Adversaries may use admin accounts to submit Teams messages as false positives, suppressing detections and masking malicious activity: a compromised admin, or an insider with admin rights, can mark a phishing message as "not a threat" so that it is released and no longer investigated. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel to identify potential account compromise or insider threats. Note that the query below groups by P2Sender, the original sender of the reported message, so a high count means many of that sender's messages were waved through; the submitting admin is available from the account columns of the same CloudAppEvents rows.
KQL Query
```kql
CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
// RawEventData is a JSON string; parse it once and lift only the fields the hunt needs
| extend Raw = parse_json(RawEventData)
| extend SubmissionType = tostring(Raw.SubmissionType),
         SubmissionContentType = tostring(Raw.SubmissionContentType),
         P2Sender = tostring(Raw.P2Sender)
// ChatMessage = a Teams message; "3" is the SubmissionType value this hunt treats as
// "submitted as a false positive". tostring() makes the comparison work whether the
// field is serialised as a number or a string.
| where SubmissionContentType == "ChatMessage" and SubmissionType == "3"
// one row per original sender of the released messages, ranked by volume
| summarize TeamsMessages = count() by P2Sender
| top 10 by TeamsMessages desc
```
```yaml
id: f82f3d63-b7f2-494d-8254-612405702dd4
name: Top 10 senders of Admin Teams message submissions FP
description: |
  This query visualises Teams messages submitted by admins as false positives, summarising the data by the top 10 individual senders of those messages.
description-detailed: |
  Admin submissions (ActionType AdminSubmissionSubmitted) of Teams chat messages (SubmissionContentType ChatMessage) with SubmissionType 3, the false-positive submission, are counted per original sender (P2Sender) and the top 10 senders are returned. Use it to spot admins repeatedly releasing messages from one sender, which may indicate a compromised admin account or an insider.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "AdminSubmissionSubmitted"
  | extend Raw = parse_json(RawEventData)
  | extend SubmissionType = tostring(Raw.SubmissionType),
           SubmissionContentType = tostring(Raw.SubmissionContentType),
           P2Sender = tostring(Raw.P2Sender)
  | where SubmissionContentType == "ChatMessage" and SubmissionType == "3"
  | summarize TeamsMessages = count() by P2Sender
  | top 10 by TeamsMessages desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and the CloudAppEvents table is being ingested |
Benign scenarios that can inflate the counts, with a suggested filter or exclusion for each:

- **Scenario:** Admins using Microsoft Teams to send messages during routine user onboarding or account provisioning tasks.
  **Filter/Exclusion:** Exclude messages sent by users with the "User Admin" or "Global Admin" role, or filter by Teams message content containing keywords like "onboarding", "provisioning", or "user creation".
- **Scenario:** Scheduled backup jobs or system maintenance scripts that generate log messages in Microsoft Teams for monitoring purposes.
  **Filter/Exclusion:** Exclude messages sent by service accounts or automation tools like PowerShell, Azure Automation, or Logic Apps, or filter by message source IP or sender identity.
- **Scenario:** Security team collaboration in Microsoft Teams where admins share incident reports or threat intelligence with other teams.
  **Filter/Exclusion:** Exclude messages from security team channels or specific teams like "Security Operations" or "Incident Response", or filter by message sender group membership.
- **Scenario:** Automated alerting systems (e.g., Microsoft Sentinel, SIEM tools) sending notifications to Teams for operational alerts or system health checks.
  **Filter/Exclusion:** Exclude messages from SIEM alert sources or automation bots like Microsoft Sentinel Alerting, Splunk, or ELK Stack, or filter by message content containing "alert", "notification", or "system health".
- **Scenario:** Internal knowledge base or documentation sharing via Microsoft Teams where admins post standard operating procedures (SOPs) or technical guides.
  **Filter/Exclusion:** Exclude messages from knowledge base channels or specific teams like "IT Documentation" or "Admin Guides", or filter by **message