Adversaries may use Teams to exfiltrate data or deploy malware by leveraging ZAPed messages to bypass traditional detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data exfiltration attempts hidden within legitimate messaging traffic.
KQL Query
//Zero-hour auto purge (ZAP) took action on Teams messages containing Malware after delivery.
MessagePostDeliveryEvents
| where ActionType == 'Malware ZAP'
id: dc961519-a3d3-4b95-8459-982858f0cca6
name: Teams Malware ZAP
description: |
  This query helps hunt for Teams messages with Malware threats that have been ZAPed.
description-detailed: |
  This query helps hunt for Teams messages with Malware threats that have been ZAPed, using Microsoft Defender for Office 365 and Advanced hunting in Microsoft Defender XDR.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessagePostDeliveryEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //Zero-hour auto purge (ZAP) took action on Teams messages containing Malware after delivery.
  MessagePostDeliveryEvents
  | where ActionType == 'Malware ZAP'
version: 1.0.0
Scenario: Scheduled Backup Job Sends Malware-Related Message
Description: A scheduled backup job uses a script to send a message to a Teams channel with a file attachment that contains a false positive malware signature (e.g., a backup file named malware.exe).
Filter/Exclusion: Exclude messages sent by the backup-scheduler service or any process with a command line containing backup or snapshot.

Scenario: Admin Sends Test Message with Malware-Related Payload
Description: An admin sends a test message to a Teams channel using PowerShell or the Microsoft Graph API, including a file named test-malware.exe for testing purposes.
Filter/Exclusion: Exclude messages sent by users with the admin or security-team role, or filter by the sender's email domain (e.g., @example.com).

Scenario: Automated Compliance Scan Uploads Malware-Related Files
Description: A compliance tool like Microsoft Purview or Microsoft Defender for Cloud uploads a file named malware-sample.exe to a Teams channel as part of a scan or audit process.
Filter/Exclusion: Exclude files uploaded by the Microsoft Purview or Defender for Cloud service, or filter based on the file's hash or known benign file types.

Scenario: User Sends a File with a Known False Positive Signature
Description: A user sends a file named malware.exe to a Teams channel, which is a known false positive (e.g., a legitimate system file or a test file used in internal security training).
Filter/Exclusion: Exclude files with specific file names or hashes known to be false positives, or filter by the user's department (e.g., training, security-team).

Scenario: Integration with Third-Party Security Tools
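As an added example (not part of the original rule), the base query with the sender-based exclusions from the scenarios above folded in and the remaining hits grouped per sender for triage. Only ActionType comes from the page: Timestamp, SenderEmailAddress, RecipientEmailAddress, ThreatTypes and ReportId are assumed column names, and every allowlist value is a constructed placeholder.

```kql
// Added example, not the original rule: Malware ZAP hunt with the
// false-positive exclusions from the scenarios applied. Column names other
// than ActionType are assumptions; allowlist entries are constructed values
// to replace with senders your SOC has actually reviewed.
let lookback = 7d;
// Scenario 1 (backup job) and scenario 3 (compliance scan): automation
// accounts excluded only with a documented reason next to each entry.
let KnownBenignSenders = datatable(Sender:string, Reason:string) [
    "backup-scheduler@example.com", "Scheduled backup job, reviewed by SOC",
    "purview-scan@example.com",     "Compliance scan service account"
];
MessagePostDeliveryEvents
| where Timestamp > ago(lookback)
| where ActionType == 'Malware ZAP'
// Drop the approved automation senders; leftanti keeps only non-matching rows.
| join kind=leftanti KnownBenignSenders
    on $left.SenderEmailAddress == $right.Sender
// Scenarios 2 and 4: internal test sends from security or training staff are
// tagged rather than hidden, so they still appear but sort to the bottom.
| extend SenderLocalPart = tostring(split(SenderEmailAddress, "@")[0])
| extend IsInternalTest = SenderEmailAddress endswith "@example.com"
    and (SenderLocalPart startswith "sec-"
         or SenderLocalPart startswith "training-")
// One row per sender and threat type, with enough context to pivot from.
| summarize ZapCount = count(),
            Recipients = make_set(RecipientEmailAddress, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            ReportIds = make_set(ReportId, 20)
    by SenderEmailAddress, ThreatTypes, IsInternalTest
| order by IsInternalTest asc, ZapCount desc
```

Run the query once with the join commented out and compare row counts, so you can confirm the allowlist removes only the senders you expect before scheduling it.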