Adversaries may share links to rarely seen domains in external Teams threads to evade detection and establish covert communication channels. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to surface potential exfiltration or command-and-control activity that leverages Microsoft Teams for lateral movement or data theft. In the query below, a domain is "rare" when it appears in fewer than 3 Teams messages during the 1-day lookback window.
KQL Query
```kusto
let lookback = 1d;
// External Teams messages
let externalMsgs =
    MessageEvents
    | where Timestamp > ago(lookback) and IsExternalThread == true
    | project MsgTime = Timestamp, TeamsMessageId, SenderEmailAddress, ME_ReportId = ReportId;
// URLs found in Teams messages
let urlsInMsgs =
    MessageUrlInfo
    | where Timestamp > ago(lookback)
    | project MUI_Time = Timestamp, TeamsMessageId, Url, UrlDomain, MUI_ReportId = ReportId;
// Clicks coming from Teams
let clicks =
    UrlClickEvents
    | where Timestamp > ago(lookback) and Workload == "Teams"
    | project ClickTime = Timestamp, Url, Clicker = AccountUpn, ClickAction = ActionType, UCE_ReportId = ReportId;
// Define "rare" domains in the period
let rareDomains =
    urlsInMsgs
    | summarize msgCount = dcount(TeamsMessageId) by UrlDomain
    | where msgCount < 3;
rareDomains
| join kind=inner (urlsInMsgs) on UrlDomain
// inner join: keep only messages that are in external threads, as the description requires
// (a leftouter join here would also return rare domains from internal-only messages)
| join kind=inner (externalMsgs) on TeamsMessageId
// leftouter: a URL that nobody clicked is still reported
| join kind=leftouter (clicks) on Url
| project
    Timestamp = coalesce(ClickTime, MUI_Time, MsgTime),
    UrlDomain,
    Url,
    SenderEmailAddress,
    Clicker,
    ClickTime,
    ClickAction,
    TeamsMessageId,
    ReportId = coalesce(UCE_ReportId, MUI_ReportId, ME_ReportId)
```
```yaml
id: d4dd8c3f-d62b-4078-9dc7-8520c3adf1d5
name: Rare Domains in External Teams Messages
description: Detects rare domains (seen in fewer than 3 Teams messages) appearing in external Microsoft Teams threads within the last 24 hours.
description-detailed: >
  This query detects uncommon domains shared through external Microsoft Teams
  message threads. Domains are classified as "rare" if they appear in fewer than 3
  messages across your entire Teams environment, then filtered to show only those
  appearing in external (cross-organization) threads. Results include sender
  information, full URLs, and any user click actions from Teams, helping analysts
  identify potential phishing attempts or social engineering targeting external
  collaboration channels.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
      - MessageUrlInfo
      - UrlClickEvents
tactics:
  - InitialAccess
  - Execution
relevantTechniques:
  - T1566
  - T1204
query: |
  let lookback = 1d;
  // External Teams messages
  let externalMsgs =
      MessageEvents
      | where Timestamp > ago(lookback) and IsExternalThread == true
      | project MsgTime = Timestamp, TeamsMessageId, SenderEmailAddress, ME_ReportId = ReportId;
  // URLs found in Teams messages
  let urlsInMsgs =
      MessageUrlInfo
      | where Timestamp > ago(lookback)
      | project MUI_Time = Timestamp, TeamsMessageId, Url, UrlDomain, MUI_ReportId = ReportId;
  // Clicks coming from Teams
  let clicks =
      UrlClickEvents
      | where Timestamp > ago(lookback) and Workload == "Teams"
      | project ClickTime = Timestamp, Url, Clicker = AccountUpn, ClickAction = ActionType, UCE_ReportId = ReportId;
  // Define "rare" domains in the period
  let rareDomains =
      urlsInMsgs
      | summarize msgCount = dcount(TeamsMessageId) by UrlDomain
      | where msgCount < 3;
  rareDomains
  | join kind=inner (urlsInMsgs) on UrlDomain
  // inner join: keep only messages that are in external threads, as the description requires
  | join kind=inner (externalMsgs) on TeamsMessageId
  // leftouter: a URL that nobody clicked is still reported
  | join kind=leftouter (clicks) on Url
  | project
      Timestamp = coalesce(ClickTime, MUI_Time, MsgTime),
      UrlDomain,
      Url,
      SenderEmailAddress,
      Clicker,
      ClickTime,
      ClickAction,
      TeamsMessageId,
      ReportId = coalesce(UCE_ReportId, MUI_ReportId, ME_ReportId)
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Backup Tool Sending Emails to External Teams | A backup tool (e.g., Veeam, Acronis) sends periodic status updates to an external Teams channel for monitoring purposes. | Exclude domains associated with backup tools using a regex pattern or IP-based filtering (e.g., backup-tool.com, veeam.com). |
| Internal User Testing with External Teams Bot | A user is testing an internal Teams bot that communicates with an external service (e.g., a customer support platform like Zendesk or Freshdesk). | Exclude domains associated with known internal testing environments or bots (e.g., zendesk.com, freshdesk.com) using a custom domain list or IP whitelisting. |
| Automated Reporting Tool Sending to External Teams | An automated reporting tool (e.g., Power BI, Tableau) sends reports to an external Teams channel for stakeholder review. | Exclude domains used by reporting tools using a domain list or by marking the sender as a trusted external domain in Microsoft 365 admin settings. |
| User Error in External Teams Message | A user accidentally sends a message with an incorrect or temporary domain (e.g., a typo in an email address) to an external Teams thread. | Exclude domains with common typos or short-lived domains using a custom exclusion list or by filtering messages with low confidence scores. |
| Integration with Third-Party SaaS Tool | An internal tool (e.g., ServiceNow, Jira) integrates with Microsoft Teams and sends notifications to an external domain (e.g., servicenow.com). | Exclude domains used by third-party SaaS tools by |
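The scenarios above all come down to two tuning knobs: an allowlist of benign URL domains and an allowlist of trusted external sender domains. The following tuned variant is an added example, not part of the published rule; the allowlist values are placeholders lifted from the scenario table, the base-domain extraction is a deliberate simplification (it reduces a host to its last two labels and so does not handle multi-label suffixes such as co.uk), and the rarity threshold is assumed to be 3 as in the original.

```kusto
let lookback = 1d;
let rarityThreshold = 3;   // assumed: same threshold as the published rule
// Placeholder allowlists taken from the false-positive scenarios; replace with
// the domains actually observed as benign in your tenant.
let allowedUrlDomains = dynamic(["veeam.com", "zendesk.com", "freshdesk.com", "servicenow.com"]);
let trustedSenderDomains = dynamic(["trusted-partner.example"]);   // placeholder
// URLs in Teams messages, minus allowlisted domains. BaseDomain keeps only the
// last two labels so that status.veeam.com is matched by the entry veeam.com
// (simplification: multi-label public suffixes like co.uk are not handled).
let urlsInMsgs =
    MessageUrlInfo
    | where Timestamp > ago(lookback)
    | extend BaseDomain = tolower(extract(@"([^.]+\.[^.]+)$", 1, UrlDomain))
    | where isnotempty(BaseDomain) and BaseDomain !in (allowedUrlDomains)
    | project MUI_Time = Timestamp, TeamsMessageId, Url, UrlDomain, BaseDomain, MUI_ReportId = ReportId;
// External threads, minus messages from trusted sender domains (the
// "trusted external domain" scenario in the table above).
let externalMsgs =
    MessageEvents
    | where Timestamp > ago(lookback) and IsExternalThread == true
    | extend SenderDomain = tolower(extract(@"@(.+)$", 1, SenderEmailAddress))
    | where SenderDomain !in (trustedSenderDomains)
    | project MsgTime = Timestamp, TeamsMessageId, SenderEmailAddress, SenderDomain, ME_ReportId = ReportId;
// Clicks coming from Teams
let clicks =
    UrlClickEvents
    | where Timestamp > ago(lookback) and Workload == "Teams"
    | project ClickTime = Timestamp, Url, Clicker = AccountUpn, ClickAction = ActionType, UCE_ReportId = ReportId;
// Rarity is counted per UrlDomain over the allowlisted set, so the threshold
// can be raised or lowered without touching the allowlists.
let rareDomains =
    urlsInMsgs
    | summarize msgCount = dcount(TeamsMessageId) by UrlDomain
    | where msgCount < rarityThreshold;
rareDomains
| join kind=inner (urlsInMsgs) on UrlDomain
// inner join restricts results to external threads, as the rule description requires
| join kind=inner (externalMsgs) on TeamsMessageId
// leftouter keeps URLs that nobody has clicked yet
| join kind=leftouter (clicks) on Url
| project Timestamp = coalesce(ClickTime, MUI_Time, MsgTime), UrlDomain, BaseDomain, Url,
          SenderEmailAddress, SenderDomain, Clicker, ClickTime, ClickAction, TeamsMessageId,
          ReportId = coalesce(UCE_ReportId, MUI_ReportId, ME_ReportId)
| sort by Timestamp desc
```

Run it first with empty allowlists and review the BaseDomain and SenderDomain columns of the noisiest rows; those are the values to move into the two lists rather than broad regex or IP-based exclusions.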