Adversaries may use external senders to distribute phishing messages via Teams to compromise user credentials and spread malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential credential theft and lateral movement attempts.
KQL Query
//This query looks for the top 10 external senders sending Teams phishing messages
MessageEvents
| where IsOwnedThread==0 and IsExternalThread==1
| where ThreatTypes has "Phish"
| summarize Count = count() by SenderEmailAddress
| top 10 by Count
id: 9432f895-763d-4e9b-b9bf-680296ce6c0d
name: Top 10 External senders sending Teams phishing messages
description: |
  This query looks for the top 10 external senders sending Teams phishing messages.
description-detailed: |
  This query looks for the top 10 external senders sending Teams phishing messages.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  //This query looks for the top 10 external senders sending Teams phishing messages
  MessageEvents
  | where IsOwnedThread==0 and IsExternalThread==1
  | where ThreatTypes has "Phish"
  | summarize Count = count() by SenderEmailAddress
  | top 10 by Count
version: 1.0.0
Scenario: A system administrator is sending a scheduled report via Teams to a group of users using a legitimate external email address.
Filter/Exclusion: Exclude emails sent from known admin email addresses or those associated with internal domain aliases.
Scenario: A third-party service (e.g., Microsoft Intune or Azure AD) is sending automated notifications to Teams channels via an external email address.
Filter/Exclusion: Exclude emails from known Microsoft services or external email addresses associated with Microsoft’s internal systems.
Scenario: A scheduled backup job is configured to send a Teams message to a monitoring channel using an external email account for automation purposes.
Filter/Exclusion: Exclude emails sent from known automation or backup email accounts, or those associated with scheduled tasks.
Scenario: A user is using a personal email account (e.g., Gmail) to collaborate with external partners via Teams, and the email is sent through an external relay.
Filter/Exclusion: Exclude emails from personal email domains or those that are not associated with the organization’s internal domain.
Scenario: An internal user is using a Microsoft 365 admin account to send a Teams message to an external partner for business purposes.
Filter/Exclusion: Exclude emails sent from admin accounts or those that match known internal admin email patterns.
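The exclusions listed above, folded into the hunting query as an added example (not part of the original rule): the allowlist values are constructed placeholders to replace with your own, and the Timestamp, RecipientEmailAddress and TeamsMessageId columns are assumed to exist in MessageEvents alongside the ones the page already uses.

```kql
// Constructed allowlists for the false-positive scenarios: known automation,
// backup and admin senders, plus trusted sender domains. Placeholder values.
let KnownAutomationSenders = datatable(SenderEmailAddress:string) [
    "backup-alerts@example-partner.com",   // placeholder: backup/monitoring job
    "reports@example-vendor.com",          // placeholder: scheduled report sender
    "m365-admin@example-corp.com"          // placeholder: admin account
];
let ExcludedSenderDomains = datatable(SenderDomain:string) [
    "microsoft.com",                       // placeholder: Microsoft service notifications
    "example-corp.com"                     // placeholder: internal domain alias
];
let LookbackWindow = 7d;
MessageEvents
| where Timestamp > ago(LookbackWindow)
// Same base filter as the page's query: external, non-owned threads flagged as phish
| where IsOwnedThread == 0 and IsExternalThread == 1
| where ThreatTypes has "Phish"
// Derive the sender domain so domain-level exclusions can be applied
| extend SenderDomain = tolower(tostring(split(SenderEmailAddress, "@")[1]))
// Apply the scenario exclusions (case-insensitive match against the allowlists)
| where SenderEmailAddress !in~ (KnownAutomationSenders)
| where SenderDomain !in~ (ExcludedSenderDomains)
// Enrich the top-10 summary with blast radius and triage handles
| summarize
    Count = count(),
    DistinctRecipients = dcount(RecipientEmailAddress),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleMessageIds = make_set(TeamsMessageId, 5)
  by SenderEmailAddress, SenderDomain
| top 10 by Count desc
```

DistinctRecipients separates a single mis-sent message from a sender spraying many users, and SampleMessageIds gives the analyst message identifiers to pivot on without re-running the query.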