Adversaries may impersonate a trusted partner organisation in Teams messages to gain a foothold or exfiltrate data. In external (federated) chats the sender display name comes from the sending tenant's directory, so an attacker who controls an unrelated tenant can place a partner address such as "alice@contoso.com" in the display name while the message actually originates elsewhere. SOC teams should proactively hunt for this behaviour to identify spear-phishing or credential-theft attempts that lean on trusted external identities.
KQL Query
//This query can be used as a Custom Detection Rule (CDR). It triggers when a partner email domain or address appears in the sender display name of an inbound external Teams message. Replace "@contoso.com" with the partner domain (or the specific partner address) you want to protect.
MessageEvents
| where IsOwnedThread==0 and IsExternalThread==1 and SenderDisplayName contains "@contoso.com"
id: 39cf1ec6-d460-4760-8a87-7d10577f6205
name: Possible partner impersonation in external Teams messages
description: |
  This query can be used as a Custom Detection Rule (CDR). It triggers when a partner email domain or address appears in the sender display name of an inbound external Teams message.
description-detailed: |
  This query can be used as a Custom Detection Rule (CDR). It triggers when a partner email domain or address appears in the sender display name of an inbound external Teams message. Replace "@contoso.com" with the partner domain (or the specific partner address) you want to protect.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  //This query can be used as a Custom Detection Rule (CDR). It triggers when a partner email domain or address appears in the sender display name of an inbound external Teams message. Replace "@contoso.com" with the partner domain you want to protect.
  MessageEvents
  | where IsOwnedThread==0 and IsExternalThread==1 and SenderDisplayName contains "@contoso.com"
version: 1.0.0
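The rule above fires on any external message whose display name contains the partner domain, including messages from genuine partner users who put their own address in their display name. The following tuned variant is added here as an example and is not part of the original rule: it keeps the display-name match but only fires when the sender's actual address (SenderEmailAddress) is not in the partner domain, drops an allowlist of vetted automation senders, and groups hits per sender and thread for triage. The partner domain contoso.com, the 7-day window and the allowlisted address are placeholders chosen for this example.

```kusto
// Added example (not the original rule): partner-domain impersonation hunt with a
// sender-address cross-check. contoso.com and the allowlisted address are placeholders.
let PartnerDomain = "contoso.com";
let AllowedSenders = dynamic(["powerautomate@yourtenant.com"]);   // vetted automation senders (placeholder)
MessageEvents
| where Timestamp > ago(7d)
| where IsOwnedThread == 0 and IsExternalThread == 1
// The display name claims the partner domain ...
| where SenderDisplayName contains strcat("@", PartnerDomain)
// ... but the sending identity is not in that domain. A genuine partner user who
// includes their own address in the display name is therefore not flagged.
| where SenderEmailAddress !endswith strcat("@", PartnerDomain)
| where SenderEmailAddress !in~ (AllowedSenders)
| extend SenderDomain = tostring(split(SenderEmailAddress, "@")[1])
// One row per sender and thread: how long it has been going on, how many messages,
// and which display names the sender has used.
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Messages = count(),
            DisplayNames = make_set(SenderDisplayName, 5)
    by SenderEmailAddress, SenderDomain, SenderObjectId, ThreadId, ThreadType
| order by LastSeen desc
```

This shape is meant for ad hoc hunting. A Custom Detection Rule needs Timestamp and ReportId in its output, so for CDR use drop the summarize and project those columns alongside the sender fields; the two where clauses on SenderDisplayName and SenderEmailAddress are the part that reduces noise.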
False positive scenarios
Scenario: Internal Teams User with Partner Email in Display Name
Description: An internal user may include a partner contact's email address in their display name (e.g. "John Doe (PartnerEmail@partner.com)"), which matches the rule even though the sender belongs to your own tenant.
Filter/Exclusion: Exclude messages whose sender address is in your own tenant domain, so a partner address in the display name is treated as annotation rather than impersonation. Example (append to the query; company.com stands for your tenant domain):
| where not(SenderDisplayName contains "@partner.com" and SenderEmailAddress endswith "@company.com")
Scenario: Scheduled Job Sending Test Messages to Partner Domain
Description: A scheduled job or automation tool (e.g. Power Automate, Azure Logic Apps) may send test messages to a partner domain for validation or reporting, with the partner address in the sender display name.
Filter/Exclusion: Exclude messages from an explicit allowlist of known automation sender addresses. Keep the list short and review it periodically, since an address on it is never alerted on. Example:
| where SenderEmailAddress !in~ ("PowerAutomate@domain.com")
Scenario: Partner User with Internal Email in Display Name
Description: A partner user may carry an internal email address in their display name (e.g. "Jane Smith (internal@company.com)"), for instance a contractor who also holds an account in your tenant.
Filter/Exclusion: Exclude the message only when the sender is a specific, vetted partner address. A blanket exclusion on "display name contains an internal address and sender is not that address" would also suppress a real attempt to impersonate that internal user. Example (jane.smith@partner.com is a placeholder for the vetted partner sender):
| where not(SenderDisplayName contains "internal@company.com" and SenderEmailAddress =~ "jane.smith@partner.com")
Scenario: Email Alias for Internal User with Partner Domain
Description: An internal user may have an email alias in a partner domain (e.g. "john.doe@partner.com" as a proxy address for "john.doe@company.com").
Filter/Exclusion: Exclude messages whose sender object ID resolves to an internal account in IdentityInfo, rather than matching on the alias string, so every alias of that user is covered. Example (company.com stands for your tenant domain):
| join kind=leftanti (IdentityInfo | where AccountUpn endswith "@company.com" | distinct AccountObjectId) on $left.SenderObjectId == $right.AccountObjectId
Scenario: Admin Task Using Partner Email for Notification