Adversaries may use ZAPed Teams messages to deliver phishing content, leveraging the trust of legitimate communication channels. SOC teams should proactively hunt for this behavior to identify and mitigate potential phishing campaigns before they lead to credential compromise or data exfiltration.
KQL Query
//Zero-hour auto purge (ZAP) took action on Teams messages containing Phish after delivery
MessagePostDeliveryEvents
| where ActionType == 'Phish ZAP'
id: 9d6594d8-1d0b-42c7-9dab-2a2c1db5c330
name: Teams Phish ZAP
description: |
  This query helps hunt for Teams messages with Phish threats that have been ZAPed.
description-detailed: |
  This query helps hunt for Teams messages with Phish threats that have been ZAPed, using Microsoft Defender for Office 365 and Advanced Hunting in Microsoft Defender XDR.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessagePostDeliveryEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //Zero-hour auto purge (ZAP) took action on Teams messages containing Phish after delivery
  MessagePostDeliveryEvents
  | where ActionType == 'Phish ZAP'
version: 1.0.0
Scenario: Scheduled Backup Job Sends Phish-Like Notification
Description: A scheduled backup job sends a Teams message to administrators informing them of a completed backup, which includes a link to a storage location. The link format resembles phishing URLs.
Filter/Exclusion: Exclude messages sent by the “Backup Service” account or filter messages where the sender is a known system account (e.g., backup@domain.com).
Scenario: Admin Sends Test Phishing Message for Training
Description: A security administrator sends a test phishing message to employees via Teams as part of a phishing awareness training exercise. The message includes a malicious-looking link.
Filter/Exclusion: Exclude messages sent by users with the “Security Admin” role or from the “Phishing Training” mailbox (e.g., training@domain.com).
Scenario: Automated Alert from Microsoft Defender for Office 365
Description: Microsoft Defender for Office 365 triggers an alert and sends a Teams message to the security team with a link to the alert details. The link appears suspicious due to its format.
Filter/Exclusion: Exclude messages sent from the “Microsoft Defender for Office 365” service account or filter messages containing specific alert IDs or correlation IDs.
Scenario: User-Initiated File Share with Suspicious Link
Description: A user shares a file via Teams and includes a link to an external storage service. The link is formatted similarly to phishing URLs, but it is a legitimate file share.
Filter/Exclusion: Exclude messages where the sender is a user with “File Sharing” permissions or filter messages containing specific file share URLs or domains.
Scenario: System-Wide Notification for Patch Deployment
Description: A system-wide Teams message is sent by the IT department to notify users about a critical patch deployment. The message includes
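The KQL below is an added example, not part of the original query or the Sentinel content it comes from. It takes the page's one-line hunt and adds the two things a SOC analyst usually needs next: the sender of each purged message, and a sender-based exclusion list of the kind the false-positive scenarios above describe (backup job, training mailbox). It assumes that the Teams MessageEvents table carries TeamsMessageId, SenderEmailAddress and SenderDisplayName, that MessagePostDeliveryEvents can be joined to it on TeamsMessageId, and that MessagePostDeliveryEvents exposes RecipientEmailAddress and ActionResult; confirm those column names against the Advanced Hunting schema in your tenant before scheduling it. The addresses in the allow-list are placeholders taken from the scenarios.

```kql
// Added example: Phish ZAP on Teams messages, enriched with the sender and
// filtered against known benign senders.
// Assumed columns: MessageEvents.TeamsMessageId / SenderEmailAddress / SenderDisplayName,
// MessagePostDeliveryEvents.RecipientEmailAddress / ActionResult. Verify in your tenant.
let lookback = 7d;
// Placeholder allow-list built from the false-positive scenarios above
let BenignSenders = dynamic([
    "backup@domain.com",      // scheduled backup job notifications
    "training@domain.com"     // phishing-awareness training mailbox
]);
MessagePostDeliveryEvents
| where Timestamp > ago(lookback)
| where ActionType == 'Phish ZAP'
// Pull sender details for the same Teams message (assumed join key: TeamsMessageId)
| join kind=inner (
    MessageEvents
    | where Timestamp > ago(lookback)
    | project TeamsMessageId, SenderEmailAddress, SenderDisplayName
  ) on TeamsMessageId
// Suppress documented benign senders; case-insensitive comparison
| where SenderEmailAddress !in~ (BenignSenders)
// Collapse to one row per purged message with the set of affected recipients
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Recipients = make_set(RecipientEmailAddress, 50),
    RecipientCount = dcount(RecipientEmailAddress)
    by TeamsMessageId, SenderEmailAddress, SenderDisplayName, ActionResult
// Messages that reached many recipients before ZAP acted are triaged first
| order by RecipientCount desc, LastSeen desc
```

Keep the exclusion list narrow and sender-based rather than URL-based: a system account is a stable identifier, whereas excluding by link pattern reopens exactly the gap the ZAP detection is meant to close. ActionResult is kept in the output because a failed ZAP means the phish is still sitting in a recipient's chat and needs manual removal.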