Suspicious Teams Display Name

Hunt Hypothesis

Adversaries may use misleading display names in Teams to impersonate legitimate users and gain trust for phishing or credential theft. SOC teams should proactively hunt for this behavior to identify potential identity spoofing and early-stage compromise attempts in their Azure Sentinel environment.

KQL Query

let SuspiciousDisplayNames = pack_array("Microsoft  Security", "Help Desk", "Help Desk Team", "Help Desk IT", "Microsoft Security", "IT Support", "Helpdesk");
MessageEvents
| where IsExternalThread == 1 and IsOwnedThread == 0
| where SenderDisplayName has_any (SuspiciousDisplayNames)

Analytic Rule Definition

id: 97e1c837-2cef-4f43-a87f-11f16e33ee8d
name: Suspicious Teams Display Name
description: |
  This query looks for Teams messages from an external user with a suspicious display name.
description-detailed: |
  This query looks for Teams messages from an external user with a suspicious display name.
  Threat actors may attempt to socially engineer a user by using display names such as IT Support or Help Desk to establish trust.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - MessageEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let SuspiciousDisplayNames = pack_array("Microsoft  Security", "Help Desk", "Help Desk Team", "Help Desk IT", "Microsoft Security", "IT Support", "Helpdesk");
  MessageEvents
  | where IsExternalThread == 1 and IsOwnedThread == 0
  | where SenderDisplayName has_any (SuspiciousDisplayNames)
version: 1.0.0

MITRE ATT&CK Context

• Tactic: InitialAccess
• Technique: T1566 — T1566

References

• [Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/Suspicious Teams Display Name.yaml)

False Positive Guidance

• Scenario: A system administrator uses a temporary display name while troubleshooting an issue with Microsoft Teams.
  Filter/Exclusion: Exclude messages where the sender is a known admin or has a role-based identifier (e.g., @admin, @support, @IT).
  Example Filter: sender_display_name: "*@admin*" or sender_display_name: "*@support*"

• Scenario: A scheduled job or automation tool (e.g., Azure DevOps, Jenkins) sends a message to a Teams channel with a generic or placeholder display name.
  Filter/Exclusion: Exclude messages from known automation tools or services (e.g., sender_display_name: "*Azure DevOps*", sender_display_name: "*Jenkins*")
  Example Filter: sender_display_name: "*Azure DevOps*" or sender_display_name: "*Jenkins*"

• Scenario: A user is testing a new Teams integration (e.g., Power Automate, Microsoft Flow) and uses a test display name.
  Filter/Exclusion: Exclude messages from known test environments or test users (e.g., sender_display_name: "*TestUser*", sender_display_name: "*Power Automate*")
  Example Filter: sender_display_name: "*TestUser*" or sender_display_name: "*Power Automate*"

• Scenario: A user is using a third-party tool (e.g., Slack, Microsoft Teams integration with Zoom) that displays the user’s real name in Teams.
  Filter/Exclusion: Exclude messages where the sender is a known third-party service or tool (e.g., sender_display_name: "*Zoom*", sender_display_name: "*Slack*")
  Example Filter: sender_display_name: "*Zoom*" or sender_display_name: "*Slack*"

• Scenario: A user is using a personal Microsoft account (e