Adversaries may modify blocked Teams domains to bypass network restrictions and exfiltrate data undetected. SOC teams should proactively hunt for this behavior to identify potential lateral movement or data exfiltration attempts within their Azure Sentinel environment.
KQL Query
CloudAppEvents
| where ActionType == "TeamsAdminAction"
| where RawEventData.AdminActionDetail has "Skype.Policy/configurations/TenantFederationSettings/configuration/Global"
| where RawEventData.ModifiedProperties has "BlockedDomains"
| extend ModifiedPropertiesName = RawEventData.ModifiedProperties[0].Name
| extend ModifiedPropertiesNewValue = extract_all(@"Domain=([^,]+)", tostring(RawEventData.ModifiedProperties[0].NewValue))
| extend ModifiedPropertiesOldValue = extract_all(@"Domain=([^,]+)", tostring(RawEventData.ModifiedProperties[0].OldValue))
| extend Action = iff(array_length(ModifiedPropertiesNewValue) > array_length(ModifiedPropertiesOldValue) or isempty(ModifiedPropertiesOldValue), "Domain Added", "Domain Removed")
| extend DomainValue = iff(Action == "Domain Added", set_difference(ModifiedPropertiesNewValue, ModifiedPropertiesOldValue), set_difference(ModifiedPropertiesOldValue,ModifiedPropertiesNewValue))
| mv-expand DomainValue
| mv-apply EP=RawEventData.ExtraProperties on (
where EP.Key == "InitialCaller"
| extend ChangedFrom = iff(EP.Value startswith "80", "TABL", "Teams Admin Centre")
)
| project Timestamp, AccountObjectId, AccountDisplayName, Application, ActionType, Action, ChangedFrom, ModifiedPropertiesName, DomainValue, ModifiedPropertiesNewValue, ModifiedPropertiesOldValue, RawEventData, ReportId
id: 3fb50170-4048-473e-acc0-af9ae186f4a3
name: Changes to Blocked Teams Domains
description: |
This query detects changes to blocked Teams domains.
description-detailed: |
This query detects domains being added or removed from blocked Teams domains displaying a clear audit trail for each domain. The changes could have been done from either TABL or Teams Admin Center.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CloudAppEvents
| where ActionType == "TeamsAdminAction"
| where RawEventData.AdminActionDetail has "Skype.Policy/configurations/TenantFederationSettings/configuration/Global"
| where RawEventData.ModifiedProperties has "BlockedDomains"
| extend ModifiedPropertiesName = RawEventData.ModifiedProperties[0].Name
| extend ModifiedPropertiesNewValue = extract_all(@"Domain=([^,]+)", tostring(RawEventData.ModifiedProperties[0].NewValue))
| extend ModifiedPropertiesOldValue = extract_all(@"Domain=([^,]+)", tostring(RawEventData.ModifiedProperties[0].OldValue))
| extend Action = iff(array_length(ModifiedPropertiesNewValue) > array_length(ModifiedPropertiesOldValue) or isempty(ModifiedPropertiesOldValue), "Domain Added", "Domain Removed")
| extend DomainValue = iff(Action == "Domain Added", set_difference(ModifiedPropertiesNewValue, ModifiedPropertiesOldValue), set_difference(ModifiedPropertiesOldValue,ModifiedPropertiesNewValue))
| mv-expand DomainValue
| mv-apply EP=RawEventData.ExtraProperties on (
where EP.Key == "InitialCaller"
| extend ChangedFrom = iff(EP.Value startswith "80", "TABL", "Teams Admin Centre")
)
| project Timestamp, AccountObjectId, AccountDisplayName, Application, ActionType, Action, ChangedFrom, ModifiedPropertiesName, DomainValue, ModifiedPropertiesNewValue, ModifiedPropertiesOldValue, RawEventData, ReportId
version: 1.0.1
| Sentinel Table | Notes |
|---|---|
CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled Domain Sync with Azure AD Connect
Description: A scheduled job using Azure AD Connect synchronizes domain information between on-premises Active Directory and Azure AD, which may temporarily update blocked domains.
Filter/Exclusion: Exclude events where the source is Azure AD Connect or where the change was initiated by a scheduled task with a known name like AzureADConnectSync.
Scenario: Manual Domain Block/Unblock via Microsoft Teams Admin Center
Description: An admin manually updates the list of blocked domains in the Microsoft Teams Admin Center as part of routine configuration.
Filter/Exclusion: Exclude events where the user is a known admin (e.g., [email protected]) or where the action is performed via the Microsoft Teams Admin Center UI.
Scenario: Automated Domain List Update via PowerShell Script
Description: A PowerShell script runs on a schedule to update the list of blocked domains using the Microsoft Graph API or the Teams PowerShell module.
Filter/Exclusion: Exclude events where the source is a known PowerShell script (e.g., Update-TeamsBlockedDomains.ps1) or where the user is a service account used for automation.
Scenario: Domain Update via Microsoft 365 Compliance Center
Description: An admin updates blocked domains through the Microsoft 365 Compliance Center as part of a security policy adjustment.
Filter/Exclusion: Exclude events where the source is the Microsoft 365 Compliance Center or where the user is a compliance admin (e.g., [email protected]).
Scenario: Domain List Sync with Third-Party Identity Provider (IdP)
Description: A third-party identity provider (e.g., Okta, Ping Identity) synchronizes domain lists with Microsoft Teams, which may cause temporary changes to blocked domains.
*Filter/Exclusion