The hypothesis is that an adversary is using multiple distinct accounts to submit Teams message admin actions, spreading the activity across identities so that no single account stands out and the access gained through phishing is masked. A SOC team should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) to surface potential credential compromise or persistent access that aligns with T1566 (Phishing). The query below counts the distinct accounts behind Teams chat-message admin submissions; a count that is unusually high for the tenant, or that includes accounts with no admin duties, is the signal to investigate.
KQL Query

```kql
CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
| extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
         SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
         SubmittedBy = tostring(parse_json(RawEventData).UserId)
| where SubmissionContentType == "ChatMessage" and SubmissionType in ("1", "2", "3")
| summarize dcount(SubmittedBy)
```
```yaml
id: dc230eec-acc2-482f-8601-25125c8ff122
name: Number of unique accounts performing Teams message Admin submissions
description: |
  This query visualises the number of unique accounts performing Teams message admin submissions reported as false negatives or false positives
description-detailed: |
  This query visualises the number of unique accounts performing Teams message admin submissions reported as false negatives or false positives
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "AdminSubmissionSubmitted"
  | extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
           SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
           SubmittedBy = tostring(parse_json(RawEventData).UserId)
  | where SubmissionContentType == "ChatMessage" and SubmissionType in ("1", "2", "3")
  | summarize dcount(SubmittedBy)
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Populated by the Microsoft Defender XDR (MicrosoftThreatProtection) connector; ensure this data connector is enabled and that CloudAppEvents is a selected data type |
False positive scenarios. CloudAppEvents carries no process or host fields, so exclusions for these scenarios are expressed against the query's own SubmittedBy column (RawEventData.UserId) and must be inserted before the summarize step; account names shown are placeholders to be replaced with vetted identities from your tenant.

Scenario: Scheduled backup job submits Teams message admin actions
Description: A nightly job that archives Teams messages for compliance purposes runs under a dedicated service account and triggers multiple admin submissions from that one identity.
Filter/Exclusion: | where SubmittedBy !in ("backup-svc@contoso.example")

Scenario: User manually submits a large Teams conversation
Description: A user with admin privileges submits a large number of messages from a single Teams chat, causing a spike in submission volume. Because the query counts distinct accounts rather than events, one busy admin does not by itself raise dcount(SubmittedBy); exclude the account only if it is a known, recurring reviewer.
Filter/Exclusion: | where SubmittedBy != "admin.user@contoso.example"

Scenario: Teams message retention policy is applied automatically
Description: The organization's retention policy automatically removes old messages. Where this automation is observed to surface as AdminSubmissionSubmitted events, the submitting identity will be a fixed system account rather than a human user.
Filter/Exclusion: | where SubmittedBy !in ("retention-svc@contoso.example")

Scenario: System health check tool performs Teams message cleanup
Description: A third-party system health tool runs a cleanup task that removes old messages, generating admin submission events under the tool's service account.
Filter/Exclusion: | where SubmittedBy !in ("healthcheck-svc@contoso.example", "cleanup-svc@contoso.example")

Scenario: Teams admin dashboard is used to review message activity
Description: An admin reviews reported message activity through the Microsoft Teams admin center and submits items for analysis, which generates multiple admin submission events from a small, known set of admin accounts.
Filter/Exclusion: | where SubmittedBy !in ("teams.admin@contoso.example")

In every case, verify that the excluded account is the one actually recorded in RawEventData.UserId for those events before suppressing it; an exclusion keyed on an unexpected value silently removes nothing, and one keyed on a shared admin account can hide the very activity this hunt is looking for.