Adversaries may use malicious Teams messages from external senders to deliver phishing content or exfiltrate data. SOC teams should proactively hunt for this behavior to identify and mitigate potential compromise vectors in their Azure Sentinel environment.
KQL Query
//This query helps hunt for Teams messages from external senders with Threats (Spam, Phish, Malware)
MessageEvents
| where Timestamp > ago(30d)
| where IsExternalThread==1 and IsOwnedThread==0
| where ThreatTypes has_any ("Phish","Malware","Spam")
| project Timestamp,TeamsMessageId, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId, ThreatTypes, DetectionMethods
id: ac842e4d-0c7d-4980-b09d-c761f3de0a79
name: Malicious Teams messages received from external senders
description: |
This query helps hunt for malicious Teams messages received from external senders.
description-detailed: |
This query helps hunt for Malicious Teams messages received from external senders, using Microsoft Defender for Office 365 and Advance hunting in Microsoft Defender XDR
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- MessageEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//This query helps hunt for Teams messages from external senders with Threats (Spam, Phish, Malware)
MessageEvents
| where Timestamp > ago(30d)
| where IsExternalThread==1 and IsOwnedThread==0
| where ThreatTypes has_any ("Phish","Malware","Spam")
| project Timestamp,TeamsMessageId, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId, ThreatTypes, DetectionMethods
version: 1.0.0Scenario: Internal Teams Admin Sending Scheduled Reports to External Stakeholders
Description: A Teams admin sends a scheduled report to an external partner or client using a shared channel or via a scheduled message.
Filter/Exclusion: Exclude messages sent by users with the “Teams Admin” role or from known external reporting email addresses (e.g., [email protected]).
Scenario: Automated Job Notification from a Third-Party Service
Description: A third-party service (e.g., Azure DevOps, Jira, or a CI/CD tool) sends a notification to a Teams channel via an integration, appearing as an external sender.
Filter/Exclusion: Exclude messages from known integration IDs or webhooks (e.g., integration_id=azure-devops-webhook).
Scenario: Legitimate External Collaboration with a Partner Organization
Description: A legitimate external collaboration where a partner organization sends messages to a Teams channel for project updates or shared work.
Filter/Exclusion: Exclude messages from pre-approved external domains (e.g., @partnercompany.com) or users in a trusted external user group.
Scenario: User Error or Misconfiguration in Teams Channel Settings
Description: A user accidentally sends a message to a Teams channel that was mistakenly configured to accept external messages.
Filter/Exclusion: Exclude messages sent to channels with “external senders” disabled or from users who are not in the “external users” group.
Scenario: Internal User Sending a Message to an External Email Address via Teams
Description: An internal user sends a message to an external email address using the Teams “Copy to Email” feature, which may be flagged as an external sender.
Filter/Exclusion: Exclude messages where the “Copy to Email” feature was used, or where the recipient is an email address rather than