Attack chain<\/h2>\n![\"Diagram](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/10\/Teams-threats-attack-chain.webp\")
Figure 1. Attack techniques that abuse Teams along the attack chain<\/figcaption><\/figure>\nReconnaissance<\/h3>\n
Every Teams user account is backed by a Microsoft Entra ID identity<\/a>. Each team member is an Entra ID object<\/a>, and a team is a collection of channel objects. Teams may be configured for the cloud or a hybrid environment and supports multi-tenant organizations (MTO)<\/a> and cross-tenant<\/a> communication and collaboration. There are anonymous<\/a> participants, guests<\/a>, and external access<\/a> users. From an API perspective, Teams is an object type that can be queried and stored in a local database for reconnaissance by enumerating directory objects, and mapping relationships and privileges. For example, federation tenant configuration<\/a> indicates whether the tenant allows external communication and can be inferred from the API response queries reflecting the effective tenant federation policy.<\/p>\nWhile not unique to Teams, there are open-source frameworks that can specifically be leveraged to enumerate less secure users, groups, and tenants in Teams (mostly by repurposing the Microsoft Graph API<\/a> or gathering DNS), including ROADtools, TeamFiltration, TeamsEnum<\/a>, and MSFT-Recon-RS<\/a>. These tools facilitate enumerating teams, members of teams and channels, tenant IDs and enabled domains, as well as permissiveness for communicating with external organizations and other properties, like presence. Presence<\/a> indicates a user\u2019s current availability and status outside the organization if Privacy mode is not enabled, which could then be exploited if the admin has not disabled<\/a> external meetings and chat with people and organizations outside the organization (or at least limited it to specified external domains).<\/p>\nMany open-source tools are modular Python packages including reusable libraries and classes that can be directly imported or extended to support custom classes, meaning they are also interoperable with other custom open-source reconnaissance and discovery frameworks designed to identify potential misconfigurations.<\/p>\n
Resource development<\/h3>\n
Microsoft continuously enhances protections against fraudulent Microsoft Entra ID Workforce tenants and the abuse of free tenants and trial subscriptions. As these defenses grow stronger, threat actors are forced to invest significantly more resources in their attempts to impersonate trusted users, demonstrating the effectiveness of our layered security approach. . This includes threat actors trying to compromise weakly configured legitimate tenants, or even actually purchasing legitimate ones if they have confidence they could ultimately profit. It should come as no surprise that if they can build a persona for social engineering, they will take advantage of the same resources as legitimate organizations, including custom domains<\/a> and branding<\/a>, especially if it can lend credibility to impersonating internal help desk, admin, or IT support, which could then be used as a convincing pretext to compromise targets through chat messaging and phone calls. Sophisticated threat actors try to use the very same resources used by trustworthy organizations, such as acquiring multiple tenants for staging development or running separate operations across regions, and using everyday Teams features like scheduling private meetings through chat, and audio, video and screen-sharing capabilities for productivity.<\/p>\nInitial access<\/h3>\n
Tech support scams remain a generally popular pretext for delivery of malicious remote monitoring and management<\/a> (RMM) tools and information-stealing malware, leading<\/a> to credential theft, extortion, and ransomware<\/a>. There are always new variants to bypass security awareness defenses, such as the rise in email bombing<\/a> to create a sense of stress and urgency to restore normalcy. In 2024, for instance, Storm-1811 impersonated tech support, claiming to be addressing junk email issues that it had initiated. They used RMM tools to deliver the ReedBed malware loader of ransomware payloads and remote command execution. Meanwhile, Midnight Blizard has successfully impersonated security and technical support teams to get targets to verify their identities under the pretext of protecting their accounts by entering authentication codes that complete the authentication flow for breaking into the accounts.<\/p>\nSimilarly in May, Sophos identified<\/a> a 3AM ransomware (believed to be a rebranding of BlackSuit<\/a>) affiliate adopting techniques from Storm-1811<\/a>, including flooding employees with unwanted emails followed by voice and video calls on Teams impersonating help desk personnel, claiming they needed remote access to stop the flood of junk emails. The threat actor reportedly spoofed the IT organization\u2019s phone number.<\/p>\nWith threat actors leveraging deepfakes<\/a>, perceived authority helps make this kind of social engineering even more effective. Threat actors seeking to spoof automated workflow notifications and interactions can naturally extend to spoofing legitimate bots and agents as they gain more traction, as threat actors are turning to language models to facilitate their objectives.<\/p>\nPrevalent threat actors associated with ransomware campaigns, including the access broker tracked as Storm-1674 have used sophisticated red teaming tools, like TeamsPhisher<\/a>, to distribute DarkGate malware and other malicious payloads over Teams. In December 2024, for example, Trend Micro reported<\/a> an incident in which a threat actor impersonated a client during a Teams call to persuade a target to install AnyDesk. Remote access was reportedly then used also to deploy DarkGate. Threat actors may also just use Teams to gain initial access through drive-by-compromise activity to direct users to malicious websites.<\/p>\nWidely available admin tools, including AADInternals<\/a>, could be leveraged to deliver malicious links and payloads directly into Teams. Teams branding (like any communications brand asset) makes for effective bait, and has been used by adversary-in-the-middle (AiTM) actors like Storm-00485<\/a>. Threat actors could place malicious advertisements in search results for a spoofed app like Teams to misdirect users to a download site hosting credential-stealing malware. In July 2025, for instance, Malwarebytes reported<\/a> observing a malvertising campaign delivering credential-stealing malware through a fake Microsoft Teams for Mac installer.<\/p>\nWhether it is a core app that is part of Teams, an app created by Microsoft, a partner app validated by Microsoft, or a custom app created by your own organization\u2014no matter how secure an app\u2014they could still be spoofed to gain a foothold in a network. And similar to leveraging a trusted brand like Teams, threat actors will also continue to try and take advantage of trusted relationships as well to gain Teams access, whether leveraging an account with access or abusing delegated administrator relationships to reach a target environment.<\/p>\n
Persistence<\/h3>\n
Threat actors employ a variety of persistence techniques to maintain access to target systems\u2014even after defenders attempt to regain control. These methods include abusing shortcuts in the Startup folder to execute malicious tools, or exploiting accessibility features like Sticky Keys (as seen in this ransomware case study<\/a>). Threat actors could try to create guest users in target tenants or add their own credentials to a Teams account to maintain access.<\/p>\nPart of the reason device code phishing has been used to access target accounts is that it could enable persistent access for as long as the tokens remain valid. In February, Microsoft reported<\/a> that Storm-2372 had been capturing authentication tokens by exploiting device code authentication flows, partially by masquerading as Microsoft Teams meeting invitations and initiating Teams chats to build rapport, so that when the targets were prompted to authenticate, they would use Storm-2372-generated device codes, enabling Storm-2372 to steal the authenticated sessions from the valid access tokens.<\/p>\nTeams phishing lures themselves can sometimes be a disguised attempt to help threat actors maintain persistence. For example, in July 2025, the financially motivated Storm-0324 most likely relied on TeamsPhisher to send Teams phishing lures to deliver a custom malware JSSloader for the ransomware operator Sangria Tempest to use as an access vector to maintain a foothold.<\/p>\n
Execution<\/h3>\n
Apart from admin accounts, which are an attractive target because they come with elevated privileges, threat actors try and trick everyday Teams users into clicking links or opening files that lead to malicious code execution, just like through email.<\/p>\n
Privilege escalation<\/h3>\n
If threat actors successfully compromise accounts or register actor-controlled devices, they often times try to change permission groups to escalate privileges. <\/strong>If a threat actor successfully compromises a Teams admin role, this could lead to abuse of the permissions to use the admin tools that belong to that role.<\/p>\nCredential access<\/h3>\n
With a valid refresh token, actors can impersonate users through Teams APIs. There is no shortage of administrator tools that can be maliciously repurposed, such as AADInternals, to intercept access to tokens with custom phishing flows. Tools like TeamFiltration could be leveraged just like for any other Microsoft 365 service for targeting Teams. If credentials are compromised through password spraying, threat actors use tools like this to request OAuth tokens for Teams and other services. Threat actors continue to try and bypass multifactor authentication (MFA) by repeatedly generating authentication prompts until someone accepts by mistake, and try to compromise MFA by adding alternate phone numbers or intercepting SMS-based codes.<\/p>\n
For instance, the financially motivated threat actor Octo Tempest<\/a> uses aggressive social engineering, including over Teams, to take control of MFA for privileged accounts. They consistently socially engineer help desk personnel, targeting federated identity providers using tools like AADInternals to federate existing domains, or spoof legitimate domains by adding and then federating new domains to forge tokens.<\/p>\nDiscovery<\/h3>\n
To refine targeting, threat actors analyze Teams configuration data from API responses, enumerate Teams apps if they obtain unauthorized access, and search for valuable files and directories by leveraging toolkits for contextualizing potential attack paths. For instance, Void Blizzard<\/a> has used AzureHound to enumerate a compromised organization\u2019s Microsoft Entra ID configuration and gather details on users, roles, groups, applications, and devices. In a small number of compromises, the threat actor accessed Teams conversations and messages through the web client. AADInternals can also be used to discover Teams group structures and permissions.<\/p>\nThe state-sponsored actor Peach Sandstorm has delivered malicious ZIP files<\/a> through Teams, then used AD Explorer<\/a> to take snapshots of on-premises Active Directory database and related files.<\/p>\nLateral movement<\/h3>\n
A threat actor that manages to obtain Teams admin access (whether directly or indirectly by purchasing an admin account through a rogue online marketplace) could potentially leverage external communication settings and enable trust relationships between organizations to move laterally. In late 2024, in a campaign dubbed VEILdrive<\/a> <\/em>by Hunters\u2019 Team AXON, the financially motivated cybercriminal threat actors Sangria Tempest and Storm-1674 used previously compromised accounts to impersonate IT personnel and convince a user in another organization through Teams to accept a chat request and grant access through a remote connection.<\/p>\nCollection<\/h3>\n
Threat actors often target Teams to try and collect information from it that could help them to accomplish their objectives, such as to discover collaboration channels or high-privileged accounts. They could try to mine Teams for any information perceived as useful in furtherance of their objectives, including pivoting from a compromised account to data accessible to that user from OneDrive or SharePoint. AADInternals can be used to collect sensitive chat data and user profiles. Post-compromise, GraphRunner<\/a> can leverage the Microsoft Graph API to search all chats and channels and export Teams conversations.<\/p>\nCommand and control<\/h3>\n
Threat actors attempt to deliver malware through file attachments in Teams chats or channels. A cracked version of Brute Ratel C4 (BRc4) includes features to establish C2 channels with platforms like Microsoft Teams by using their communications protocols to send and receive commands and data.<\/p>\n
Post-compromise, threat actors can use red teaming tool ConvoC2<\/a> to send commands through Microsoft Teams messages using the Adaptive Card<\/a> framework to embed data in hidden span tags and then exfiltrate using webhooks. But threat actors can also use legitimate remote access tools to try and establish interactive C2 through Teams.<\/p>\nExfiltration<\/h3>\n
Threat actors may use Teams messages or shared links to direct data exfiltration to cloud storage under their control. Tools like TeamFiltration include an exfiltration module that rely on a valid access token to then extract recent contacts and download chats and files through OneDrive or SharePoint.<\/p>\n
Impact<\/h3>\n
Threat actors try to use Teams messages to support financial theft through extortion, social engineering, or technical means.<\/p>\n
Octo Tempest has used communication apps, including Teams to send taunting and threatening messages to organizations, defenders, and incident response teams as part of extortion and ransomware payment pressure tactics. After gaining control of MFA through social engineering password resets, they sign in to Teams to identify sensitive information supporting their financially motivated operations.<\/p>\n
Mitigation and protection guidance<\/h2>\nStrengthen identity protection<\/h3>\nHarden endpoint security<\/h3>\n\n- Use configuration analyzer<\/a> to strengthen security posture. Identify and remediate security policies that are less secure than the Standard or Strict protection profiles in preset security policies<\/a>.<\/li>\n
- Keep Teams clients, browsers, OS, and dependencies updated<\/a>.<\/li>\n
- Enable network protection<\/a> and web protection capability<\/a> in Defender for Endpoint.<\/li>\n
- Enable cloud-delivered protection<\/a> in Defender Antivirus. Cloud-delivered protection enables sharing detection status between Microsoft 365 and Defender for Endpoint. Real-time protection blocking<\/a>, including on-access scanning, is not availablewhen Defender Antivirus is running only in passive mode. You can turn on endpoint detection and response (EDR) in block mode<\/a> even if Defender Antivirus isn\u2019t your primary antivirus solution. EDR in block mode detects and remediates malicious items on the device post-breach.<\/li>\n
- Protect security settings from being disabled or changed with tamper protection<\/a>.<\/li>\n
- Require device compliance policies with Conditional Access<\/a>. Enhance conditional access, to the extent available, with real-time enforcement through Continuous Access Evaluation (CAE)<\/a>, so that user session revocation is enforced in near-real time. Teams is supported as a cloud app in Microsoft Entra, so that conditional access policies apply<\/a> when a user signs in. The Teams desktop application supports AppLocker<\/a>, but we recommend using App Control<\/a>, if feasible. Use Defender for Endpoint to enforce device compliance with Microsoft Intune<\/a>.<\/li>\n
- If your organization utilizes another remote support tool such as Remote Help<\/a>, disable or remove Quick Assist as a best practice, if it isn\u2019t used within your environment.<\/li>\n
- Understand and use attack surface reduction<\/a> capabilities in your environment to prevent common techniques used in combination with Teams threat activity as part of your first line of defense. <\/li>\n<\/ul>\n
Secure Teams clients and apps<\/h3>\n
Implementing some of these recommendations will require Teams Administrator permissions<\/a>.<\/p>\nProtect sensitive data<\/strong><\/p>\nRaise awareness<\/strong><\/p>\n\n- Get started using attack simulation training<\/a>. The Teams attack simulation training<\/a> is currently in private preview. Build organizational resilience by raising awareness of QR code phishing, deepfakes including voice, and about protecting your organization from tech support<\/a> and ClickFix<\/a> scams.<\/li>\n
- Train developers to follow best practices<\/a> when working with the Microsoft Graph API. Apply these practices when detecting, defending against, and responding to malicious techniques targeting Teams. <\/li>\n
- Learn more<\/a> about some of the frequent initial access threats impacting SharePoint servers. SharePoint is a front end<\/a> for Microsoft Teams and an attractive target.<\/li>\n<\/ul>\n
Configure detection and response<\/strong><\/p>\n\n- Verify the auditing status<\/a> of your organization in Microsoft Purview to make sure you can investigate incidents. In Threat Explorer, Content malware includes files detected by Safe Attachments for Teams, and URL clicks<\/em> include all user clicks in Teams.<\/li>\n
- Customize<\/a> how users report malicious messages, and then view and triage<\/a> them.\n
\n- If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on in the Defender portal. We encourage you to submit user reported Teams messages to Microsoft here<\/a>.<\/li>\n<\/ul>\n<\/li>\n
- Search the audit log<\/a> for events in Teams.\n
\n- Refer to the table<\/a> listing the Microsoft Teams activities logged in the Microsoft 365 audit log. With the Office 365 Management Activity API<\/a>, you can retrieve information about user, admin, system, and policy actions and events including from Entra activity logs.<\/li>\n<\/ul>\n<\/li>\n
- Familiarize yourself with relevant advanced hunting schema and available tables.\n
\n- Advanced hunting supports guided<\/a> and advanced<\/a> modes. You can use the advanced hunting queries in the advanced hunting section to hunt with these tables for Teams-related threats.<\/li>\n<\/ul>\n
\n- Several tables covering Teams-related threats are available in preview and populated by Defender for Office 365, including MessageEvents<\/a>, MessagePostDeliveryEvents<\/a>, MessageUrlInfo<\/a>, and UrlClickEvents<\/a>. These tables provide visibility into ZAP events and URLs in Teams messages, including allowed or blocked URL clicks in Teams clients. You can join these tables with others to gain more comprehensive insight into the progression of the attack chain and end-to-end threat activity. <\/li>\n<\/ul>\n<\/li>\n
- Connect<\/a> Microsoft 365 to Microsoft Defender for Cloud Apps.\n
\n- To hunt for Teams messages without URLs, use the CloudAppEvents<\/a> table, populated by Defender for Cloud Apps. This table also includes chat monitoring events, meeting and Teams call tracking, and behavioral analytics. To make sure advanced hunting tables are populated by Defender for Cloud Apps data, go to the Defender portal and select Settings > Cloud apps > App connectors. Then, in the Select Microsoft 365 components page, select the Microsoft 365 activities checkbox. Control Microsoft 365 with built-in policies and policy templates<\/a> to detect and notify you about potential threats.<\/li>\n<\/ul>\n<\/li>\n
- Create Defender for Cloud Apps threat detection policies<\/a>.\n
\n- Many of the detection types enabled by default apply to Teams and do not require custom policy creation, including sign-ins from geographically distant locations in a short time, access from a country not previously associated with a user, unexpected admin actions, mass downloads, activity from anonymous IP addresses, or from a device flagged as malware-infected by Defender for Endpoint, as well as Oauth app abuse (when app governance is turned on<\/a>).<\/li>\n<\/ul>\n
\n- Defender for Cloud Apps enables you to identify high-risk use and cloud security issues, detect abnormal user behavior, and prevent threats in your sanctioned cloud apps. You can integrate<\/a> Defender for Cloud Apps with Microsoft Sentinel (preview) or use the supported APIs<\/a>.<\/li>\n<\/ul>\n<\/li>\n
- Detect and remediate illicit consent grants<\/a> in Microsoft 365. <\/li>\n
- Discover and enable the Microsoft Sentinel data lake<\/a> in Defender XDR. Sentinel data lake brings together security logs from data sources like Microsoft Defender and Microsoft Sentinel, Microsoft 365, Microsoft Entra ID, Purview, Intune, Microsoft Resource Graph, firewall and network logs, identity and access logs, DNS, plus sources from hundreds of connectors and solutions, including Microsoft Defender Threat Intelligence<\/a>. Advanced hunting KQL queries<\/a> can be run directly on the data lake. You can analyze the data using Jupyter notebooks<\/a>.<\/li>\n<\/ul>\n
Microsoft Defender detections<\/h2>\n
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender<\/a> to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.<\/p>\nMicrosoft Defender XDR<\/h3>\n
The following alerts might indicate threat activity associated with this threat.<\/p>\n
\n- Malicious sign in from a risky IP address<\/li>\n
- Malicious sign in from an unusual user agent<\/li>\n
- Account compromised following a password-spray attack<\/li>\n
- Compromised user account identified in Password Spray activity<\/li>\n
- Successful authentication after password spray attack<\/li>\n
- Password Spray detected via suspicious Teams client (TeamFiltration)<\/li>\n<\/ul>\n
Microsoft Entra ID Protection<\/h3>\n
Any type of sign-in and user risk detection<\/a> might also indicate threat activity associated with this threat. An example is listed below. These alerts, however, can be triggered by unrelated threat activity.<\/p>\n\n- Impossible travel<\/li>\n
- Anomalous Microsoft Teams login from web client<\/li>\n<\/ul>\n
Microsoft Defender for Endpoint<\/h3>\n
The following alerts might indicate threat activity associated with this threat.<\/p>\n
\n- Suspicious module loaded using Microsoft Teams<\/li>\n<\/ul>\n
The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.<\/p>\n
\n- Suspicious usage of remote management software<\/li>\n<\/ul>\n
Microsoft Defender for Office 365<\/h3>\n
The following alerts might indicate threat activity associated with this threat.<\/p>\n
\n- Malicious link shared in Teams chat<\/li>\n
- User clicked a malicious link in Teams chat<\/li>\n<\/ul>\n
When Microsoft Defender for Cloud Apps is enabled, the following alert might indicate threat activity associated with this threat.<\/p>\n
\n- Potentially Malicious IT Support Teams impersonation post mail bombing<\/li>\n<\/ul>\n
The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.<\/p>\n
\n- A potentially malicious URL click was detected<\/li>\n
- Possible AiTM phishing attempt<\/li>\n<\/ul>\n
Microsoft Defender for Identity<\/h3>\n
The following Microsoft Defender for Identity alerts can indicate associated threat activity:<\/p>\n
\n- Account enumeration reconnaissance<\/li>\n
- Suspicious additions to sensitive groups<\/li>\n
- Account Enumeration reconnaissance (LDAP)<\/li>\n<\/ul>\n
Microsoft Defender for Cloud Apps<\/h3>\n
The following alerts might indicate threat activity associated with this threat.<\/p>\n
\n- Consent granted to application with Microsoft Teams permissions<\/li>\n
- Risky user installed a suspicious application in Microsoft Teams<\/li>\n
- Compromised account signed in to Microsoft Teams<\/li>\n
- Microsoft Teams chat initiated by a suspicious external user<\/li>\n
- Suspicious Teams access via Graph API<\/li>\n<\/ul>\n
The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.<\/p>\n
\n- Possible mail exfiltration by app<\/li>\n<\/ul>\n
Microsoft Security Copilot<\/h3>\n
Microsoft Security Copilot<\/a> customers can use the Copilot in Defender embedded experience<\/a> to check the impact of this report and get insights based on their environment\u2019s highest exposure level in Threat analytics, Intel profiles, Intel Explorer and Intel projects pages of the Defender portal.<\/p>\nYou can also use Copilot in Defender to speed up analysis of suspicious scripts and command lines<\/a> by inspecting them below the incident graph on an incident page and in the timeline on the Device entity page without using external tools.<\/p>\nThreat intelligence reports<\/h2>\n
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n
Microsoft Defender XDR threat analytics<\/h3>\n
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience<\/a> in the Microsoft Defender portal to get more information about this threat actor.<\/p>\nHunting queries<\/h2>\nMicrosoft Defender XDR<\/h3>\n
Advanced hunting allows you to view and query all the data sources available within the unified Microsoft Defender portal<\/a>, which include Microsoft Defender XDR and various Microsoft security services.<\/p>\nAfter onboarding to the Microsoft Sentinel data lake, auxiliary log tables are no longer available in Microsoft Defender advanced hunting. Instead, you can access them through data lake exploration Kusto Query Language (KQL) queries in the Defender portal. For more information, see KQL queries in the Microsoft Sentinel data lake<\/a>.<\/p>\nYou can design and tweak custom detection rules<\/a> using the advanced hunting queries and set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. You can also link the generated alert to this report so that it appears in the Related incidents<\/a> tab in threat analytics. Custom detection rule can automatically take actions<\/a> on devices, files, users, or emails that are returned by the query. To make sure you\u2019re creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in Manage existing custom detection rules<\/a>.<\/p>\nDetect potential data exfiltration from Teams<\/strong><\/p>\n\n\nlet timeWindow = 1h; let messageThreshold = 20; let trustedDomains = dynamic([\"trustedpartner.com\", \"anothertrusted.com\"]); CloudAppEvents | where Timestamp > ago(1d) | where ActionType == \"MessageSent\" | where Application == \"Microsoft Teams\" | where isnotempty(AccountObjectId)\n| where tostring(parse_json(RawEventData).ParticipantInfo.HasForeignTenantUsers) == \"true\" | where tostring(parse_json(RawEventData).CommunicationType) in (\"OneOnOne\", \"GroupChat\") | extend RecipientDomain = tostring(parse_json(RawEventData).ParticipantInfo.ParticipatingDomains[1])\n| where RecipientDomain !in (trustedDomains) | extend SenderUPN = tostring(parse_json(RawEventData).UserId)\n| summarize MessageCount = count() by bin(Timestamp, timeWindow), SenderUPN, RecipientDomain\n| where MessageCount > messageThreshold | project Timestamp, MessageCount, SenderUPN, RecipientDomain\n| sort by MessageCount desc <\/pre>\n<\/div>\nDetect mail bombing that sometimes precedes technical support scams on Microsoft Teams<\/strong><\/p>\n\n\nEmailEvents | where Timestamp > ago(1d) | where DetectionMethods contains \"Mail bombing\" | project Timestamp, NetworkMessageId, SenderFromAddress, Subject, ReportId\n<\/pre>\n<\/div>\nDetect malicious Teams content from <\/strong>MessageEvents<\/strong><\/em><\/p>\n\n\nMessageEvents | where Timestamp > ago(1d) | where ThreatTypes has \"Phish\" \u202f \u202f or ThreatTypes has \"Malware\" \u202f \u202f or ThreatTypes has \"Spam\" | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId\n<\/pre>\n<\/div>\nDetect communication with external help desk\/support representatives<\/strong><\/p>\n\n\nMessageEvents | where Timestamp > ago(5d) | where IsExternalThread == true | where (RecipientDetails contains \"help\" and RecipientDetails contains \"desk\") or (RecipientDetails contains \"it\" and RecipientDetails contains \"support\") or (RecipientDetails contains \"working\" and RecipientDetails contains \"home\") or (SenderDisplayName contains \"help\" and SenderDisplayName contains \"desk\") or (SenderDisplayName contains \"it\" and SenderDisplayName contains \"support\") or (SenderDisplayName contains \"working\" and SenderDisplayName contains \"home\") | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType\n<\/pre>\n<\/div>\nExpand detection of communication with external help desk\/support representatives by searching for linked process executions<\/strong><\/p>\n\n\nlet portableExecutable = pack_array(\"binary.exe\", \"portable.exe\"); let timeAgo = ago(30d);\nMessageEvents | where Timestamp > timeAgo | where IsExternalThread == true | where (RecipientDetails contains \"help\" and RecipientDetails contains \"desk\") or (RecipientDetails contains \"it\" and RecipientDetails contains \"support\") or (RecipientDetails contains \"working\" and RecipientDetails contains \"home\") | summarize spamEvent = min(Timestamp) by SenderEmailAddress | join kind=inner ( DeviceProcessEvents | where Timestamp > timeAgo | where FileName in (portableExecutable) ) on $left.SenderEmailAddress == $right.InitiatingProcessAccountUpn | where spamEvent Timestamp\n<\/pre>\n<\/div>\nSurface Teams threat activity using Microsoft Security Copilot<\/strong><\/p>\nMicrosoft Security Copilot in Microsoft Defender<\/a> comes with a query assistant capability in advanced hunting. You can also run the following prompt in Microsoft Security Copilot pane in the Advanced hunting page or by reopening Copilot from the top of the query editor:<\/p>\n\n\nShow me recent activity in the last 7 days that matches attack techniques described in the Microsoft Teams technique profile. Include relevant alerts, affected users and devices, and generate advanced hunting queries to investigate further.\n<\/pre>\n<\/div>\nMicrosoft Sentinel<\/h3>\n
Possible Teams phishing activity<\/strong><\/p>\nThis query specifically monitors Microsoft Teams for one-on-one chats involving impersonated users (e.g., ‘Help Desk’, ‘Microsoft Security’).<\/p>\n
\n\nlet suspiciousUpns = DeviceProcessEvents | where DeviceId == \"alertedMachine\" | where isnotempty(InitiatingProcessAccountUpn) | project InitiatingProcessAccountUpn; CloudAppEvents | where Application == \"Microsoft Teams\" | where ActionType == \"ChatCreated\" | where isempty(AccountObjectId) | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true | where RawEventData.CommunicationType == \"OneonOne\" | where RawEventData.ParticipantInfo.HasGuestUsers == false | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false | where RawEventData.Members[0].DisplayName in (\"Microsoft Security\", \"Help Desk\", \"Help Desk Team\", \"Help Desk IT\", \"Microsoft Security\", \"office\") | where AccountId has \"@\" | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN)) | where TargetUPN in (suspiciousUpns)\n<\/pre>\n<\/div>\nFiles uploaded to Teams and access summary<\/strong><\/p>\nThis query identifies files uploaded to Microsoft Teams chat files and their access history, specifically mentioning operations from SharePoint. It allows tracking of potential file collection activity through Teams-related storage.<\/p>\n
\n\nOfficeActivity | where RecordType =~ \"SharePointFileOperation\" | where Operation =~ \"FileUploaded\" | where UserId != \"app@sharepoint\" | where SourceRelativeUrl has \"Microsoft Teams Chat Files\" | join kind= leftouter ( OfficeActivity | where RecordType =~ \"SharePointFileOperation\" | where Operation =~ \"FileDownloaded\" or Operation =~ \"FileAccessed\" | where UserId != \"app@sharepoint\" | where SourceRelativeUrl has \"Microsoft Teams Chat Files\" ) on OfficeObjectId | extend userBag = bag_pack(UserId1, ClientIP1) | summarize make_set(UserId1, 10000), make_bag(userBag, 10000) by TimeGenerated, UserId, OfficeObjectId, SourceFileName | extend NumberUsers = array_length(bag_keys(bag_userBag)) | project timestamp=TimeGenerated, UserId, FileLocation=OfficeObjectId, FileName=SourceFileName, AccessedBy=bag_userBag, NumberOfUsersAccessed=NumberUsers | extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1]) | extend Account_0_Name = AccountName | extend Account_0_UPNSuffix = AccountUPNSuffix\n<\/pre>\n<\/div>\nReferences<\/h2>\nLearn more<\/h2>\n
For the latest security research from the Microsoft Threat Intelligence community, check out ff<\/p>\n
To get notified about new publications and to join discussions on social media, follow us on LinkedIn<\/a>, X (formerly Twitter)<\/a>, and Bluesky<\/a>.<\/p>\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast<\/a>.<\/p>\n
Reconnaissance<\/h3>\n
Every Teams user account is backed by a Microsoft Entra ID identity<\/a>. Each team member is an Entra ID object<\/a>, and a team is a collection of channel objects. Teams may be configured for the cloud or a hybrid environment and supports multi-tenant organizations (MTO)<\/a> and cross-tenant<\/a> communication and collaboration. There are anonymous<\/a> participants, guests<\/a>, and external access<\/a> users. From an API perspective, Teams is an object type that can be queried and stored in a local database for reconnaissance by enumerating directory objects, and mapping relationships and privileges. For example, federation tenant configuration<\/a> indicates whether the tenant allows external communication and can be inferred from the API response queries reflecting the effective tenant federation policy.<\/p>\n While not unique to Teams, there are open-source frameworks that can specifically be leveraged to enumerate less secure users, groups, and tenants in Teams (mostly by repurposing the Microsoft Graph API<\/a> or gathering DNS), including ROADtools, TeamFiltration, TeamsEnum<\/a>, and MSFT-Recon-RS<\/a>. These tools facilitate enumerating teams, members of teams and channels, tenant IDs and enabled domains, as well as permissiveness for communicating with external organizations and other properties, like presence. Presence<\/a> indicates a user\u2019s current availability and status outside the organization if Privacy mode is not enabled, which could then be exploited if the admin has not disabled<\/a> external meetings and chat with people and organizations outside the organization (or at least limited it to specified external domains).<\/p>\n Many open-source tools are modular Python packages including reusable libraries and classes that can be directly imported or extended to support custom classes, meaning they are also interoperable with other custom open-source reconnaissance and discovery frameworks designed to identify potential misconfigurations.<\/p>\n Microsoft continuously enhances protections against fraudulent Microsoft Entra ID Workforce tenants and the abuse of free tenants and trial subscriptions. As these defenses grow stronger, threat actors are forced to invest significantly more resources in their attempts to impersonate trusted users, demonstrating the effectiveness of our layered security approach. . This includes threat actors trying to compromise weakly configured legitimate tenants, or even actually purchasing legitimate ones if they have confidence they could ultimately profit. It should come as no surprise that if they can build a persona for social engineering, they will take advantage of the same resources as legitimate organizations, including custom domains<\/a> and branding<\/a>, especially if it can lend credibility to impersonating internal help desk, admin, or IT support, which could then be used as a convincing pretext to compromise targets through chat messaging and phone calls. Sophisticated threat actors try to use the very same resources used by trustworthy organizations, such as acquiring multiple tenants for staging development or running separate operations across regions, and using everyday Teams features like scheduling private meetings through chat, and audio, video and screen-sharing capabilities for productivity.<\/p>\n Tech support scams remain a generally popular pretext for delivery of malicious remote monitoring and management<\/a> (RMM) tools and information-stealing malware, leading<\/a> to credential theft, extortion, and ransomware<\/a>. There are always new variants to bypass security awareness defenses, such as the rise in email bombing<\/a> to create a sense of stress and urgency to restore normalcy. In 2024, for instance, Storm-1811 impersonated tech support, claiming to be addressing junk email issues that it had initiated. They used RMM tools to deliver the ReedBed malware loader of ransomware payloads and remote command execution. Meanwhile, Midnight Blizard has successfully impersonated security and technical support teams to get targets to verify their identities under the pretext of protecting their accounts by entering authentication codes that complete the authentication flow for breaking into the accounts.<\/p>\n Similarly in May, Sophos identified<\/a> a 3AM ransomware (believed to be a rebranding of BlackSuit<\/a>) affiliate adopting techniques from Storm-1811<\/a>, including flooding employees with unwanted emails followed by voice and video calls on Teams impersonating help desk personnel, claiming they needed remote access to stop the flood of junk emails. The threat actor reportedly spoofed the IT organization\u2019s phone number.<\/p>\n With threat actors leveraging deepfakes<\/a>, perceived authority helps make this kind of social engineering even more effective. Threat actors seeking to spoof automated workflow notifications and interactions can naturally extend to spoofing legitimate bots and agents as they gain more traction, as threat actors are turning to language models to facilitate their objectives.<\/p>\n Prevalent threat actors associated with ransomware campaigns, including the access broker tracked as Storm-1674 have used sophisticated red teaming tools, like TeamsPhisher<\/a>, to distribute DarkGate malware and other malicious payloads over Teams. In December 2024, for example, Trend Micro reported<\/a> an incident in which a threat actor impersonated a client during a Teams call to persuade a target to install AnyDesk. Remote access was reportedly then used also to deploy DarkGate. Threat actors may also just use Teams to gain initial access through drive-by-compromise activity to direct users to malicious websites.<\/p>\n Widely available admin tools, including AADInternals<\/a>, could be leveraged to deliver malicious links and payloads directly into Teams. Teams branding (like any communications brand asset) makes for effective bait, and has been used by adversary-in-the-middle (AiTM) actors like Storm-00485<\/a>. Threat actors could place malicious advertisements in search results for a spoofed app like Teams to misdirect users to a download site hosting credential-stealing malware. In July 2025, for instance, Malwarebytes reported<\/a> observing a malvertising campaign delivering credential-stealing malware through a fake Microsoft Teams for Mac installer.<\/p>\n Whether it is a core app that is part of Teams, an app created by Microsoft, a partner app validated by Microsoft, or a custom app created by your own organization\u2014no matter how secure an app\u2014they could still be spoofed to gain a foothold in a network. And similar to leveraging a trusted brand like Teams, threat actors will also continue to try and take advantage of trusted relationships as well to gain Teams access, whether leveraging an account with access or abusing delegated administrator relationships to reach a target environment.<\/p>\n Threat actors employ a variety of persistence techniques to maintain access to target systems\u2014even after defenders attempt to regain control. These methods include abusing shortcuts in the Startup folder to execute malicious tools, or exploiting accessibility features like Sticky Keys (as seen in this ransomware case study<\/a>). Threat actors could try to create guest users in target tenants or add their own credentials to a Teams account to maintain access.<\/p>\n Part of the reason device code phishing has been used to access target accounts is that it could enable persistent access for as long as the tokens remain valid. In February, Microsoft reported<\/a> that Storm-2372 had been capturing authentication tokens by exploiting device code authentication flows, partially by masquerading as Microsoft Teams meeting invitations and initiating Teams chats to build rapport, so that when the targets were prompted to authenticate, they would use Storm-2372-generated device codes, enabling Storm-2372 to steal the authenticated sessions from the valid access tokens.<\/p>\n Teams phishing lures themselves can sometimes be a disguised attempt to help threat actors maintain persistence. For example, in July 2025, the financially motivated Storm-0324 most likely relied on TeamsPhisher to send Teams phishing lures to deliver a custom malware JSSloader for the ransomware operator Sangria Tempest to use as an access vector to maintain a foothold.<\/p>\n Apart from admin accounts, which are an attractive target because they come with elevated privileges, threat actors try and trick everyday Teams users into clicking links or opening files that lead to malicious code execution, just like through email.<\/p>\n If threat actors successfully compromise accounts or register actor-controlled devices, they often times try to change permission groups to escalate privileges. <\/strong>If a threat actor successfully compromises a Teams admin role, this could lead to abuse of the permissions to use the admin tools that belong to that role.<\/p>\n With a valid refresh token, actors can impersonate users through Teams APIs. There is no shortage of administrator tools that can be maliciously repurposed, such as AADInternals, to intercept access to tokens with custom phishing flows. Tools like TeamFiltration could be leveraged just like for any other Microsoft 365 service for targeting Teams. If credentials are compromised through password spraying, threat actors use tools like this to request OAuth tokens for Teams and other services. Threat actors continue to try and bypass multifactor authentication (MFA) by repeatedly generating authentication prompts until someone accepts by mistake, and try to compromise MFA by adding alternate phone numbers or intercepting SMS-based codes.<\/p>\n For instance, the financially motivated threat actor Octo Tempest<\/a> uses aggressive social engineering, including over Teams, to take control of MFA for privileged accounts. They consistently socially engineer help desk personnel, targeting federated identity providers using tools like AADInternals to federate existing domains, or spoof legitimate domains by adding and then federating new domains to forge tokens.<\/p>\n To refine targeting, threat actors analyze Teams configuration data from API responses, enumerate Teams apps if they obtain unauthorized access, and search for valuable files and directories by leveraging toolkits for contextualizing potential attack paths. For instance, Void Blizzard<\/a> has used AzureHound to enumerate a compromised organization\u2019s Microsoft Entra ID configuration and gather details on users, roles, groups, applications, and devices. In a small number of compromises, the threat actor accessed Teams conversations and messages through the web client. AADInternals can also be used to discover Teams group structures and permissions.<\/p>\n The state-sponsored actor Peach Sandstorm has delivered malicious ZIP files<\/a> through Teams, then used AD Explorer<\/a> to take snapshots of on-premises Active Directory database and related files.<\/p>\n A threat actor that manages to obtain Teams admin access (whether directly or indirectly by purchasing an admin account through a rogue online marketplace) could potentially leverage external communication settings and enable trust relationships between organizations to move laterally. In late 2024, in a campaign dubbed VEILdrive<\/a> <\/em>by Hunters\u2019 Team AXON, the financially motivated cybercriminal threat actors Sangria Tempest and Storm-1674 used previously compromised accounts to impersonate IT personnel and convince a user in another organization through Teams to accept a chat request and grant access through a remote connection.<\/p>\n Threat actors often target Teams to try and collect information from it that could help them to accomplish their objectives, such as to discover collaboration channels or high-privileged accounts. They could try to mine Teams for any information perceived as useful in furtherance of their objectives, including pivoting from a compromised account to data accessible to that user from OneDrive or SharePoint. AADInternals can be used to collect sensitive chat data and user profiles. Post-compromise, GraphRunner<\/a> can leverage the Microsoft Graph API to search all chats and channels and export Teams conversations.<\/p>\n Threat actors attempt to deliver malware through file attachments in Teams chats or channels. A cracked version of Brute Ratel C4 (BRc4) includes features to establish C2 channels with platforms like Microsoft Teams by using their communications protocols to send and receive commands and data.<\/p>\n Post-compromise, threat actors can use red teaming tool ConvoC2<\/a> to send commands through Microsoft Teams messages using the Adaptive Card<\/a> framework to embed data in hidden span tags and then exfiltrate using webhooks. But threat actors can also use legitimate remote access tools to try and establish interactive C2 through Teams.<\/p>\n Threat actors may use Teams messages or shared links to direct data exfiltration to cloud storage under their control. Tools like TeamFiltration include an exfiltration module that rely on a valid access token to then extract recent contacts and download chats and files through OneDrive or SharePoint.<\/p>\n Threat actors try to use Teams messages to support financial theft through extortion, social engineering, or technical means.<\/p>\n Octo Tempest has used communication apps, including Teams to send taunting and threatening messages to organizations, defenders, and incident response teams as part of extortion and ransomware payment pressure tactics. After gaining control of MFA through social engineering password resets, they sign in to Teams to identify sensitive information supporting their financially motivated operations.<\/p>\n Implementing some of these recommendations will require Teams Administrator permissions<\/a>.<\/p>\n Protect sensitive data<\/strong><\/p>\n Raise awareness<\/strong><\/p>\n Configure detection and response<\/strong><\/p>\n Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender<\/a> to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.<\/p>\n The following alerts might indicate threat activity associated with this threat.<\/p>\n Any type of sign-in and user risk detection<\/a> might also indicate threat activity associated with this threat. An example is listed below. These alerts, however, can be triggered by unrelated threat activity.<\/p>\n The following alerts might indicate threat activity associated with this threat.<\/p>\n The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.<\/p>\n The following alerts might indicate threat activity associated with this threat.<\/p>\n When Microsoft Defender for Cloud Apps is enabled, the following alert might indicate threat activity associated with this threat.<\/p>\n The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.<\/p>\n The following Microsoft Defender for Identity alerts can indicate associated threat activity:<\/p>\n The following alerts might indicate threat activity associated with this threat.<\/p>\n The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.<\/p>\n Microsoft Security Copilot<\/a> customers can use the Copilot in Defender embedded experience<\/a> to check the impact of this report and get insights based on their environment\u2019s highest exposure level in Threat analytics, Intel profiles, Intel Explorer and Intel projects pages of the Defender portal.<\/p>\n You can also use Copilot in Defender to speed up analysis of suspicious scripts and command lines<\/a> by inspecting them below the incident graph on an incident page and in the timeline on the Device entity page without using external tools.<\/p>\n Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience<\/a> in the Microsoft Defender portal to get more information about this threat actor.<\/p>\n Advanced hunting allows you to view and query all the data sources available within the unified Microsoft Defender portal<\/a>, which include Microsoft Defender XDR and various Microsoft security services.<\/p>\n After onboarding to the Microsoft Sentinel data lake, auxiliary log tables are no longer available in Microsoft Defender advanced hunting. Instead, you can access them through data lake exploration Kusto Query Language (KQL) queries in the Defender portal. For more information, see KQL queries in the Microsoft Sentinel data lake<\/a>.<\/p>\n You can design and tweak custom detection rules<\/a> using the advanced hunting queries and set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. You can also link the generated alert to this report so that it appears in the Related incidents<\/a> tab in threat analytics. Custom detection rule can automatically take actions<\/a> on devices, files, users, or emails that are returned by the query. To make sure you\u2019re creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in Manage existing custom detection rules<\/a>.<\/p>\n Detect potential data exfiltration from Teams<\/strong><\/p>\n Detect mail bombing that sometimes precedes technical support scams on Microsoft Teams<\/strong><\/p>\n Detect malicious Teams content from <\/strong>MessageEvents<\/strong><\/em><\/p>\n Detect communication with external help desk\/support representatives<\/strong><\/p>\n Expand detection of communication with external help desk\/support representatives by searching for linked process executions<\/strong><\/p>\n Surface Teams threat activity using Microsoft Security Copilot<\/strong><\/p>\n Microsoft Security Copilot in Microsoft Defender<\/a> comes with a query assistant capability in advanced hunting. You can also run the following prompt in Microsoft Security Copilot pane in the Advanced hunting page or by reopening Copilot from the top of the query editor:<\/p>\n Possible Teams phishing activity<\/strong><\/p>\n This query specifically monitors Microsoft Teams for one-on-one chats involving impersonated users (e.g., ‘Help Desk’, ‘Microsoft Security’).<\/p>\n Files uploaded to Teams and access summary<\/strong><\/p>\n This query identifies files uploaded to Microsoft Teams chat files and their access history, specifically mentioning operations from SharePoint. It allows tracking of potential file collection activity through Teams-related storage.<\/p>\n For the latest security research from the Microsoft Threat Intelligence community, check out ff<\/p>\n To get notified about new publications and to join discussions on social media, follow us on LinkedIn<\/a>, X (formerly Twitter)<\/a>, and Bluesky<\/a>.<\/p>\n To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast<\/a>.<\/p>\nResource development<\/h3>\n
Initial access<\/h3>\n
Persistence<\/h3>\n
Execution<\/h3>\n
Privilege escalation<\/h3>\n
Credential access<\/h3>\n
Discovery<\/h3>\n
Lateral movement<\/h3>\n
Collection<\/h3>\n
Command and control<\/h3>\n
Exfiltration<\/h3>\n
Impact<\/h3>\n
Mitigation and protection guidance<\/h2>\n
Strengthen identity protection<\/h3>\n
Harden endpoint security<\/h3>\n
\n
Secure Teams clients and apps<\/h3>\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
Microsoft Defender detections<\/h2>\n
Microsoft Defender XDR<\/h3>\n
\n
Microsoft Entra ID Protection<\/h3>\n
\n
Microsoft Defender for Endpoint<\/h3>\n
\n
\n
Microsoft Defender for Office 365<\/h3>\n
\n
\n
\n
Microsoft Defender for Identity<\/h3>\n
\n
Microsoft Defender for Cloud Apps<\/h3>\n
\n
\n
Microsoft Security Copilot<\/h3>\n
Threat intelligence reports<\/h2>\n
Microsoft Defender XDR threat analytics<\/h3>\n
Hunting queries<\/h2>\n
Microsoft Defender XDR<\/h3>\n
\nlet timeWindow = 1h; let messageThreshold = 20; let trustedDomains = dynamic([\"trustedpartner.com\", \"anothertrusted.com\"]); CloudAppEvents | where Timestamp > ago(1d) | where ActionType == \"MessageSent\" | where Application == \"Microsoft Teams\" | where isnotempty(AccountObjectId)\n| where tostring(parse_json(RawEventData).ParticipantInfo.HasForeignTenantUsers) == \"true\" | where tostring(parse_json(RawEventData).CommunicationType) in (\"OneOnOne\", \"GroupChat\") | extend RecipientDomain = tostring(parse_json(RawEventData).ParticipantInfo.ParticipatingDomains[1])\n| where RecipientDomain !in (trustedDomains) | extend SenderUPN = tostring(parse_json(RawEventData).UserId)\n| summarize MessageCount = count() by bin(Timestamp, timeWindow), SenderUPN, RecipientDomain\n| where MessageCount > messageThreshold | project Timestamp, MessageCount, SenderUPN, RecipientDomain\n| sort by MessageCount desc <\/pre>\n<\/div>\n
\nEmailEvents | where Timestamp > ago(1d) | where DetectionMethods contains \"Mail bombing\" | project Timestamp, NetworkMessageId, SenderFromAddress, Subject, ReportId\n<\/pre>\n<\/div>\n
\nMessageEvents | where Timestamp > ago(1d) | where ThreatTypes has \"Phish\" \u202f \u202f or ThreatTypes has \"Malware\" \u202f \u202f or ThreatTypes has \"Spam\" | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId\n<\/pre>\n<\/div>\n
\nMessageEvents | where Timestamp > ago(5d) | where IsExternalThread == true | where (RecipientDetails contains \"help\" and RecipientDetails contains \"desk\") or (RecipientDetails contains \"it\" and RecipientDetails contains \"support\") or (RecipientDetails contains \"working\" and RecipientDetails contains \"home\") or (SenderDisplayName contains \"help\" and SenderDisplayName contains \"desk\") or (SenderDisplayName contains \"it\" and SenderDisplayName contains \"support\") or (SenderDisplayName contains \"working\" and SenderDisplayName contains \"home\") | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType\n<\/pre>\n<\/div>\n
\nlet portableExecutable = pack_array(\"binary.exe\", \"portable.exe\"); let timeAgo = ago(30d);\nMessageEvents | where Timestamp > timeAgo | where IsExternalThread == true | where (RecipientDetails contains \"help\" and RecipientDetails contains \"desk\") or (RecipientDetails contains \"it\" and RecipientDetails contains \"support\") or (RecipientDetails contains \"working\" and RecipientDetails contains \"home\") | summarize spamEvent = min(Timestamp) by SenderEmailAddress | join kind=inner ( DeviceProcessEvents | where Timestamp > timeAgo | where FileName in (portableExecutable) ) on $left.SenderEmailAddress == $right.InitiatingProcessAccountUpn | where spamEvent Timestamp\n<\/pre>\n<\/div>\n
\nShow me recent activity in the last 7 days that matches attack techniques described in the Microsoft Teams technique profile. Include relevant alerts, affected users and devices, and generate advanced hunting queries to investigate further.\n<\/pre>\n<\/div>\n
Microsoft Sentinel<\/h3>\n
\nlet suspiciousUpns = DeviceProcessEvents | where DeviceId == \"alertedMachine\" | where isnotempty(InitiatingProcessAccountUpn) | project InitiatingProcessAccountUpn; CloudAppEvents | where Application == \"Microsoft Teams\" | where ActionType == \"ChatCreated\" | where isempty(AccountObjectId) | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true | where RawEventData.CommunicationType == \"OneonOne\" | where RawEventData.ParticipantInfo.HasGuestUsers == false | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false | where RawEventData.Members[0].DisplayName in (\"Microsoft Security\", \"Help Desk\", \"Help Desk Team\", \"Help Desk IT\", \"Microsoft Security\", \"office\") | where AccountId has \"@\" | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN)) | where TargetUPN in (suspiciousUpns)\n<\/pre>\n<\/div>\n
\nOfficeActivity | where RecordType =~ \"SharePointFileOperation\" | where Operation =~ \"FileUploaded\" | where UserId != \"app@sharepoint\" | where SourceRelativeUrl has \"Microsoft Teams Chat Files\" | join kind= leftouter ( OfficeActivity | where RecordType =~ \"SharePointFileOperation\" | where Operation =~ \"FileDownloaded\" or Operation =~ \"FileAccessed\" | where UserId != \"app@sharepoint\" | where SourceRelativeUrl has \"Microsoft Teams Chat Files\" ) on OfficeObjectId | extend userBag = bag_pack(UserId1, ClientIP1) | summarize make_set(UserId1, 10000), make_bag(userBag, 10000) by TimeGenerated, UserId, OfficeObjectId, SourceFileName | extend NumberUsers = array_length(bag_keys(bag_userBag)) | project timestamp=TimeGenerated, UserId, FileLocation=OfficeObjectId, FileName=SourceFileName, AccessedBy=bag_userBag, NumberOfUsersAccessed=NumberUsers | extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1]) | extend Account_0_Name = AccountName | extend Account_0_UPNSuffix = AccountUPNSuffix\n<\/pre>\n<\/div>\n
References<\/h2>\n
Learn more<\/h2>\n