Adversaries may use external accounts to deliver phishing links or malware through Microsoft Teams messages in order to compromise organizational accounts (MITRE ATT&CK T1566, Phishing). This query lists the external senders whose inbound Teams messages Microsoft Defender for Office 365 has tagged as spam, phish or malware over the last 30 days, ranked by message count, so SOC teams can hunt in Microsoft Sentinel (formerly Azure Sentinel) for spear-phishing or credential-theft campaigns before they succeed. The filter IsOwnedThread == 0 and IsExternalThread == 1 restricts the results to conversations not owned by the tenant that include external participants, and the ThreatTypes condition keeps only messages Defender already flagged. The data reaches the MessageEvents table through the Microsoft Defender XDR connector, so the hunt is only as good as Defender's verdicts: external senders that Defender did not flag are not shown.
KQL Query
//Top external senders sending malicious inbound Teams messages Spam, Phish, Malware
MessageEvents
| where IsOwnedThread==0 and IsExternalThread==1 and ThreatTypes !='' and Timestamp > ago(30d)
| summarize count() by SenderEmailAddress, ThreatTypes
| sort by count_ desc
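Once the base query has produced a ranked list, the next step is usually to look at what those senders actually did. The following pivot is an added example, not part of the original query: it takes the 20 most active flagged senders and returns per-sender triage detail (first and last seen, the set of threat verdicts, how many threads they touched, sample thread names). Column names that the original query does not use (ThreadId, ThreadType, ThreadName, SenderDisplayName, SenderType) are assumed from the MessageEvents schema; confirm them in the advanced hunting schema reference for your tenant before running.

```kql
// Added example, not the original query: triage detail for the senders the
// base query surfaces. ThreadId, ThreadType, ThreadName, SenderDisplayName and
// SenderType are assumed columns; verify them against your schema tab.
let lookback = 30d;
// Same population as the original query, reduced to the 20 busiest senders.
let topSenders =
    MessageEvents
    | where Timestamp > ago(lookback)
    | where IsOwnedThread == 0 and IsExternalThread == 1 and isnotempty(ThreatTypes)
    | summarize Hits = count() by SenderEmailAddress
    | top 20 by Hits desc
    | project SenderEmailAddress;
MessageEvents
| where Timestamp > ago(lookback)
| where IsOwnedThread == 0 and IsExternalThread == 1 and isnotempty(ThreatTypes)
| where SenderEmailAddress in (topSenders)
// Domain part of the sender address, useful for spotting lookalike domains
// and for grouping several throwaway accounts from one attacker tenant.
| extend SenderDomain = tolower(tostring(split(SenderEmailAddress, "@")[1]))
| summarize
    Hits        = count(),
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Threats     = make_set(ThreatTypes),
    ThreadTypes = make_set(ThreadType),
    ThreadCount = dcount(ThreadId),
    Threads     = make_set(ThreadName, 10)
    by SenderEmailAddress, SenderDomain, SenderDisplayName, SenderType
| sort by Hits desc
```

A sender with many hits spread across many threads in a short FirstSeen to LastSeen window looks like a campaign; a single long-running thread with one partner is more often a misclassified automated feed and a candidate for the tuning discussed below.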
id: 164a77d1-3952-451f-ba30-b4a43804fd8a
name: Top External malicious Senders
description: |
  Top external senders sending malicious inbound Teams messages (Spam, Phish, Malware)
description-detailed: |
  This query helps hunt for the top external senders of malicious inbound Teams messages (Spam, Phish, Malware), using Microsoft Defender for Office 365 verdicts and advanced hunting in Microsoft Defender XDR.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //Top external senders sending malicious inbound Teams messages Spam, Phish, Malware
  MessageEvents
  | where IsOwnedThread==0 and IsExternalThread==1 and ThreatTypes !='' and Timestamp > ago(30d)
  | summarize count() by SenderEmailAddress, ThreatTypes
  | sort by count_ desc
version: 1.0.0
Tuning note: the query counts only inbound Teams messages in external threads that Microsoft Defender for Office 365 has already tagged with a ThreatType (Spam, Phish or Malware). A legitimate external sender therefore appears here only when Defender misclassified its messages. Review the verdict first; if it is a false positive, handle it in Defender (report the message or allow the sender there) and only then suppress the sender in the hunt, otherwise the same noise recurs in every other Defender-driven detection. MessageEvents has no fields such as sender_type, sender_role or tool_name; exclusions must be expressed on columns the table actually carries, chiefly SenderEmailAddress and the sender domain derived from it. Common benign sources:
Scenario: Automated Job Reports from a Partner's Backup or Monitoring Tooling
Description: A partner organisation's backup or monitoring system (a Veeam job report, a Splunk or Datadog alert) is relayed into a shared chat or channel by a bot or service account. Reports full of hostnames, paths, URLs and log excerpts can look like spam or phishing to content classifiers. Backup tools such as rsync that move data directly to an archive service never produce Teams messages and do not appear in this query at all.
Filter/Exclusion: After confirming the account with the partner, exclude its SenderEmailAddress (or the partner-owned domain derived from it) in the query.
Scenario: Notifications Relayed from an External Collaboration Tool
Description: A partner's Teams or Slack integration relays ticket updates, support replies or calendar notices into a federated chat. Templated messages carrying tracking or unsubscribe links can be classified as spam. Outbound notifications from your own tenant are out of scope: the query counts only inbound messages from external senders.
Filter/Exclusion: Exclude the integration's SenderEmailAddress once its owner is verified. Do not exclude whole public or shared domains, since an attacker's tenant can send from them just as easily.
Scenario: User-Initiated File Sharing via External Cloud Storage
Description: An external contact shares files through a Google Drive or Dropbox link in a chat, or via a Teams integration for one of those services. Link-heavy messages from senders the tenant has little history with are a frequent source of phish verdicts, but the same pattern is exactly how real credential-phishing lures arrive, so verify both the link and the sender before excluding anything.
*Filter/Ex
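The exclusions described in the scenarios above, applied in KQL, as an added example that is not part of the original query: an analyst-maintained allow-list of verified external senders and partner-owned domains is held in datatable literals and removed from the result set, which otherwise follows the original query. The allow-list entries are constructed placeholders, and SenderType is an assumed MessageEvents column (drop it from the summarize clause if your schema does not have it).

```kql
// Added example, not the original query: the hunt with an analyst-maintained
// allow-list applied. Allow-list entries below are constructed placeholders.
let lookback = 30d;
// Verified external senders. Keep Reason filled in so the next analyst knows
// who verified the entry and why; review the list on a schedule.
let approvedSenders = datatable(Sender:string, Reason:string)
[
    "backup-reports@partner.example",   "Partner backup bot, confirmed with partner IT",
    "tickets@helpdesk.vendor.example",  "Vendor ticketing relay, templated notices"
];
// Whole domains belong here only when the partner owns the domain outright;
// never add shared public domains.
let approvedDomains = datatable(Domain:string)
[
    "collab.partner.example"
];
MessageEvents
| where Timestamp > ago(lookback)
| where IsOwnedThread == 0 and IsExternalThread == 1 and isnotempty(ThreatTypes)
| extend SenderDomain = tolower(tostring(split(SenderEmailAddress, "@")[1]))
// Case-insensitive exclusion of individual senders, then of partner domains.
| where SenderEmailAddress !in~ (approvedSenders | project Sender)
| where SenderDomain !in (approvedDomains)
| summarize
    Hits      = count(),
    Threats   = make_set(ThreatTypes),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp)
    by SenderEmailAddress, SenderDomain, SenderType   // SenderType: assumed column
| sort by Hits desc
```

Keeping the allow-list in the query (or in a watchlist it reads) rather than in a mental note makes the exclusion reviewable, and the Reason column records the justification; if a verified partner address later starts sending genuine phish, the history of its verdicts is still in MessageEvents because the exclusion only hides rows from this hunt.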