Adversaries may use attacker-controlled domains to send large volumes of inbound Teams messages as part of credential-harvesting or phishing campaigns. This hunting query summarizes the daily volume of inbound external Teams messages by sender domain, so that a SOC can spot a domain that suddenly appears or spikes and then pivot to the messages and recipients involved. It runs in Azure Sentinel over the MessageEvents table provided by the Microsoft 365 Defender (MicrosoftThreatProtection) connector.
KQL Query
// This query helps review the daily volume of inbound external Teams messages by sender domain.
// IsExternalThread == 1 keeps threads with at least one external participant and IsOwnedThread == 1
// keeps threads owned by this tenant, i.e. external senders writing into the organization's threads.
MessageEvents
| where IsExternalThread==1 and IsOwnedThread==1
| mv-expand Recipients = RecipientDetails
| extend RecipientEmailAddress = tostring(Recipients.RecipientSmtpAddress), RecipientDisplayName = tostring(Recipients.RecipientDisplayName), RecipientObjectId = tostring(Recipients.RecipientObjectId), RecipientType = tostring(Recipients.RecipientType)
// Group by the sender's domain, not the recipient's: recipients of an owned thread are mostly the organization's own users.
| extend Domain = tolower(substring(SenderEmailAddress, indexof(SenderEmailAddress, "@") + 1))
// mv-expand yields one row per recipient, so count distinct messages rather than rows.
| summarize total = dcount(MessageId), recipients = dcount(RecipientEmailAddress) by Domain, bin(Timestamp, 1d)
| order by Timestamp asc
id: 15688e35-9957-427f-a8fb-95b7883120b3
name: Inbound Teams messages by sender domains
description: |
  This query helps review the volume of inbound external Teams messages by sender domain
description-detailed: |
  This query helps review the daily volume of inbound external Teams messages by sender domain, so that domains that newly appear or spike in volume can be investigated as possible phishing or credential-harvesting campaigns
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  // This query helps review the daily volume of inbound external Teams messages by sender domain.
  // IsExternalThread == 1 keeps threads with at least one external participant and IsOwnedThread == 1
  // keeps threads owned by this tenant, i.e. external senders writing into the organization's threads.
  MessageEvents
  | where IsExternalThread==1 and IsOwnedThread==1
  | mv-expand Recipients = RecipientDetails
  | extend RecipientEmailAddress = tostring(Recipients.RecipientSmtpAddress), RecipientDisplayName = tostring(Recipients.RecipientDisplayName), RecipientObjectId = tostring(Recipients.RecipientObjectId), RecipientType = tostring(Recipients.RecipientType)
  // Group by the sender's domain, not the recipient's: recipients of an owned thread are mostly the organization's own users.
  | extend Domain = tolower(substring(SenderEmailAddress, indexof(SenderEmailAddress, "@") + 1))
  // mv-expand yields one row per recipient, so count distinct messages rather than rows.
  | summarize total = dcount(MessageId), recipients = dcount(RecipientEmailAddress) by Domain, bin(Timestamp, 1d)
  | order by Timestamp asc
version: 1.0.0
Scenario: Internal Teams User Sending to External Domain
Description: A legitimate internal user sends a message to an external domain (e.g., a partner or customer) as part of regular business communication.
Filter/Exclusion: Exclude messages whose sender is an organization user (the domain of SenderEmailAddress is one of the tenant's own domains, or SenderObjectId is a member user) and, where desired, messages from an allowlist of known external business partner domains.
Scenario: Scheduled Job Sending Messages to External Domain
Description: A scheduled job or automation tool (e.g., Power Automate, Azure Logic Apps) sends outbound Teams messages to an external domain for reporting or alerting purposes.
Filter/Exclusion: Exclude messages from service accounts and known automation identities by matching SenderObjectId (or SenderEmailAddress) against a maintained allowlist of approved automation principals.
Scenario: Teams Integration with External Service (e.g., ServiceNow, Jira)
Description: A Teams integration (e.g., a bot or webhook) from an external service (e.g., ServiceNow, Jira) sends messages to a Teams channel.
Filter/Exclusion: Exclude messages from approved bots and connector webhooks by matching their sender identity (SenderObjectId or SenderDisplayName) against an allowlist of sanctioned integrations; review that allowlist periodically, since a compromised or newly added integration would otherwise be hidden from the hunt.
Scenario: User Sending Messages to a Publicly Shared Team or Channel
Description: A user sends a message to a public Team or channel that is accessible to external guests, which may appear as an external domain.
Filter/Exclusion: Exclude threads where guest participation is expected (match ThreadId, or the channel value of ThreadType, against the list of teams and channels open to guests) and keep guest senders in scope everywhere else.
Scenario: Teams Message Forwarded from External Domain
Description: A user receives a message from an external domain and forwards it to another user within the organization.
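The exclusions above can be folded into the hunt itself, together with a check for domains that are new or that spike against their own baseline. The query below is an added example, not the page's original query or Microsoft content; it assumes the MessageEvents columns SenderEmailAddress, SenderObjectId, ThreadId and MessageId, and every domain, object ID and thread ID in its lists is a hypothetical placeholder to be replaced with the tenant's own values.

```kql
// Added example, not the page's original query: the inbound-by-sender-domain hunt
// with the scenario exclusions applied and a first-seen / spike check on top.
// All list contents below are hypothetical placeholders; replace them with your tenant's values.
let lookback = 30d;          // baseline window
let recent = 1d;             // window being hunted
let spikeFactor = 5.0;       // flag a domain at 5x its baseline daily volume
let tenantDomains = dynamic(["contoso.com", "contoso.onmicrosoft.com"]);     // assumption: the tenant's own domains
let partnerDomains = dynamic(["fabrikam.com"]);                               // assumption: known business partners
let automationSenders = dynamic(["11111111-2222-3333-4444-555555555555"]);    // assumption: SenderObjectId of approved automation and bot identities
let guestTeamThreads = dynamic(["19:placeholder-thread-id@thread.tacv2"]);     // assumption: ThreadId of teams where guest traffic is expected
let inbound = MessageEvents
    | where Timestamp > ago(lookback)
    | where IsExternalThread == 1 and IsOwnedThread == 1
    | extend SenderDomain = tolower(substring(SenderEmailAddress, indexof(SenderEmailAddress, "@") + 1))
    | where isnotempty(SenderDomain)
    | where SenderDomain !in (tenantDomains) and SenderDomain !in (partnerDomains)   // scenario 1
    | where SenderObjectId !in (automationSenders)                                  // scenarios 2 and 3
    | where ThreadId !in (guestTeamThreads);                                        // scenario 4
// Per-domain baseline built from everything older than the hunted window.
let baseline = inbound
    | where Timestamp <= ago(recent)
    | summarize BaselineMessages = dcount(MessageId), BaselineDays = dcount(bin(Timestamp, 1d)), FirstSeen = min(Timestamp) by SenderDomain
    | extend BaselineDailyAvg = todouble(BaselineMessages) / BaselineDays;
inbound
| where Timestamp > ago(recent)
| mv-expand Recipient = RecipientDetails
// dcount(MessageId) keeps the message count honest after mv-expand multiplied rows per recipient.
| summarize RecentMessages = dcount(MessageId), DistinctSenders = dcount(SenderEmailAddress), DistinctRecipients = dcount(tostring(Recipient.RecipientSmtpAddress)) by SenderDomain
| join kind=leftouter baseline on SenderDomain
// A domain with no baseline row has never messaged the tenant within the lookback window.
| extend NewDomain = isnull(FirstSeen)
| extend SpikeRatio = iff(isnull(BaselineDailyAvg) or BaselineDailyAvg == 0.0, real(null), todouble(RecentMessages) / BaselineDailyAvg)
| where NewDomain or SpikeRatio >= spikeFactor
| project SenderDomain, RecentMessages, DistinctSenders, DistinctRecipients, NewDomain, BaselineDailyAvg, SpikeRatio
| order by NewDomain desc, SpikeRatio desc
```

A domain that is both new and fans out to many distinct recipients from one or two senders is the pattern worth pivoting on first; from there, the same `inbound` set filtered to that SenderDomain gives the individual messages and the RecipientDetails needed to scope who was reached.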