Teams Admin-User Submissions Grading Verdicts

Hunt Hypothesis

Adversaries may submit and grade messages in Teams to manipulate or exfiltrate data by exploiting administrative privileges. SOC teams should proactively hunt for this behavior to identify potential insider threats or malicious activity leveraging Teams Admin capabilities.

KQL Query

//This query visualizes Teams messages submitted by users or admins then graded in the submission process, summarizing the data by the various submission garde results
CloudAppEvents
| where ActionType == "AdminSubmissionTriage" or ActionType == "UserSubmissionTriage"
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType),SubmissionState=tostring((parse_json(RawEventData)).SubmissionState),TriageVerdict=tostring((parse_json(RawEventData)).GradingResult.TriageVerdict)
| where SubmissionContentType == "ChatMessage" and SubmissionState == "Graded"
| summarize count() by TriageVerdict
| project TriageVerdict, TeamsMessages = count_

Analytic Rule Definition

id: 459c6943-0162-4bf5-8d0b-c5904f03f5a7
name: Teams Admin-User Submissions Grading Verdicts
description: |
  This query visualizes Teams messages submitted by users or admins then graded in the submission process.
description-detailed: |
  This query visualizes Teams messages submitted by users or admins then graded in the submission process, summarizing the data by the various submission garde results.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //This query visualizes Teams messages submitted by users or admins then graded in the submission process, summarizing the data by the various submission garde results
  CloudAppEvents
  | where ActionType == "AdminSubmissionTriage" or ActionType == "UserSubmissionTriage"
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType),SubmissionState=tostring((parse_json(RawEventData)).SubmissionState),TriageVerdict=tostring((parse_json(RawEventData)).GradingResult.TriageVerdict)
  | where SubmissionContentType == "ChatMessage" and SubmissionState == "Graded"
  | summarize count() by TriageVerdict
  | project TriageVerdict, TeamsMessages = count_
version: 1.0.0

Required Data Sources

Sentinel Table	Notes
`CloudAppEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: InitialAccess
Technique: T1566 — T1566

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/Teams Admin-User Submissions Grading Verdicts.yaml)

False Positive Guidance

Scenario: Scheduled backup job submits messages for grading
Filter/Exclusion: message_type:backup or source:backup_service
Scenario: Admin manually grades a user submission during a review process
Filter/Exclusion: user_role:admin and action_type:manual_review
Scenario: Automated grading system processes submissions during batch job execution
Filter/Exclusion: source:grading_system or job_name:batch_grading
Scenario: User submits a message as part of a training exercise for new employees
Filter/Exclusion: submission_type:training or user_role:trainee
Scenario: Admin sends a test message to verify grading system functionality
Filter/Exclusion: message_subject:test_grading or sender:admin_test_account