A Teams message that Microsoft Defender for Office 365 has tagged as Phish, Malware or Spam, sent by an internal account into a thread that includes external participants, points to one of two things: a compromised internal account being used to push malware or phishing lures to partners, customers and vendors, or an insider misusing Teams. Either way it is an early signal of account takeover or lateral movement, so SOC teams should hunt for it proactively in Microsoft Sentinel (formerly Azure Sentinel) rather than wait for a recipient to report it. Note that the query below keys on the thread flags (IsOwnedThread and IsExternalThread) and on the Defender verdict in ThreatTypes; it does not by itself verify that SenderEmailAddress belongs to the tenant, so add a sender-domain filter if you want only internal senders.
KQL Query
// This query helps hunt for Teams messages from internal senders with threats in them (Spam, Phish, Malware)
MessageEvents
| where Timestamp > ago(30d)
| where IsExternalThread == 1 and IsOwnedThread == 1
| where ThreatTypes has_any ("Phish", "Malware", "Spam")
| project Timestamp, TeamsMessageId, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId, ThreatTypes, DetectionMethods
id: aee866e2-dc92-4563-a387-b9e5710246c0
name: External malicious Teams messages sent from internal senders
description: |
  This query helps hunt for external malicious Teams messages sent from internal senders
description-detailed: |
  This query hunts for Teams messages from internal senders that Microsoft Defender for Office 365 tagged as Phish, Malware or Spam in threads with external participants, using the MessageEvents advanced hunting table from Microsoft Defender XDR
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // This query helps hunt for Teams messages from internal senders with threats in them (Spam, Phish, Malware)
  MessageEvents
  | where Timestamp > ago(30d)
  | where IsExternalThread == 1 and IsOwnedThread == 1
  | where ThreatTypes has_any ("Phish", "Malware", "Spam")
  | project Timestamp, TeamsMessageId, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId, ThreatTypes, DetectionMethods
version: 1.0.0
Scenario: Internal users sending legitimate external collaboration messages
Description: Employees may send messages to external partners, clients, or vendors as part of normal business operations. Because the query only returns messages that Defender for Office 365 has already tagged in ThreatTypes, this traffic surfaces only when a benign message (for example a link to a partner file share or a bulk announcement) is misclassified as Spam or Phish.
Filter/Exclusion: Exclude recipients at known external business domains by adding a where clause on the addresses in RecipientDetails (for example an allow-list of approved partner domains maintained alongside the query). Keep the list narrow and check DetectionMethods before treating a verdict as a false positive; a URL-detonation or malware-signature hit on a message to a "trusted" partner is still worth a look.
Scenario: Automated scheduled job sending Teams messages
Description: A scheduled job or script (e.g., Power Automate, Azure Logic Apps, or PowerShell) may send automated notifications or updates to external users, and templated bulk messages with links are occasionally tagged as Spam.
Filter/Exclusion: Exclude senders that are known service accounts or system users by filtering SenderEmailAddress against a list of automation identities registered in Microsoft Entra ID (Azure AD) or Exchange Online. Review those identities in a separate hunt rather than silently dropping them: an automation account that starts sending Phish- or Malware-tagged content is itself a high-value finding.
Scenario: Internal user sending messages to a shared external Teams channel
Description: A team member may post to a shared channel, or to a team that includes guests from another organization, for collaboration.
Filter/Exclusion: Identify channel posts by filtering on ThreadType (already projected by the query). Prefer tagging these rows over excluding them: a malicious file or link posted into a shared channel reaches every member at once, so it deserves more scrutiny than a one-to-one chat, not less.
Scenario: Internal user sending messages to an external support team
Description: An internal user may contact an external support team (e.g., a third-party vendor or service provider) via Teams for troubleshooting or assistance, often pasting logs, screenshots or links that can trip content filters.
Filter/Exclusion: Exclude messages whose recipients in RecipientDetails belong to a known external support team (e.g., addresses or domains kept in an allow-list, or members of a Microsoft 365 group or distribution list in Exchange Online).
Scenario: Internal user sending messages to a guest user via Teams
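The following is an added example, not the query from the original page or the Sentinel repository: the hunt above with the exclusions from the false-positive scenarios folded in, plus the missing check that the sender actually belongs to the tenant. Every address and domain in the let statements is a constructed placeholder. Two details are assumptions not confirmed by the page and should be checked against a few live rows (for example with a quick take 20) before relying on them: that RecipientDetails is a dynamic array whose elements contain the recipient's e-mail address somewhere in their JSON, and that ThreadType contains the word "channel" for channel posts.

```kql
// Added example (not from the original query or the Sentinel repo): tuned version of the
// hunt with the false-positive exclusions applied and the sender verified as internal.
// Assumptions (not confirmed by the page): RecipientDetails is a dynamic array whose
// elements embed the recipient's e-mail address; channel posts have a ThreadType that
// contains "channel". All addresses and domains below are constructed placeholders.
let lookback = 30d;
let TenantDomains = dynamic(["contoso.example"]);                      // the tenant's own accepted domains
let ServiceAccounts = dynamic(["svc-teams-notify@contoso.example",      // scenario 2: known automation identities
                               "svc-logicapps@contoso.example"]);
let AllowedExternalDomains = dynamic(["partner.example",                // scenarios 1 and 4: partners and vendor support
                                      "vendor-support.example"]);
MessageEvents
| where Timestamp > ago(lookback)
| where IsExternalThread == 1 and IsOwnedThread == 1
| where ThreatTypes has_any ("Phish", "Malware", "Spam")
// The original query never checks that the sender is internal; do it explicitly,
// and drop known service accounts (hunt those separately rather than ignoring them).
| extend SenderDomain = tolower(tostring(split(SenderEmailAddress, "@")[1]))
| where SenderDomain in~ (TenantDomains)
| where SenderEmailAddress !in~ (ServiceAccounts)
// One row per sender -> recipient pair, so allow-listing is decided per recipient.
| mv-expand Recipient = RecipientDetails
| extend RecipientAddress = tolower(extract(@"([\w.+-]+@[\w.-]+)", 1, tostring(Recipient)))
| extend RecipientDomain = tostring(split(RecipientAddress, "@")[1])
// Keep only recipients that are genuinely external and not on the partner allow-list.
| where isnotempty(RecipientDomain)
    and RecipientDomain !in~ (TenantDomains)
    and RecipientDomain !in~ (AllowedExternalDomains)
// Scenario 3: tag channel posts instead of dropping them; a malicious post in a shared
// channel reaches every member at once and deserves more attention, not less.
| extend IsChannelPost = ThreadType contains "channel"
// Roll up per sender so one compromised account shows as one row with its blast radius.
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Messages = dcount(TeamsMessageId),
            ExternalRecipients = make_set(RecipientAddress, 50),
            ExternalDomains = make_set(RecipientDomain, 20),
            Threats = make_set(ThreatTypes),
            Methods = make_set(DetectionMethods),
            ChannelPosts = countif(IsChannelPost)
    by SenderEmailAddress, SenderDisplayName
| order by Messages desc, LastSeen desc
```

The per-sender roll-up is the useful view for triage: a single internal account fanning the same Phish-tagged message out to many distinct external domains within minutes is the account-takeover pattern the page describes, while a one-off Spam verdict on a message to a long-standing partner is the false positive the scenarios above cover. When reviewing a candidate, pivot from SenderEmailAddress into sign-in and mailbox-rule activity for the same account around FirstSeen before deciding whether to add it to an exclusion list.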