Security

Microsoft 365’s New Security Features for 2026: What Changed

March 29, 2026

The Security Upgrade You Didn’t Know You Got

Microsoft quietly rolled out some major security upgrades to Business Basic and Standard plans in early 2026. If you’re running M365 for your business, you just got features that used to cost hundreds of dollars more per user—but there’s a catch: they’re not turned on by default. Here’s what changed, why it matters, and what you should do about it.

The Backstory: Why Microsoft Made This Move

The 2025 security landscape was brutal for small and medium businesses. Phishing attacks evolved faster than traditional defenses could keep up. QR code phishing campaigns surged, domain spoofing became more sophisticated, and compromised account attacks skyrocketed. Security researchers documented a 340% increase in credential phishing targeting Microsoft 365 users specifically.

Microsoft faced mounting pressure from businesses stuck in the middle: “We’re getting hit hard, and Business Basic doesn’t protect us enough. But we’re not big enough to justify Premium pricing.” The criticism was fair. Small businesses were told to “move to the cloud for better security,” but then discovered that meaningful protection required premium licensing most couldn’t afford.

Microsoft’s response: push Premium-level protections down-market. This isn’t purely altruistic—they realized that every compromised SMB account becomes a potential vector for attacking larger enterprise customers. A compromised vendor account can pivot into a supply chain attack. Protecting the base tier protects the entire ecosystem.

What Actually Changed

URL Protection Comes to Business Basic and Standard

The biggest change is Safe Links URL protection, which was previously locked behind the Business Premium paywall. This feature scans every link in your emails in real-time, checking them against Microsoft’s global threat intelligence database before you can click through. If you click a link to a legitimate-looking site that was compromised yesterday, Safe Links catches it at the moment of click and blocks access.

This matters more than it might sound on paper. Traditional email filters work at delivery time—they scan the email when it arrives and make an allow/block decision. But attackers have adapted. They register brand-new domains that have no reputation history, or they compromise legitimate websites hours after the email passes through filters. By the time you click the link, the threat is active but your email filter has moved on to the next message.

URL protection operates at click-time, not delivery-time. That’s the difference between “we blocked 90% of phishing emails in your inbox” and “we blocked the dangerous one that made it through.” It’s a fundamentally different approach to defense, and it used to require Premium licensing. Now it’s available to everyone.

Smarter Impersonation Detection

Microsoft also upgraded their anti-phishing engine’s ability to catch display name impersonation attacks. Attackers love this trick: register a free Gmail or Outlook account using your CEO’s name as the display name—“David Smith <notactuallyDavid@gmail.com>”—and rely on most email clients showing only “David Smith” while hiding the actual address in the background.

The new impersonation detection system compares display names in incoming emails against your organization’s directory and user mailboxes. If someone external is using a name that matches one of your employees or common business contacts, it flags the message with a warning banner. The system also analyzes domain similarity—catching “castler0cksky.com” (with a zero instead of ‘o’) or “castlerocksky.co” variations.

It’s not perfect. False positives happen when you have employees with common names, or when legitimate external partners happen to share a name with internal staff. But it catches tricks that used to sail right through, and the warning banners give users that critical moment to pause and think before clicking.
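To make the two checks described above concrete, here is a small PowerShell illustration of the idea: an external sender whose display name matches an internal user, and a sender domain that is a homoglyph, typo or alternate-TLD lookalike of a protected domain. This is an added example written for this post, not Microsoft’s detection engine and not code from the original article; the directory, protected domains and sample messages are constructed, and the thresholds (one character of edit distance, a short substitution table) are assumptions chosen for illustration. The last sample shows the false positive the paragraph above warns about: a legitimate partner who shares an employee’s name.

```powershell
# Added example: simplified impersonation and lookalike-domain checks.
# Constructed data; not Microsoft's algorithm.

# Hypothetical internal directory (display name -> primary domain) and protected domains.
$Directory = @{
    'David Smith' = 'castlerocksky.com'
    'Maria Lopez' = 'castlerocksky.com'
}
$ProtectedDomains = @('castlerocksky.com')

# Common character substitutions seen in lookalike domains (assumed, illustrative list).
$Homoglyphs = @{ '0' = 'o'; '1' = 'l'; '3' = 'e'; '5' = 's'; '4' = 'a'; 'rn' = 'm'; 'vv' = 'w' }

function Normalize-Domain {
    param([string]$Domain)
    $d = $Domain.ToLowerInvariant()
    foreach ($k in $Homoglyphs.Keys) { $d = $d.Replace($k, $Homoglyphs[$k]) }
    return $d
}

# Levenshtein edit distance, used to catch single-character typo domains.
function Get-EditDistance {
    param([string]$A, [string]$B)
    $d = [int[,]]::new($A.Length + 1, $B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$A.Length, $B.Length]
}

function Test-SenderImpersonation {
    param([string]$DisplayName, [string]$Address)
    $findings = @()
    $senderDomain = ($Address -split '@')[-1].ToLowerInvariant()
    if ($ProtectedDomains -contains $senderDomain) { return $findings }   # internal sender: nothing to flag

    # Check 1: external sender using a display name that matches an internal user.
    if ($Directory.ContainsKey($DisplayName)) {
        $findings += "display name '$DisplayName' matches an internal user but sender is external ($senderDomain)"
    }

    # Check 2: sender domain resembles a protected domain.
    $norm = Normalize-Domain $senderDomain
    $senderLabel, $senderTld = $norm -split '\.', 2
    foreach ($p in $ProtectedDomains) {
        $pLabel, $pTld = $p -split '\.', 2
        if ($norm -eq $p) {
            $findings += "domain '$senderDomain' normalizes to protected domain '$p' (character substitution)"
        } elseif ($senderLabel -eq $pLabel) {
            $findings += "domain '$senderDomain' is '$p' under a different TLD (.$senderTld vs .$pTld)"
        } elseif ((Get-EditDistance $senderLabel $pLabel) -le 1) {
            $findings += "domain '$senderDomain' is within one edit of '$p' (typo lookalike)"
        }
    }
    return $findings
}

# Constructed sample senders: the cases from the article plus one legitimate partner.
$Samples = @(
    @{ Name = 'David Smith'; Address = 'notactuallyDavid@gmail.com' },        # display-name impersonation
    @{ Name = 'Accounts';    Address = 'billing@castler0cksky.com' },          # zero for 'o'
    @{ Name = 'Accounts';    Address = 'billing@castlerocksky.co' },           # alternate TLD
    @{ Name = 'Maria Lopez'; Address = 'maria.lopez@castlerocksky.com' },      # internal, clean
    @{ Name = 'David Smith'; Address = 'david.smith@partnerfirm.example' }    # legitimate partner: false positive
)
foreach ($s in $Samples) {
    $hits = Test-SenderImpersonation -DisplayName $s.Name -Address $s.Address
    $verdict = if ($hits.Count -gt 0) { 'FLAG' } else { 'ok  ' }
    "$verdict  $($s.Name) <$($s.Address)>"
    foreach ($h in $hits) { "      - $h" }
}
```

The partner sample is flagged on the display-name rule alone, which is exactly the tuning decision the article describes: a real deployment keeps the check but adds that partner’s address or domain to an allow list rather than weakening the rule for everyone.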

Beyond Email: Teams and SharePoint Protection

Safe Links now extends to Teams messages and SharePoint files—a smart move given that more businesses share sensitive information through collaboration tools than traditional email these days. That contract your vendor sent via Teams? The links inside get scanned. That Excel file with “updated payment details” someone shared in SharePoint? Any embedded URLs are checked before you can follow them.

Microsoft is finally acknowledging that phishing doesn’t just happen in Outlook anymore. Attackers follow users wherever they communicate. Expanding URL protection across the entire Microsoft 365 suite closes gaps that attackers were actively exploiting.

What This Means for Your Business

If You’re on Business Basic or Standard

You just got a significant security upgrade at no extra cost. But here’s the important catch: Microsoft doesn’t auto-enable these features. They’re sitting in your tenant right now, dormant, waiting for someone to flip the switches in the admin portal.

Why wouldn’t Microsoft just turn them on automatically? Partly liability—they don’t want to break established workflows or communication patterns without explicit administrator consent. Partly because configuration actually matters. Safe Links can generate false positives if set too aggressively, blocking legitimate links your business relies on. Microsoft wants admins to make conscious choices about policy settings rather than forcing a one-size-fits-all approach.

The practical reality: these features are available now but disabled by default. It takes about 10-15 minutes to configure them properly if you know what you’re doing. It’s worth doing immediately—the next phishing campaign targeting your industry won’t wait for you to get around to it.

If You’re Already on Business Premium

You’ve had most of this protection for a while, but the impersonation detection improvements apply to everyone, including Premium subscribers. This is actually a good opportunity to audit your existing security policies. Many businesses enabled Safe Links when they first migrated to Microsoft 365 but never went back to review the configuration. Microsoft’s recommended settings have evolved based on real-world attack data, and older policies might not reflect current best practices.

Take 15 minutes to review your Threat Policies in the Defender portal. Make sure Safe Links is enabled for Office applications, not just email. Verify that your anti-phishing policies are using the updated impersonation protection settings. Small configuration tweaks can meaningfully improve your security posture.

How to Enable the New Features

Here’s the step-by-step process to enable Safe Links and the updated anti-phishing features:

  1. Sign in to the Microsoft 365 Defender portal at security.microsoft.com using your admin account
  2. Navigate to Email & collaboration > Policies & rules > Threat policies
  3. Under Policies, select Safe Links
  4. Create a new policy or edit the default policy to cover your entire organization
  5. Enable protection for:
    • Email messages
    • Microsoft Teams
    • Office 365 apps (Word, Excel, PowerPoint, etc.)
  6. Set the action to Block malicious links (not just “Warn”)
  7. Enable “Track user clicks” for visibility into what users are clicking
  8. Save and test with your team before considering it fully rolled out

For anti-phishing policies:

  1. In the same Threat policies section, select Anti-phishing
  2. Edit your default policy or create a new one
  3. Under Impersonation, enable protection for users and domains
  4. Add your key executives and commonly impersonated domains to the protected list
  5. Set mailbox intelligence and intelligence-based impersonation protection to On
  6. Configure actions to move suspicious messages to quarantine or junk
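The same configuration can be applied and verified from PowerShell, which is easier to review and repeat than clicking through the portal. The following is an added example for this post (not the article’s own steps and not Microsoft documentation), using cmdlets from the ExchangeOnlineManagement module. It assumes an account with rights to manage threat policies, a tenant licensed for these features as the article describes, and placeholder values for the admin UPN, the organization domain, the policy name, the protected executive and the partner domain, all of which you replace with your own. The built-in anti-phishing policy is named “Office365 AntiPhish Default” in Exchange Online; the Safe Links policy is created here rather than edited.

```powershell
# Added example: Safe Links and anti-phishing settings via ExchangeOnlineManagement.
# Placeholder values below must be replaced with your tenant's own.

# Install-Module ExchangeOnlineManagement   # once, if the module is not installed
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin account

$OrgDomain  = 'contoso.example'        # placeholder: your primary accepted domain
$PolicyName = 'Org-wide Safe Links'    # placeholder policy/rule name

# --- Safe Links (portal steps 3-7) ---
$safeLinks = @{
    Name                     = $PolicyName
    EnableSafeLinksForEmail  = $true    # step 5: email messages
    EnableSafeLinksForTeams  = $true    # step 5: Microsoft Teams
    EnableSafeLinksForOffice = $true    # step 5: Office apps
    ScanUrls                 = $true    # real-time scan at click time
    DeliverMessageAfterScan  = $true
    AllowClickThrough        = $false   # step 6: block, do not let users click through a warning
    TrackClicks              = $true    # step 7: record user clicks for investigation
}
if (-not (Get-SafeLinksPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy @safeLinks
    # The rule scopes the policy; here it covers every recipient in the primary domain (step 4).
    New-SafeLinksRule -Name $PolicyName -SafeLinksPolicy $PolicyName -RecipientDomainIs $OrgDomain
} else {
    $safeLinks.Remove('Name')
    Set-SafeLinksPolicy -Identity $PolicyName @safeLinks
}

# --- Anti-phishing impersonation protection (portal steps 1-6) ---
$antiPhish = @{
    Identity                            = 'Office365 AntiPhish Default'   # built-in default policy (step 2)
    EnableTargetedUserProtection        = $true                           # step 3: users
    TargetedUsersToProtect              = @('Jane Doe;jane.doe@contoso.example')  # step 4, format "DisplayName;Address" (placeholder)
    TargetedUserProtectionAction        = 'Quarantine'                    # step 6
    EnableTargetedDomainsProtection     = $true                           # step 3: domains
    TargetedDomainsToProtect            = @('partnerfirm.example')        # step 4: placeholder partner domain
    TargetedDomainProtectionAction      = 'Quarantine'                    # step 6
    EnableOrganizationDomainsProtection = $true                           # also protect your own accepted domains
    EnableMailboxIntelligence           = $true                           # step 5
    EnableMailboxIntelligenceProtection = $true                           # step 5
    MailboxIntelligenceProtectionAction = 'MoveToJmf'                     # step 6: junk for this softer signal
    EnableSimilarUsersSafetyTips        = $true                           # the warning banners described earlier
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
}
Set-AntiPhishPolicy @antiPhish

# --- Verify what is actually in effect (step 8: check before calling it rolled out) ---
Get-SafeLinksPolicy -Identity $PolicyName |
    Format-List EnableSafeLinksForEmail, EnableSafeLinksForTeams, EnableSafeLinksForOffice,
                AllowClickThrough, TrackClicks, ScanUrls
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Format-List EnableTargetedUserProtection, EnableTargetedDomainsProtection,
                EnableMailboxIntelligenceProtection, TargetedUserProtectionAction,
                MailboxIntelligenceProtectionAction

Disconnect-ExchangeOnline -Confirm:$false
```

Run the two Get- commands again after any portal change; a policy that looks enabled in the portal but reports AllowClickThrough as True or TrackClicks as False is the kind of drift the article’s “regular security reviews” advice is meant to catch.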

Note: If this process feels intimidating or unclear, you’re not alone. Most small businesses don’t have a dedicated security administrator who lives in the Defender portal every day—and that’s completely normal. This is exactly the kind of configuration where a managed IT partner adds real value, ensuring everything is set up correctly without you having to become a Microsoft security expert.

What Else You Should Be Doing

URL protection is genuinely powerful, but it’s not a silver bullet. The best security strategies are layered, with multiple overlapping defenses that cover different attack vectors.

Even with Safe Links fully enabled, user awareness still matters enormously. Attackers are constantly evolving their tactics, and some of the most effective attacks don’t rely on malicious links at all. Social engineering that tricks users into manually typing credentials, or phone-based vishing attacks that convince someone to share an MFA code, completely bypass link-scanning technology.

Multi-factor authentication remains the single most effective security control you can implement. It doesn’t matter how sophisticated the phishing email is if stolen credentials can’t be used without a second factor. If you haven’t enabled MFA for all your users yet, that should be your number one priority before anything else.

Regular security reviews catch configuration drift and misconfigurations before they become problems. Security settings change, new features get added, employees come and go—your configuration from two years ago might not reflect your current needs or risk profile.

Testing your defenses through phishing simulations tells you where your actual weak spots are before real attackers find them. You can have perfect technical controls, but if 40% of your staff clicks simulated phishing emails, you know where to focus training efforts.

The Honest Catch

These new features are genuinely useful and worth enabling. But they do come with operational overhead that’s important to understand going in.

More protection means more alerts, more false positives, and more decisions about what to allow or block. A legitimate marketing email with a dozen tracking links might trigger Safe Links warnings. A partner company that legitimately shares your CEO’s name will generate impersonation alerts. You’ll need to tune policies, create exceptions, and investigate incidents.

Microsoft’s Security & Compliance Center isn’t exactly intuitive—it’s a sprawling interface built for enterprise administrators managing thousands of users, not small business owners juggling five other responsibilities alongside IT. The learning curve is real. You can absolutely manage this yourself with time and patience, but “set it and forget it” fundamentally doesn’t work for security.

Someone needs to monitor the alert queue, tune policies based on actual usage patterns, investigate suspicious activity, and keep up with Microsoft’s frequent changes to the platform. That someone is either you, your IT person, or a managed services partner. All three are valid choices, but it’s important to be realistic about the time commitment involved.

The good news: once initial configuration is done and policies are tuned to your environment, ongoing maintenance is much lighter. The heavy lifting is in the setup and first few weeks of tuning.

The Bottom Line

Microsoft’s decision to extend Premium security features to Business Basic and Standard plans is genuinely significant. Small businesses finally have access to enterprise-grade protections without enterprise-level costs. But the features don’t help if they’re not enabled.

If you’re on Business Basic or Standard, block out 30 minutes this week to enable Safe Links and review your anti-phishing settings. If you’re on Premium, audit your existing configuration to make sure you’re taking advantage of the improved detection capabilities.

And if any of this feels overwhelming or you’re not sure where to start, that’s a completely reasonable reaction. Security is complicated, Microsoft’s tools are powerful but not user-friendly, and nobody expects a small business owner to become a cybersecurity expert overnight.

Need Help With Microsoft 365 Security?

Castle Rock Sky helps businesses across the Denver metro and Front Range get the most out of their Microsoft 365 investment without the enterprise complexity. We can configure these new security features, audit your existing setup, and make sure you’re actually protected—not just technically compliant.

Let’s talk about your Microsoft 365 security