Adversaries may use Teams to initiate phishing campaigns by sending malicious links or attachments, leveraging the platform's trusted communication channels to compromise users. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage phishing attempts before they lead to data exfiltration or lateral movement. The query below looks for one-on-one Teams chats created by a sender from a foreign tenant whose display name impersonates a help desk or Microsoft Security, and correlates the recipient with accounts that were seen running processes on an alerted device.
KQL Query

```kusto
// "alertedMachine" is a placeholder: substitute the DeviceId of the host under investigation.
// UPNs are lower-cased here so they compare correctly with the lower-cased TargetUPN below.
let suspiciousUpns = DeviceProcessEvents
| where DeviceId == "alertedMachine"
| where isnotempty(InitiatingProcessAccountUpn)
| project InitiatingProcessAccountUpn = tolower(InitiatingProcessAccountUpn);
CloudAppEvents
| where Application == "Microsoft Teams"
| where ActionType == "ChatCreated"
| where isempty(AccountObjectId)
| where RawEventData.ParticipantInfo.HasForeignTenantUsers == true
| where RawEventData.CommunicationType == "OneonOne"
| where RawEventData.ParticipantInfo.HasGuestUsers == false
| where RawEventData.ParticipantInfo.HasOtherGuestUsers == false
// Display names commonly used to impersonate IT or security staff
| where RawEventData.Members[0].DisplayName in ("Microsoft Security", "Help Desk", "Help Desk Team", "Help Desk IT", "office")
| where AccountId has "@"
| extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))
| where TargetUPN in (suspiciousUpns)
```
```yaml
id: ca7f7287-d688-4256-ae46-e68ad2f657c8
name: Possible Teams phishing activity
description: |
  This query looks for possible Teams phishing activity.
description-detailed: |
  This query looks for possible Teams phishing activity.
  Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // "alertedMachine" is a placeholder: substitute the DeviceId of the host under investigation.
  let suspiciousUpns = DeviceProcessEvents
  | where DeviceId == "alertedMachine"
  | where isnotempty(InitiatingProcessAccountUpn)
  | project InitiatingProcessAccountUpn = tolower(InitiatingProcessAccountUpn);
  CloudAppEvents
  | where Application == "Microsoft Teams"
  | where ActionType == "ChatCreated"
  | where isempty(AccountObjectId)
  | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true
  | where RawEventData.CommunicationType == "OneonOne"
  | where RawEventData.ParticipantInfo.HasGuestUsers == false
  | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false
  | where RawEventData.Members[0].DisplayName in ("Microsoft Security", "Help Desk", "Help Desk Team", "Help Desk IT", "office")
  | where AccountId has "@"
  | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))
  | where TargetUPN in (suspiciousUpns)
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
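To show what each filter in the query actually evaluates against a record, here is an added Python re-implementation of the same two-stage logic run over constructed sample rows shaped like the DeviceProcessEvents and CloudAppEvents tables. It is not the page's or Microsoft's code; the sample tenant names, UPNs and the `_chat` helper are assumptions for illustration.

```python
# Spoofed sender display names from the hunting query's `in (...)` list (case-sensitive, as in KQL).
SPOOFED_DISPLAY_NAMES = {"Microsoft Security", "Help Desk", "Help Desk Team", "Help Desk IT", "office"}

def suspicious_upns(device_process_events, device_id):
    """Mirror of `let suspiciousUpns`: accounts that ran processes on the alerted device, lower-cased."""
    return {e["InitiatingProcessAccountUpn"].lower() for e in device_process_events
            if e.get("DeviceId") == device_id and e.get("InitiatingProcessAccountUpn")}

def is_possible_teams_phish(event, upns):
    """Mirror of the CloudAppEvents filters: external one-on-one chat, no guests, spoofed sender name."""
    if event.get("Application") != "Microsoft Teams" or event.get("ActionType") != "ChatCreated":
        return False
    if event.get("AccountObjectId"):  # isempty(AccountObjectId): sender has no object in this tenant
        return False
    raw = event.get("RawEventData", {})
    info = raw.get("ParticipantInfo", {})
    if not (info.get("HasForeignTenantUsers") is True and raw.get("CommunicationType") == "OneonOne"
            and info.get("HasGuestUsers") is False and info.get("HasOtherGuestUsers") is False):
        return False
    members = raw.get("Members", [])
    if len(members) < 2 or members[0].get("DisplayName") not in SPOOFED_DISPLAY_NAMES:
        return False
    if "@" not in str(event.get("AccountId", "")):  # AccountId has "@"
        return False
    return str(members[1].get("UPN", "")).lower() in upns  # TargetUPN in (suspiciousUpns)

def hunt(cloud_app_events, device_process_events, device_id="alertedMachine"):
    """Run both stages and return the CloudAppEvents records the query would surface."""
    upns = suspicious_upns(device_process_events, device_id)
    return [e for e in cloud_app_events if is_possible_teams_phish(e, upns)]

# Constructed sample records (not real telemetry) shaped like the two Sentinel tables.
SAMPLE_DEVICE_EVENTS = [
    {"DeviceId": "alertedMachine", "InitiatingProcessAccountUpn": "Alice@Contoso.com"},
    {"DeviceId": "otherMachine", "InitiatingProcessAccountUpn": "bob@contoso.com"},
]
def _chat(sender_name, sender_upn, target_upn):  # hypothetical helper building a ChatCreated row
    return {"Application": "Microsoft Teams", "ActionType": "ChatCreated", "AccountObjectId": "",
            "AccountId": sender_upn,
            "RawEventData": {"CommunicationType": "OneonOne",
                             "ParticipantInfo": {"HasForeignTenantUsers": True, "HasGuestUsers": False,
                                                 "HasOtherGuestUsers": False},
                             "Members": [{"DisplayName": sender_name, "UPN": sender_upn},
                                         {"DisplayName": "Employee", "UPN": target_upn}]}}
SAMPLE_CLOUD_EVENTS = [
    _chat("Help Desk", "helpdesk@external-tenant.example", "alice@contoso.com"),  # flagged
    _chat("Help Desk", "helpdesk@external-tenant.example", "bob@contoso.com"),    # bob not on alerted device
    _chat("Priya Patel", "priya@partner.example", "alice@contoso.com"),           # ordinary external chat
]
HITS = hunt(SAMPLE_CLOUD_EVENTS, SAMPLE_DEVICE_EVENTS)  # one record: the Help Desk chat to alice
```

Note that the device-side UPN is "Alice@Contoso.com" in mixed case; the match only succeeds because both sides are lower-cased before comparison.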
- Scenario: Admin performing scheduled backup of Teams data using Microsoft 365 Backup Service
  Filter/Exclusion: Exclude activity related to m365backup or backup in the operation field, or filter by user_principal_name matching known admin accounts.
- Scenario: IT staff using Microsoft Teams Admin Center to configure user settings or assign licenses
  Filter/Exclusion: Exclude activity with operation values like UserManagement or LicenseAssignment, or filter by resource matching TeamsAdminCenter.
- Scenario: Automated job running to sync user data between Azure AD and Microsoft Teams using Azure AD Connect
  Filter/Exclusion: Exclude activity with operation containing AzureADConnect or Sync, or filter by user_principal_name matching the sync service account.
- Scenario: User accessing Teams via the web portal for a scheduled meeting or collaboration session
  Filter/Exclusion: Exclude activity with operation like MeetingJoin or MeetingCreate, or filter by resource matching TeamsWebPortal.
- Scenario: System-generated activity from Microsoft Teams' built-in analytics or reporting tools
  Filter/Exclusion: Exclude activity with operation containing Analytics or Reporting, or filter by user_principal_name matching system service accounts.