Adversaries may use Teams post delivery events to exfiltrate data or establish command and control by leveraging legitimate messaging infrastructure. SOC teams should proactively hunt for this behavior to identify potential data exfiltration or C2 activity hidden within normal Teams communication patterns.
KQL Query
//Teams post delivery ZAP events daily trend
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
MessagePostDeliveryEvents
| where Timestamp >= TimeStart
| where ActionType has "ZAP"
| make-series ZappedTeamsMessages = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| render timechart
id: ceea323e-89c9-4594-9fe7-c3075c1b051d
name: Teams post delivery events daily trend
description: |
This query visualizes the daily amount of post delivery events on Teams messages.
description-detailed: |
This query visualizes the daily amount of post delivery events on Teams messages.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- MessagePostDeliveryEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Teams post delivery ZAP events daily trend
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
MessagePostDeliveryEvents
| where Timestamp >= TimeStart
| where ActionType has "ZAP"
| make-series ZappedTeamsMessages = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| render timechart
version: 1.0.0Scenario: Scheduled backup or migration tool processing Teams messages
Description: A third-party tool (e.g., Microsoft 365 Backup, Veeam, or a custom migration script) is processing Teams messages as part of a scheduled backup or migration task, generating post delivery events.
Filter/Exclusion: Exclude events where the source is a known backup/migration tool (e.g., source = "Microsoft 365 Backup" or source = "Veeam"), or filter by the user_principal_name of the backup service account.
Scenario: Automated compliance or audit tool scanning Teams messages
Description: A compliance tool (e.g., Microsoft Purview, Symantec, or a custom script) is scanning Teams messages for policy violations or audit purposes, which results in post delivery events.
Filter/Exclusion: Exclude events where the source is a compliance tool (e.g., source = "Microsoft Purview"), or filter by the user_principal_name of the compliance service account.
Scenario: Daily report generation or analytics tool processing Teams data
Description: An internal analytics tool (e.g., Power BI, Tableau, or a custom ETL process) is pulling data from Teams for reporting, which may trigger post delivery events.
Filter/Exclusion: Exclude events where the source is an internal analytics tool (e.g., source = "Power BI" or source = "Custom ETL"), or filter by the user_principal_name of the analytics service account.
Scenario: Teams message archiving or retention policy execution
Description: Microsoft Teams’ built-in retention policies or third-party archiving tools (e.g., Retention Policies in Microsoft 365) are moving messages to archive, which may generate post delivery events