The hypothesis is that adversaries are targeting high-value users through phishing messages in Teams to gain initial access and exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise early in the attack lifecycle.
KQL Query
//Top 10 attacked users by Phish messages from external senders using Teams. Replace contoso.com with your own recipient domain.
MessageEvents
| where ThreatTypes has 'Phish' and IsOwnedThread==0 and IsExternalThread==1
| mv-expand Recipients = RecipientDetails
| extend RecipientEmailAddress = Recipients.RecipientSmtpAddress, RecipientDisplayName = Recipients.RecipientDisplayName, RecipientObjectId = Recipients.RecipientObjectId, RecipientType = Recipients.RecipientType
| where RecipientEmailAddress contains ('contoso.com')
| summarize count() by tostring(RecipientEmailAddress)
| sort by count_
| top 10 by count_
id: e6cbca08-b041-4f5d-9f82-f803319ee050
name: Top 10 attacked users by Phish messages
description: |
  Top 10 attacked users by Phish messages from external senders using Teams
description-detailed: |
  Top 10 attacked users by Phish messages from external senders using Teams. Replace contoso.com with your own recipient domain.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //Top 10 attacked users by Phish messages from external senders using Teams. Replace contoso.com with your own recipient domain.
  MessageEvents
  | where ThreatTypes has 'Phish' and IsOwnedThread==0 and IsExternalThread==1
  | mv-expand Recipients = RecipientDetails
  | extend RecipientEmailAddress = Recipients.RecipientSmtpAddress, RecipientDisplayName = Recipients.RecipientDisplayName, RecipientObjectId = Recipients.RecipientObjectId, RecipientType = Recipients.RecipientType
  | where RecipientEmailAddress contains ('contoso.com')
  | summarize count() by tostring(RecipientEmailAddress)
  | sort by count_
  | top 10 by count_
version: 1.0.0
Scenario: A system administrator sends a phishing simulation message via Microsoft Teams to test user awareness.
Filter/Exclusion: Exclude messages from the @contoso.com domain where the sender is a known internal admin (e.g., [email protected]) and the subject line labels the message as a “phishing test”.
Scenario: A scheduled job runs a PowerShell script that sends automated reports to multiple users via Teams, which resembles phishing behavior.
Filter/Exclusion: Exclude messages sent from the service account [email protected] whose body contains the string "Automated Report - Do Not Respond".
Scenario: An IT helpdesk team uses Microsoft Teams to send password reset instructions to users, which may be flagged as phishing.
Filter/Exclusion: Exclude messages from the helpdesk team’s service account [email protected] whose subject line contains the phrase "Password Reset Instructions".
Scenario: A user receives a legitimate Teams message from an external partner that includes a link to a shared document, and the message is mistakenly flagged as phishing.
Filter/Exclusion: Exclude messages from trusted external domains (e.g., @partner.com) whose body contains the phrase "Shared Document - Please Review".
Scenario: A user receives a Teams message from an internal user as part of a scheduled collaboration, but the message is misclassified as phishing because it contains a link.
Filter/Exclusion: Exclude messages from internal senders in the @contoso.com domain where the sender is listed in a trusted collaboration group (e.g., @[email protected]).
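The following is an added example, not part of the original hunting query or of Microsoft's Sentinel content: it takes the hunt above and applies the sender, domain and subject exclusions from the scenarios as allowlists, so the same logic covers both the base query and the false-positive handling. It runs over a constructed datatable that stands in for MessageEvents, so it can be tried in any Kusto endpoint before being pointed at tenant data. The SenderEmailAddress and Subject columns are assumed from the MessageEvents schema (check them in your tenant), the allowlist values are placeholders, and the recipient-domain match uses endswith on "@contoso.com" instead of contains 'contoso.com' because contains would also count look-alike recipients such as user@contoso.com.evil.example.

```kql
// Added example (not from the original hunting query): the Teams phishing hunt with the
// false-positive exclusions applied, run over constructed sample rows.
// SenderEmailAddress and Subject are assumed from the MessageEvents schema; the
// allowlists below are placeholders to replace with your own values.
let RecipientDomain = "contoso.com";
let TrustedSenders = dynamic(["helpdesk-svc@contoso.com", "reports-svc@contoso.com"]);  // constructed placeholders
let TrustedExternalDomains = dynamic(["partner.com"]);                                   // constructed placeholder
let BenignSubjectPhrases = dynamic(["phishing test", "Automated Report - Do Not Respond",
                                    "Password Reset Instructions", "Shared Document - Please Review"]);
// Constructed stand-in for MessageEvents; replace with the real table to hunt in tenant data.
let SampleMessageEvents = datatable(
    Timestamp:datetime, SenderEmailAddress:string, Subject:string, ThreatTypes:string,
    IsOwnedThread:bool, IsExternalThread:bool, RecipientDetails:dynamic)
[
    datetime(2024-05-01T09:00:00Z), "billing@evil.example",     "Invoice overdue",                 "Phish", false, true,
        dynamic([{"RecipientSmtpAddress":"alice@contoso.com"}, {"RecipientSmtpAddress":"eve@fabrikam.com"}]),
    datetime(2024-05-01T09:05:00Z), "billing@evil.example",     "Invoice overdue - final notice",  "Phish", false, true,
        dynamic([{"RecipientSmtpAddress":"alice@contoso.com"}]),
    datetime(2024-05-01T09:10:00Z), "it-desk@evil.example",     "Your mailbox is full",            "Phish", false, true,
        dynamic([{"RecipientSmtpAddress":"bob@contoso.com"}, {"RecipientSmtpAddress":"dave@contoso.com.evil.example"}]),
    datetime(2024-05-01T10:00:00Z), "docs@partner.com",         "Shared Document - Please Review", "Phish", false, true,
        dynamic([{"RecipientSmtpAddress":"bob@contoso.com"}]),
    datetime(2024-05-01T11:00:00Z), "helpdesk-svc@contoso.com", "Password Reset Instructions",     "Phish", false, true,
        dynamic([{"RecipientSmtpAddress":"carol@contoso.com"}]),
    datetime(2024-05-01T12:00:00Z), "news@external.example",    "Weekly newsletter",               "Spam",  false, true,
        dynamic([{"RecipientSmtpAddress":"carol@contoso.com"}])
];
SampleMessageEvents
| where ThreatTypes has "Phish" and IsOwnedThread == false and IsExternalThread == true
// Exclusions from the false-positive scenarios: known sending accounts, trusted partner
// domains, and subjects used by simulations, scheduled jobs and helpdesk notices.
| where not(SenderEmailAddress in~ (TrustedSenders))
| extend SenderDomain = tolower(tostring(split(SenderEmailAddress, "@")[1]))
| where not(SenderDomain in (TrustedExternalDomains))
| where not(Subject has_any (BenignSubjectPhrases))
| mv-expand Recipient = RecipientDetails
| extend RecipientEmailAddress = tolower(tostring(Recipient.RecipientSmtpAddress))
// Match on "@domain" with endswith rather than contains "domain": contains would also
// count look-alike recipients such as dave@contoso.com.evil.example.
| where RecipientEmailAddress endswith strcat("@", RecipientDomain)
| summarize PhishCount = count(), Senders = make_set(SenderEmailAddress, 10),
            SampleSubjects = make_set(Subject, 5) by RecipientEmailAddress
| top 10 by PhishCount desc
```

On the constructed rows the result is alice@contoso.com with 2 and bob@contoso.com with 1: the partner and helpdesk rows drop out on the domain and subject allowlists, the Spam row never passes the ThreatTypes filter, and eve@fabrikam.com and the look-alike dave@ address fail the recipient-domain check. Keeping the sender set and sample subjects per recipient lets an analyst see at a glance whether a top-ranked user is being hit by one persistent sender or several, which the plain count alone does not show.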