Adversaries may use specific sender accounts in Teams to communicate within threads, leveraging T1566 to exfiltrate data or coordinate attacks. SOC teams should proactively hunt for this behavior to identify potential lateral movement or command and control activities in their Azure Sentinel environment.
KQL Query
//This query gets the count of messages from a sender across all types of conversations
let Sender = "[email protected]";
MessageEvents
| where SenderEmailAddress == Sender
| summarize Count = count() by ThreadType
id: 0bb4d681-5aa5-414e-b512-42a682ce5117
name: Teams messages from a specific sender by ThreadType
description: |
This query helps hunt for Teams messages from a specific sender by ThreadType.
description-detailed: |
This query helps hunt for Teams messages from a specific sender by ThreadType, using Microsoft Defender for Office 365 and Advance hunting in Microsoft Defender XDR
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- MessageEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//This query gets the count of messages from a sender across all types of conversations
let Sender = "[email protected]";
MessageEvents
| where SenderEmailAddress == Sender
| summarize Count = count() by ThreadType
version: 1.0.0Scenario: Scheduled Backup Job Sending Messages to a Team Channel
Description: A scheduled backup job uses Microsoft Teams integration to send status updates to a team channel.
Filter/Exclusion: Exclude messages sent by the backup service account (e.g., userPrincipalName like [email protected]) or use a filter on sender field to exclude known backup accounts.
Scenario: Admin Task to Archive Old Threads
Description: An admin runs a script or uses the Microsoft Teams admin center to archive old messages in a thread.
Filter/Exclusion: Exclude messages where the sender is an admin account (e.g., userPrincipalName like [email protected]) or use a filter on sender field to exclude admin accounts.
Scenario: Automated Reporting Tool Sending Messages to a Shared Channel
Description: A reporting tool (e.g., Power BI, Azure DevOps) sends automated reports to a shared Teams channel.
Filter/Exclusion: Exclude messages sent by the reporting tool’s service account (e.g., [email protected]) or use a filter on sender field to exclude known reporting tools.
Scenario: User-Initiated Message Thread with ThreadType Set by Default
Description: A user starts a message thread in Teams, and the ThreadType is automatically set to a specific value (e.g., private) by default.
Filter/Exclusion: Exclude messages where the sender is a regular user and the ThreadType is not explicitly set by the sender, or use a filter on ThreadType to exclude default values.
Scenario: Integration with Third-Party App Sending Messages in a Thread
Description: A third-party app (e.g., ServiceNow, Zendesk) sends messages to a Teams channel as part of its integration.
*