Adversaries may modify blocked Teams domains to bypass network restrictions and exfiltrate data undetected. SOC teams should proactively hunt for this behavior to identify potential lateral movement or data exfiltration attempts in their Azure Sentinel environment.
KQL Query
CloudAppEvents
| where ActionType == "TeamsAdminAction"
| where RawEventData.AdminActionDetail has "Skype.Policy/configurations/TenantFederationSettings/configuration/Global"
| where RawEventData.ModifiedProperties has "BlockedDomains"
| extend ModifiedPropertiesName = RawEventData.ModifiedProperties[0].Name
| extend ModifiedPropertiesNewValue = extract_all(@"Domain=([^,]+)", tostring(RawEventData.ModifiedProperties[0].NewValue))
| extend ModifiedPropertiesOldValue = extract_all(@"Domain=([^,]+)", tostring(RawEventData.ModifiedProperties[0].OldValue))
| extend Action = iff(array_length(ModifiedPropertiesNewValue) > array_length(ModifiedPropertiesOldValue) or isempty(ModifiedPropertiesOldValue), "Domain Added", "Domain Removed")
| extend AddedFrom = iff(RawEventData.ExtraProperties has "80ccca67-54bd-44ab-8625-4b79c4dc7775", "TABL", "Teams Admin Centre")
//Uncomment below to only show domains added
//| where Action == "Domain Added"
| project Timestamp, AccountObjectId, AccountDisplayName, Application, ActionType, Action, AddedFrom, ModifiedPropertiesName, ModifiedPropertiesNewValue, ModifiedPropertiesOldValue, RawEventData, ReportId
id: f3ceca1b-8190-4511-beac-06b3368b8360
name: Changes to Blocked Teams Domains (NRT)
description: |
This query detects changes to blocked Teams domains and can be used as an NRT detection.
description-detailed: |
This query detects domains being added or removed from blocked Teams domains. The changes could have been done from either TABL or Teams Admin Center. It can be set up as a Continuous (NRT) Custom Detection Rule to trigger an alert when changes occur.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CloudAppEvents
| where ActionType == "TeamsAdminAction"
| where RawEventData.AdminActionDetail has "Skype.Policy/configurations/TenantFederationSettings/configuration/Global"
| where RawEventData.ModifiedProperties has "BlockedDomains"
| extend ModifiedPropertiesName = RawEventData.ModifiedProperties[0].Name
| extend ModifiedPropertiesNewValue = extract_all(@"Domain=([^,]+)", tostring(RawEventData.ModifiedProperties[0].NewValue))
| extend ModifiedPropertiesOldValue = extract_all(@"Domain=([^,]+)", tostring(RawEventData.ModifiedProperties[0].OldValue))
| extend Action = iff(array_length(ModifiedPropertiesNewValue) > array_length(ModifiedPropertiesOldValue) or isempty(ModifiedPropertiesOldValue), "Domain Added", "Domain Removed")
| extend AddedFrom = iff(RawEventData.ExtraProperties has "80ccca67-54bd-44ab-8625-4b79c4dc7775", "TABL", "Teams Admin Centre")
//Uncomment below to only show domains added
//| where Action == "Domain Added"
| project Timestamp, AccountObjectId, AccountDisplayName, Application, ActionType, Action, AddedFrom, ModifiedPropertiesName, ModifiedPropertiesNewValue, ModifiedPropertiesOldValue, RawEventData, ReportId
version: 1.0.1
| Sentinel Table | Notes |
|---|---|
CloudAppEvents | Ensure this data connector is enabled |
Scenario: A system administrator updates the list of blocked Teams domains via the Microsoft 365 Admin Center during routine compliance review.
Filter/Exclusion: Exclude events where the source is the Microsoft 365 Admin Center or where the user is a known admin account (e.g., user_principal_name = "[email protected]").
Scenario: A scheduled job runs to clean up outdated blocked domains in the Microsoft Teams compliance settings.
Filter/Exclusion: Exclude events where the action is initiated by a scheduled task (e.g., task_name = "TeamsDomainCleanupJob").
Scenario: A security tool or SIEM system automatically updates the list of blocked domains based on threat intelligence feeds.
Filter/Exclusion: Exclude events where the source is a third-party integration or external feed (e.g., source = "ThreatIntelFeed").
Scenario: A user manually blocks a domain in the Microsoft Teams admin center after receiving a phishing report from a trusted internal team.
Filter/Exclusion: Exclude events where the user is part of the internal security team or has elevated permissions (e.g., user_role = "SecurityAdmin").
Scenario: An automated script runs to apply domain blocklists across multiple tenant configurations during a migration or consolidation process.
Filter/Exclusion: Exclude events where the source is an automation script or a configuration management tool (e.g., source = "AzureAutomationScript").