historically organised themselves around channels. Email, web, endpoint, network, etc. A simple label and clear budget. But attackers don’t care about labels or budgets. They care about people, processes, workflows and moments of trust. If a finance employee is just as likely to respond to a convincing message in chat as they are in email, then from the attacker’s point of view those are not separate problems. They are simply two doors into the same house.
That means organisations need to think less in terms of protecting apps and more in terms of protecting interactions. Where are employees communicating? Which channels feel trusted? What happens when someone external appears? How easy is it for a user to verify identity, report something suspicious, or pause a conversation before doing something regrettable?
These are not just technical questions. They are questions about human behaviour, platform design, and whether we have a culture that supports people in their security journey.
The reason collaboration security matters is because work has changed. People now operate across inboxes, chats, shared docs, calls, AI assistants, and whatever other platforms appeared after somebody said they wanted to improve productivity. Trust has spread across all of them. So risk has too.
This is why the conversation needs to evolve. Not away from email security, but beyond it. If criminals are adapting to where people work, then security needs to adapt to how people work. That means visibility across channels, consistent reporting mechanisms, thoughtful configuration of external access, and user education that is relevant to them, their roles, and the threats they face.
—
Javvad Malik is Lead CISO Advisor at KnowBe4 and suspects most modern attack surfaces were created by people who have never had to explain an incident to a board at 7 a.m.
