Expanding the recipient details of each Teams message into separate rows, one per recipient, lets analysts identify adversaries attempting to exfiltrate information by sending targeted messages to multiple users, or leveraging Teams for lateral movement. SOC teams should proactively hunt for this behavior to identify potential data leakage or reconnaissance activity in their Azure Sentinel environment.
KQL Query
//Analyzing recipient details with a separate row for each recipient
MessageEvents
| mv-expand Recipients = RecipientDetails
| extend RecipientSmtpAddress = Recipients.RecipientSmtpAddress, RecipientDisplayName = Recipients.RecipientDisplayName, RecipientObjectId = Recipients.RecipientObjectId, RecipientType = Recipients.RecipientType
id: 70ba5995-866f-4a23-bacc-40b82056893b
name: Expanding recipients into separate rows
description: |
  This query helps hunt for recipients of Teams messages.
description-detailed: |
  This query helps hunt for recipients of Teams messages by expanding the recipient details into separate rows, using Microsoft Defender for Office 365 and Advanced hunting in Microsoft Defender XDR.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //Analyzing recipient details with a separate row for each recipient
  MessageEvents
  | mv-expand Recipients = RecipientDetails
  | extend RecipientSmtpAddress = Recipients.RecipientSmtpAddress, RecipientDisplayName = Recipients.RecipientDisplayName, RecipientObjectId = Recipients.RecipientObjectId, RecipientType = Recipients.RecipientType
version: 1.0.0
Scenario: A system administrator is exporting user data using the Microsoft 365 admin center or PowerShell cmdlets like Get-MsolUser or Get-AzureADUser.
Filter/Exclusion: Exclude users with the UserType set to Guest or External or filter by UserPrincipalName matching known admin accounts.
Scenario: A scheduled job runs to send automated reports via Teams, using the Microsoft Graph API or Power Automate.
Filter/Exclusion: Exclude messages sent to a predefined list of “reporting” or “notification” channels, or filter by conversationId associated with known reporting bots.
Scenario: A security analyst is testing the Teams message forwarding feature using the Teams admin center or PowerShell module.
Filter/Exclusion: Exclude messages sent to the @me or @all channel, or filter by sender matching known test accounts or service accounts.
Scenario: A user is using the Teams “Copy to channel” feature to share content across multiple channels, which expands recipients into separate rows.
Filter/Exclusion: Exclude messages where the sender is a user with the “Team Admin” role or filter by messageType indicating a content share or file upload.
Scenario: A backup or sync tool (e.g., Veeam, Acronis, or Microsoft OneDrive) is sending messages to Teams channels as part of a notification or alert process.
Filter/Exclusion: Exclude messages from known backup tools or services by checking the sender field against known service account names or by filtering based on messageBody containing specific keywords like “backup” or “sync”.
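The catalog query above only flattens RecipientDetails; the fan-out behavior described at the top of the page (one sender messaging many users) and the service-account exclusions listed in the scenarios still have to be expressed as a follow-on aggregation. The KQL below is an added example, not part of the original query or the catalog entry: it builds on the page's mv-expand step, drops a constructed list of known notification and service senders, and then counts distinct recipients per sender per hour. The column names RecipientDetails, RecipientSmtpAddress and RecipientType come from the page; Timestamp and SenderEmailAddress are assumed to exist on MessageEvents, and the lookback, window, threshold and exclusion values are constructed placeholders to be tuned against the tenant's own baseline.

```kql
// Added hunting example (not the catalog's own query).
// Assumptions: MessageEvents carries Timestamp and SenderEmailAddress;
// the sender addresses in excludedSenders are constructed placeholders.
let lookback = 7d;                 // how far back to hunt
let bucket = 1h;                   // aggregation window per sender
let threshold = 25;                // distinct recipients per window worth reviewing
let excludedSenders = dynamic([    // known bots / service accounts (scenarios 2 and 5)
    "backup-notify@example.com",
    "reports-bot@example.com"
]);
MessageEvents
| where Timestamp > ago(lookback)
| where SenderEmailAddress !in~ (excludedSenders)
// Same expansion as the catalog query: one row per recipient.
| mv-expand Recipients = RecipientDetails
| extend RecipientSmtpAddress = tostring(Recipients.RecipientSmtpAddress),
         RecipientType = tostring(Recipients.RecipientType)
| where isnotempty(RecipientSmtpAddress)
// Fan-out per sender: how many distinct people did one account reach in one window?
| summarize DistinctRecipients = dcount(RecipientSmtpAddress),
            Messages = count(),
            RecipientSample = make_set(RecipientSmtpAddress, 50),
            RecipientTypes = make_set(RecipientType)
    by SenderEmailAddress, WindowStart = bin(Timestamp, bucket)
| where DistinctRecipients >= threshold
| order by DistinctRecipients desc, WindowStart desc
```

Keep `threshold` above the tenant's normal broadcast volume (all-hands posts, HR announcements) and extend `excludedSenders` with the service and test accounts identified through the scenario filters, so that the result set is the unusual fan-out the page describes rather than routine notification traffic.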