Adversaries may be exploiting Teams admin submission capabilities to manipulate message visibility by submitting false negatives or positives, indicating potential abuse of administrative privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate unauthorized manipulation of Teams message compliance data.
KQL Query

```kusto
CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType), SubmissionContentType = tostring((parse_json(RawEventData)).SubmissionContentType), SubmittedBy = tostring((parse_json(RawEventData)).UserId)
| where SubmissionContentType == "ChatMessage" and SubmissionType in ("1","2","3")
| summarize count() by SubmittedBy
| project SubmittedBy, TeamsMessages = count_
| top 10 by TeamsMessages desc
```
```yaml
id: 0a29c9f0-e8d4-4339-a196-52bb3a090a79
name: Top accounts performing Teams admin submissions FN or FP
description: |
  This query visualises the top admins performing false negative or false positive admin submissions of Teams messages
description-detailed: |
  This query visualises the top admins performing false negative or false positive admin submissions of Teams messages
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "AdminSubmissionSubmitted"
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType), SubmissionContentType = tostring((parse_json(RawEventData)).SubmissionContentType), SubmittedBy = tostring((parse_json(RawEventData)).UserId)
  | where SubmissionContentType == "ChatMessage" and SubmissionType in ("1","2","3")
  | summarize count() by SubmittedBy
  | project SubmittedBy, TeamsMessages = count_
  | top 10 by TeamsMessages desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
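A top-10 list will always be headed by the busiest legitimate admins, so a useful next step is to baseline each submitter and apply the kind of exclusions described in the false-positive scenarios. The query below is an added example, not part of the original hunting query or the Sentinel repository; the allowlisted UPNs, the 30-day/24-hour windows and the spike thresholds are placeholders to tune per tenant, and it reads `RawEventData` directly because that column is already dynamic in `CloudAppEvents`.

```kql
// Added example: same filter as the hunting query, plus an automation allowlist
// and a per-account baseline so a normally quiet admin who suddenly bulk-submits
// Teams messages stands out instead of the usual high-volume compliance staff.
let lookback = 30d;
let recent = 1d;
let baselineDays = (lookback - recent) / 1d;   // 29.0 full days of history
// Placeholder identities for the scheduled compliance job and TI integration.
let knownAutomation = dynamic(["compliance-automation@example.com", "ti-integration@example.com"]);
let submissions = CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "AdminSubmissionSubmitted"
    | extend SubmissionType = tostring(RawEventData.SubmissionType),
             SubmissionContentType = tostring(RawEventData.SubmissionContentType),
             SubmittedBy = tostring(RawEventData.UserId)
    | where SubmissionContentType == "ChatMessage" and SubmissionType in ("1", "2", "3")
    | where SubmittedBy !in~ (knownAutomation);
// Average daily submissions per account over the history before the recent window.
let baseline = submissions
    | where Timestamp <= ago(recent)
    | summarize BaselineTotal = count() by SubmittedBy
    | extend BaselineDailyAvg = todouble(BaselineTotal) / baselineDays;
submissions
| where Timestamp > ago(recent)
| summarize RecentTotal = count(),
            SubmissionTypes = make_set(SubmissionType),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
  by SubmittedBy
| join kind=leftouter baseline on SubmittedBy
| extend BaselineDailyAvg = coalesce(BaselineDailyAvg, 0.0)
| extend SpikeRatio = iff(BaselineDailyAvg > 0, todouble(RecentTotal) / BaselineDailyAvg, real(null))
// Keep accounts with no submission history at all, or at least 3x their usual daily rate.
| where RecentTotal >= 5 and (BaselineDailyAvg == 0 or SpikeRatio >= 3.0)
| project SubmittedBy, RecentTotal, BaselineDailyAvg, SpikeRatio, SubmissionTypes, FirstSeen, LastSeen
| order by RecentTotal desc
```

Accounts that appear here with `BaselineDailyAvg == 0` are first-time submitters and deserve a role check before any exclusion is added.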
Scenario: Scheduled Compliance Job Submission
Description: A compliance or security team runs a scheduled job to submit Teams messages for audit or retention purposes. This is a legitimate administrative task.
Filter/Exclusion: Exclude submissions that occur during known compliance job windows or have a job_id matching scheduled compliance tasks (e.g., ComplianceJob-TeamsRetention).
Scenario: User-Initiated Message Deletion or Archiving
Description: An admin or user manually deletes or archives messages as part of routine data management or policy enforcement.
Filter/Exclusion: Exclude submissions where the action type is delete or archive, or where the user has a role like Compliance Officer or Data Custodian.
Scenario: Automated Threat Intelligence Integration
Description: A third-party threat intelligence tool automatically submits Teams messages for analysis, such as when detecting potential phishing content.
Filter/Exclusion: Exclude submissions originating from known threat intelligence tools (e.g., CrowdStrike, Microsoft Defender for Cloud) or with a specific source field indicating automated analysis.
Scenario: System-Generated Admin Activity Logs
Description: The Microsoft Teams admin center or Azure AD logs generate admin activity entries as part of normal system operations, such as when a user is added or removed from a team.
Filter/Exclusion: Exclude submissions where the action_type is log_entry or system_event, or where the user_type is system or service_principal.
Scenario: Testing or Simulation of Admin Submissions
Description: An admin performs a test or simulation of a Teams admin submission to validate a detection rule or incident response process.
Filter/Exclusion: Exclude submissions with a test_flag set to true, or where the submission_reason