Adversaries may use external Teams senders to exfiltrate data or establish a command-and-control channel over Teams messages, combining this with T1562 techniques to keep the communication covert. SOC teams should proactively hunt for this behaviour to surface potential data exfiltration or C2 channels in their Azure Sentinel environment.
KQL Query
//Top 10 external senders sending Teams messages
MessageEvents
| where IsOwnedThread==0 and IsExternalThread==1
| summarize count() by SenderEmailAddress
| sort by count_ desc
| top 10 by count_
id: f143639b-24d5-4089-af92-be8eeea02822
name: Top 10 external senders sending Teams messages
description: |
  This query visualises the top 10 external senders sending Teams messages
description-detailed: |
  This query visualises the top 10 external senders sending Teams messages
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  //Top 10 external senders sending Teams messages
  MessageEvents
  | where IsOwnedThread==0 and IsExternalThread==1
  | summarize count() by SenderEmailAddress
  | sort by count_ desc
  | top 10 by count_
version: 1.0.0
Scenario: A system administrator is sending Teams messages to multiple external partners during a scheduled compliance report distribution.
Filter/Exclusion: Exclude messages sent from known admin accounts (e.g., [email protected]) or filter by sender IP address associated with internal infrastructure.
Scenario: A scheduled job is configured to send automated Teams notifications to external stakeholders (e.g., partners, vendors) for incident updates.
Filter/Exclusion: Exclude messages sent from known automation accounts (e.g., [email protected]) or filter by message content containing specific keywords like “scheduled” or “auto-notification”.
Scenario: A security analyst is using Microsoft Defender for Endpoint to communicate with external threat intelligence platforms via Teams.
Filter/Exclusion: Exclude messages from known security tool accounts (e.g., [email protected]) or filter by sender domain associated with trusted security vendors.
Scenario: A DevOps team is using Azure DevOps pipelines to send Teams messages to external developers for build status updates.
Filter/Exclusion: Exclude messages sent from service accounts used by CI/CD systems (e.g., [email protected]) or filter by message content containing “build status” or “pipeline”.
Scenario: A customer support team is using Teams to communicate with external clients during a service outage, resulting in a high volume of messages.
Filter/Exclusion: Exclude messages sent to known customer support email addresses (e.g., [email protected]) or filter by message content containing “customer support” or “outage”.
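The tuned query below is an added example, not part of the original hunting query or the Sentinel content repository. It applies the sender-based exclusions from the scenarios above (known admin, automation and CI/CD accounts, and trusted partner domains) and adds recipient and time-span context so an analyst can tell a bulk sender from a narrow, persistent channel. The addresses and domains in the allow-lists are constructed placeholders, and the `RecipientEmailAddress` column is assumed from the MessageEvents schema rather than taken from the page.

```kql
// Added example: the Top-10 external sender hunt with allow-list exclusions
// for the false-positive scenarios above. Placeholder senders and domains
// are constructed; replace them with accounts your organisation has vetted.
let lookback = 7d;
// Known admin, scheduled-notification and CI/CD service accounts (placeholders)
let knownServiceSenders = dynamic([
    "admin-placeholder@contoso.example",
    "automation-placeholder@contoso.example",
    "cicd-placeholder@contoso.example"
]);
// Vetted partner or security-vendor domains (placeholders)
let trustedPartnerDomains = dynamic([
    "partner-placeholder.example"
]);
MessageEvents
| where Timestamp > ago(lookback)
| where IsOwnedThread == 0 and IsExternalThread == 1
// Drop the vetted service, automation and admin accounts (case-insensitive)
| where SenderEmailAddress !in~ (knownServiceSenders)
// Derive the sender domain and drop vetted partner domains
| extend SenderDomain = tostring(split(SenderEmailAddress, "@")[1])
| where SenderDomain !in~ (trustedPartnerDomains)
// Count messages per sender and add context: how many distinct recipients
// (assumed column RecipientEmailAddress) and over what time span
| summarize
    MessageCount = count(),
    DistinctRecipients = dcount(RecipientEmailAddress),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by SenderEmailAddress, SenderDomain
| extend ActiveSpan = LastSeen - FirstSeen
| top 10 by MessageCount desc
```

A high MessageCount with a single recipient and a long ActiveSpan is the shape that deserves a closer look (a steady one-to-one external conversation), whereas a burst to many recipients in a short window is more typical of the support-outage or notification scenarios listed above; adjusting `lookback` and the allow-lists is how the hunt is tuned for a given tenant.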