
Microsoft Teams chat initiated by a suspicious external user

kql · MEDIUM · Azure-Sentinel
T1566
AlertEvidence
hunting · microsoft · official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-11T23:00:00Z · Confidence: medium

Hunt Hypothesis

Use AlertInfo and AlertEvidence to collect general information and clickable links to more IOCs about suspicious external Teams messages.

KQL Query

// Use AlertInfo and AlertEvidence to collect general information and clickable links to more IOCs about suspicious external Teams messages
AlertInfo
| where Timestamp >= ago(30d)
| where Title == "Microsoft Teams chat initiated by a suspicious external user"
| join AlertEvidence on AlertId
| top 100 by Timestamp

Analytic Rule Definition

id: 8b88ecaf-88b3-4d70-814f-a55b96748ff5
name: Microsoft Teams chat initiated by a suspicious external user
description: |
  Use AlertInfo and AlertEvidence to collect general information and clickable links to more IOCs about suspicious external Teams messages.
description-detailed: |
  This query uses AlertInfo and AlertEvidence tables to collect general information and clickable links to more IOCs about suspicious external Teams messages.
  Shared by Microsoft Threat Intelligence: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/protection-against-multi-modal-attacks-with-microsoft-defender/4438786
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - AlertInfo
  - AlertEvidence
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // Use AlertInfo and AlertEvidence to collect general information and clickable links to more IOCs about suspicious external Teams messages
  AlertInfo
  | where Timestamp >= ago(30d)
  | where Title == "Microsoft Teams chat initiated by a suspicious external user"
  | join AlertEvidence on AlertId
  | top 100 by Timestamp
version: 1.0.0
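The rule's `top 100 by Timestamp` runs after the join, so it caps evidence rows rather than alerts, and a single alert with many evidence entries can crowd the others out of the result. The variant below is an added example, not the Azure-Sentinel rule's own code; it folds the evidence into one row per alert before ranking and assumes the standard Advanced Hunting AlertEvidence columns EntityType, EvidenceRole, AccountUpn and RemoteUrl.

```kql
// Added example: one row per suspicious external Teams alert, evidence summarised.
// Assumes the standard Advanced Hunting schema for AlertInfo and AlertEvidence.
AlertInfo
| where Timestamp >= ago(30d)
| where Title == "Microsoft Teams chat initiated by a suspicious external user"
// Rename Timestamp on the left side so the join does not produce Timestamp/Timestamp1.
| project AlertId, AlertTime = Timestamp, Severity, Category, ServiceSource, DetectionSource
| join kind=inner (
    AlertEvidence
    | project AlertId, EntityType, EvidenceRole, AccountUpn, RemoteUrl
) on AlertId
// Collapse the evidence rows so that top 100 counts alerts, not evidence entries.
| summarize
    EvidenceCount = count(),
    EntityTypes   = make_set(EntityType, 20),
    Roles         = make_set(EvidenceRole, 20),
    Accounts      = make_set_if(AccountUpn, isnotempty(AccountUpn), 20),
    Urls          = make_set_if(RemoteUrl, isnotempty(RemoteUrl), 20)
    by AlertId, AlertTime, Severity, Category, ServiceSource, DetectionSource
| top 100 by AlertTime desc
```

The sets of accounts and URLs are the IOCs the original hunt points at; a non-empty Urls set on an external-sender alert is the row to pivot on first.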

Required Data Sources

Sentinel Table    Notes
AlertEvidence     Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/Microsoft Teams chat initiated by a suspicious external user.yaml