External users messaging internal Teams users may indicate adversarial reconnaissance or data exfiltration; MITRE ATT&CK T1566 highlights the use of communication tools to establish persistent access. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify potential lateral movement or data theft attempts.
KQL Query
// This query uses MessageEvents to detect communication from suspicious external "Help Desk" / "Support" representatives.
// Note: KQL 'contains' is a case-insensitive substring match, so short tokens such as "it" will also match
// inside unrelated names (e.g. "Smith"); review the SenderDisplayName column when triaging results.
MessageEvents
| where Timestamp > ago(30d)
| where (SenderDisplayName contains "help" and SenderDisplayName contains "desk")
    or (SenderDisplayName contains "it" and SenderDisplayName contains "support")
    or (SenderDisplayName contains "working" and SenderDisplayName contains "home")
| where IsExternalThread == true
| project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType
id: 1fbd2430-2dfe-421a-82b3-eabec5a0b38e
name: Teams communication from suspicious external users
description: |
  This query helps hunt for communication from suspicious external users.
description-detailed: |
  This query helps hunt for Teams communication from suspicious external users using Microsoft Defender for Office 365 and Advanced Hunting in Microsoft Defender XDR.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // This query uses MessageEvents to detect communication from suspicious external "Help Desk" / "Support" representatives.
  // Note: 'contains' is a case-insensitive substring match; the "it" token also matches inside names such as "Smith".
  MessageEvents
  | where Timestamp > ago(30d)
  | where (SenderDisplayName contains "help" and SenderDisplayName contains "desk")
      or (SenderDisplayName contains "it" and SenderDisplayName contains "support")
      or (SenderDisplayName contains "working" and SenderDisplayName contains "home")
  | where IsExternalThread == true
  | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType
version: 1.0.0
Scenario: Scheduled backup job communicating with external storage service
Description: A legitimate scheduled backup job uses a Teams bot or service account to communicate with an external cloud storage service (e.g., Azure Blob Storage) for data transfer.
Filter/Exclusion: Exclude communication from known backup service accounts or IP ranges used by backup tools like Veeam, Acronis, or Azure Backup.
Scenario: Admin task using Teams for internal collaboration with external partners
Description: An IT admin or security team member uses a Teams channel to communicate with a trusted external partner (e.g., a vendor or legal team) for internal collaboration.
Filter/Exclusion: Exclude communication from admin accounts or users with “Admin” in their username or role, or from known partner domains.
Scenario: Automated monitoring tool sending alerts via Teams webhook
Description: A security monitoring tool (e.g., Splunk, ELK, or SIEM) uses a Teams webhook to send alerts to a dedicated channel.
Filter/Exclusion: Exclude communication from known SIEM or monitoring tool service accounts or webhooks associated with alerting systems.
Scenario: Internal user sharing files with external team members via Teams
Description: A legitimate internal user shares files with a trusted external team member (e.g., a consultant or client) via a Teams chat or file share.
Filter/Exclusion: Exclude communication with users from pre-approved external domains or users with “External” in their user ID or email domain.
Scenario: Integration with third-party service using Teams for API communication
Description: A company’s internal application integrates with a third-party service (e.g., Salesforce, ServiceNow) using a Teams bot or API endpoint for data synchronization.
Filter/Exclusion: Exclude communication from known integration service accounts or endpoints associated with third-party SaaS tools.
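The following is an added example, not part of the original hunting query: it folds the exclusions described in the scenarios above (approved partner domains, backup/SIEM/integration service accounts) into the hunt and replaces bare substring matching with word-boundary regexes so that "it" no longer fires on names like "Smith". The domain and account lists are constructed placeholders to be replaced with your own allow-lists.

```kusto
// Added example: tuned version of the hunt with false-positive exclusions applied.
// approved_external_domains / service_senders are constructed placeholders.
let lookback = 30d;
let approved_external_domains = dynamic(["partner.example", "consultancy.example"]);
let service_senders = dynamic(["backup-bot@example.com", "siem-alerts@example.com"]);
MessageEvents
| where Timestamp > ago(lookback)
| where IsExternalThread == true
// \b word boundaries avoid matching "it" inside unrelated display names
| where SenderDisplayName matches regex @"(?i)\bhelp\s*desk\b"
    or SenderDisplayName matches regex @"(?i)\bit\b.*\bsupport\b"
    or SenderDisplayName matches regex @"(?i)\bworking\b.*\bhome\b"
// Derive the sender's domain so pre-approved partner domains can be excluded
| extend SenderDomain = tolower(tostring(split(SenderEmailAddress, "@")[1]))
| where SenderDomain !in (approved_external_domains)
| where tolower(SenderEmailAddress) !in (service_senders)
// Aggregate per external sender so a persistent impersonator stands out
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Messages = count(),
    ThreadTypes = make_set(ThreadType), Recipients = make_set(RecipientDetails)
    by SenderDisplayName, SenderEmailAddress, SenderDomain
| order by Messages desc
```

Run it in Advanced Hunting against the same MessageEvents table; a sender that survives the exclusions and still matches the impersonation patterns is the one worth opening an investigation on.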