Teams users are exchanging messages with external users whose recipient details look like IT help desk or support staff. Attackers impersonating a help desk over Teams is a social engineering lure that this query's metadata maps to Initial Access (T1566), and the same pattern can also surface unsanctioned sharing with outside parties. SOC teams should proactively hunt for this behavior in Microsoft Sentinel or Microsoft Defender XDR advanced hunting to identify and contain early-stage adversarial activity before organizational data is exposed.
KQL Query
//This query uses MessageEvents to find Teams messages in external threads whose recipient details
//resemble Help Desk / IT Support representatives or working-from-home lures
MessageEvents
| where Timestamp > ago(30d)            // 30-day hunting window
// contains is a case-insensitive substring match; note that "it" also matches "with", "site", "security"
| where (RecipientDetails contains "help" and RecipientDetails contains "desk")
    or (RecipientDetails contains "it" and RecipientDetails contains "support")
    or (RecipientDetails contains "working" and RecipientDetails contains "home")
| where IsExternalThread == true        // keep only threads that include external participants
| project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType
id: 389ead4a-6dfe-47e1-9236-165eb08f1017
name: Teams communication to suspicious external users
description: |
  This query helps hunt for communication with suspicious external users.
description-detailed: |
  This query helps hunt for Teams users communicating with suspicious external users using Microsoft Defender for Office 365 and advanced hunting in Microsoft Defender XDR.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //This query uses MessageEvents to find Teams messages in external threads whose recipient details
  //resemble Help Desk / IT Support representatives or working-from-home lures
  MessageEvents
  | where Timestamp > ago(30d)
  | where (RecipientDetails contains "help" and RecipientDetails contains "desk")
      or (RecipientDetails contains "it" and RecipientDetails contains "support")
      or (RecipientDetails contains "working" and RecipientDetails contains "home")
  | where IsExternalThread == true
  | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType
version: 1.0.0
Legitimate external Teams traffic can match the query, because it only inspects substrings of RecipientDetails. The following scenarios describe such traffic and the exclusion to apply; since the query surfaces SenderEmailAddress and RecipientDetails, exclusions are most reliably keyed on the sender or recipient email domain.

Scenario: Scheduled Backup Job to External Storage Service
Description: A legitimate scheduled job (e.g., Azure Backup or Veeam) communicates with an external cloud storage service (e.g., AWS S3, Google Cloud Storage) for data backup.
Filter/Exclusion: Exclude threads whose external participants belong to known cloud storage service domains (e.g., aws.amazon.com, storage.googleapis.com), or maintain a custom list of approved external services.

Scenario: Admin Task to External Support Portal
Description: An admin user communicates through Microsoft Teams with an external support organization (e.g., Microsoft Support, Salesforce) to resolve an issue. These threads are the most likely to match the "help desk" and "support" terms.
Filter/Exclusion: Exclude threads whose external participants belong to known support domains (e.g., support.microsoft.com, salesforce.com), or maintain a custom list of approved external support domains.

Scenario: Integration with Third-Party SaaS Tool
Description: A Teams channel is used to integrate with a third-party SaaS tool (e.g., ServiceNow, Jira) for incident management or task tracking.
Filter/Exclusion: Exclude threads whose external participants belong to known SaaS integration domains (e.g., servicenow.com, atlassian.com), or maintain a custom list of approved integration domains.

Scenario: User Collaboration with External Partner
Description: A user collaborates with an external partner (e.g., a vendor or client) via Teams, which may involve file sharing or chat.
Filter/Exclusion: Exclude threads whose external participants belong to known partner domains (e.g., partner.example.com, client.example.com), or maintain a custom list of approved external collaboration domains.

Scenario: Automated Monitoring Tool Communication
Description: An automated monitoring tool (e.g., Datadog, Splunk) communicates with Teams to send alerts or notifications.
Filter/Exclusion: Exclude
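As an added example (not part of the original hunting query or of the Azure-Sentinel repository), the query below applies the exclusions described in the scenarios above to the page's own query. It keeps the column names the original uses, switches the lure terms from contains to has so that "it" only matches as a whole word, and drops threads whose sender domain or recipient details appear in an allowlist. The domains in approvedExternalDomains are placeholders; replace them with your organization's approved partner, support and integration domains.

```kql
// Added example: tuned version of the page's hunting query with an allowlist of
// approved external domains. Domain values are placeholders, not real tuning data.
let lookback = 30d;
// Hypothetical allowlist: external organizations whose Teams traffic is expected.
let approvedExternalDomains = dynamic([
    "support.microsoft.com",
    "salesforce.com",
    "servicenow.com",
    "atlassian.com",
    "partner.example.com"
]);
MessageEvents
| where Timestamp > ago(lookback)
| where IsExternalThread == true
// RecipientDetails is a dynamic column; serialize it once so the term checks are uniform.
| extend RecipientText = tostring(RecipientDetails)
// Extract the sender's mail domain so the allowlist can be applied to the sender side too.
| extend SenderDomain = tolower(tostring(split(SenderEmailAddress, "@")[1]))
// has matches whole terms (case-insensitive), so "it" no longer fires on "with", "site" or "security".
| where (RecipientText has "help" and RecipientText has "desk")
     or (RecipientText has "it" and RecipientText has "support")
     or (RecipientText has "working" and RecipientText has "home")
// Exclusions from the false-positive scenarios: approved external organizations on either side.
| where SenderDomain !in~ (approvedExternalDomains)
| where not(RecipientText has_any (approvedExternalDomains))
| project Timestamp, SenderDisplayName, SenderEmailAddress, SenderDomain, RecipientDetails, IsOwnedThread, ThreadType
| order by Timestamp desc
```

Run the tuned query next to the original over the same 30-day window and compare row counts before promoting it to a scheduled rule: the has change reduces noise from incidental "it" substrings, while the allowlist removes whole partner relationships, so any domain added to it should be reviewed by the team that owns that relationship rather than added reactively from a single alert.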