Adversaries may be exploiting Teams Admin submission capabilities to bypass detection by submitting malicious or phishing content as false negatives. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evasion tactics and improve detection accuracy.
KQL Query

```kusto
// Admin submission of false negative Teams message detections with Malware and Phish threat daily trend
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = CloudAppEvents
| extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
         SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType)
| where ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "ChatMessage";
let Admin_Malware_FN = baseQuery
| make-series Count = countif(SubmissionType == "2") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Admin_Malware_FN";
let Admin_Phish_FN = baseQuery
| make-series Count = countif(SubmissionType == "1") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Admin_Phish_FN";
union Admin_Malware_FN, Admin_Phish_FN
| project Count, Details, Timestamp
| render timechart
```
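To check the query's filtering and daily bucketing offline before scheduling it, here is an added Python re-implementation of the same logic run over constructed sample CloudAppEvents rows (example code, not part of the original query or the Sentinel repository; the event contents and the ActionType value `UserSubmissionSubmitted` are constructed for the test).

```python
import json
from collections import Counter
from datetime import date, timedelta

# Constructed sample CloudAppEvents rows (not real telemetry). RawEventData is
# the JSON string that the KQL query unpacks with parse_json().
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-01T08:12:00Z", "ActionType": "AdminSubmissionSubmitted",
     "RawEventData": json.dumps({"SubmissionType": 1, "SubmissionContentType": "ChatMessage"})},
    {"Timestamp": "2024-05-01T09:30:00Z", "ActionType": "AdminSubmissionSubmitted",
     "RawEventData": json.dumps({"SubmissionType": 2, "SubmissionContentType": "ChatMessage"})},
    # Email submission: excluded by the SubmissionContentType filter
    {"Timestamp": "2024-05-01T10:00:00Z", "ActionType": "AdminSubmissionSubmitted",
     "RawEventData": json.dumps({"SubmissionType": 1, "SubmissionContentType": "Email"})},
    # Constructed non-admin action: excluded by the ActionType filter
    {"Timestamp": "2024-05-02T11:45:00Z", "ActionType": "UserSubmissionSubmitted",
     "RawEventData": json.dumps({"SubmissionType": 1, "SubmissionContentType": "ChatMessage"})},
    {"Timestamp": "2024-05-03T07:05:00Z", "ActionType": "AdminSubmissionSubmitted",
     "RawEventData": json.dumps({"SubmissionType": 1, "SubmissionContentType": "ChatMessage"})},
    {"Timestamp": "2024-05-03T19:20:00Z", "ActionType": "AdminSubmissionSubmitted",
     "RawEventData": json.dumps({"SubmissionType": 1, "SubmissionContentType": "ChatMessage"})},
]

# SubmissionType codes as used by the query: "1" = Phish, "2" = Malware.
SERIES = {"Admin_Phish_FN": "1", "Admin_Malware_FN": "2"}


def daily_trend(events, start_day, end_day):
    """Return {series_name: [count per day]} for the days start_day..end_day
    (ISO dates, end exclusive), zero-filled like make-series ... default = 0."""
    start, end = date.fromisoformat(start_day), date.fromisoformat(end_day)
    days = [start + timedelta(days=i) for i in range((end - start).days)]
    counts = {name: Counter() for name in SERIES}
    for ev in events:
        if ev["ActionType"] != "AdminSubmissionSubmitted":
            continue
        raw = json.loads(ev["RawEventData"])
        if str(raw.get("SubmissionContentType")) != "ChatMessage":
            continue
        # tostring() in KQL turns the numeric code into "1"/"2"; mirror that here.
        stype = str(raw.get("SubmissionType"))
        day = date.fromisoformat(ev["Timestamp"][:10])  # startofday bucket
        for name, code in SERIES.items():
            if stype == code:
                counts[name][day] += 1
    return {name: [counts[name][d] for d in days] for name in SERIES}


if __name__ == "__main__":
    for name, series in daily_trend(SAMPLE_EVENTS, "2024-05-01", "2024-05-04").items():
        print(name, series)
```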
```yaml
id: 13db68a8-bce1-4929-b8db-2589ee552e75
name: Teams Admin submission of Malware and Phish daily trend
description: |
  This query visualises the daily amount of admin false negative Teams message submissions by submission type of Phish or Malware
description-detailed: |
  This query visualises the daily amount of admin false negative Teams message submissions by submission type of Phish or Malware
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  // Admin submission of false negative Teams message detections with Malware and Phish threat daily trend
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let baseQuery = CloudAppEvents
  | extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
           SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType)
  | where ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "ChatMessage";
  let Admin_Malware_FN = baseQuery
  | make-series Count = countif(SubmissionType == "2") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Admin_Malware_FN";
  let Admin_Phish_FN = baseQuery
  | make-series Count = countif(SubmissionType == "1") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Admin_Phish_FN";
  union Admin_Malware_FN, Admin_Phish_FN
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure the MicrosoftThreatProtection (Microsoft 365 Defender) data connector that populates this table is enabled |
Scenario: Scheduled Malware Scan Submission
Description: A scheduled endpoint protection tool (e.g., Microsoft Defender for Endpoint) submits a benign file as part of a daily malware scan, which is mistakenly flagged as malware by the Teams admin submission system.
Filter/Exclusion: Exclude submissions originating from known endpoint protection tools (e.g., source = "Microsoft Defender for Endpoint") or filter by submission_type = "Malware" and check for tool_name = "Microsoft Defender for Endpoint".
Scenario: Phish Testing by Security Team
Description: The security team regularly performs phishing simulations using a tool like MockPhish or PhishMe, which are submitted through Teams as part of training exercises.
Filter/Exclusion: Exclude submissions with a known source IP or domain associated with phish testing tools (e.g., source_ip = "192.168.1.100" or domain = "mockphish.com").
Scenario: Automated Compliance Job Submission
Description: A compliance job (e.g., Microsoft 365 Compliance Center automated report) submits a message for review, which is misclassified as a phishing attempt.
Filter/Exclusion: Exclude submissions with a job_name field containing "Compliance" or "Report" and filter by submission_type = "Phish" and job_id = "ComplianceJob123".
Scenario: User-Submitted Safe Link in Teams
Description: A user submits a link they believe is safe, but the system incorrectly flags it as phishing. This can happen during user training or when the link is from a trusted domain.
Filter/Exclusion: Exclude submissions where the user has a verified admin role or where the link domain is in a trusted list (e.g., `domain = ”