Adversaries may use Teams to send spam messages as part of a phishing or credential harvesting campaign; Zero-hour auto purge (ZAP) may then remove such messages after delivery. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft or lateral movement attempts.
KQL Query
//Zero-hour auto purge (ZAP) took action on Teams messages containing Spam after delivery
MessagePostDeliveryEvents
| where ActionType == 'Spam ZAP'
id: f9e101e9-a71c-4ed5-a248-31965fe6ace6
name: Teams Spam ZAP
description: |
  This query helps hunt for Teams messages with Spam threats that have been ZAPed.
description-detailed: |
  This query helps hunt for Teams messages with Spam threats that have been ZAPed, using Microsoft Defender for Office 365 and Advanced hunting in Microsoft Defender XDR.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessagePostDeliveryEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //Zero-hour auto purge (ZAP) took action on Teams messages containing Spam after delivery
  MessagePostDeliveryEvents
  | where ActionType == 'Spam ZAP'
version: 1.0.0
Scenario: Scheduled Job Sending Test Messages to a Test Team
Description: A scheduled job or automation tool (e.g., Power Automate, Azure DevOps, or a custom script) sends test messages to a test team channel as part of a QA or deployment process.
Filter/Exclusion: Exclude messages sent to teams with the label “Test” or “QA” using the team_name field. Example filter: team_name:*Test*

Scenario: Admin Task to Archive Old Messages
Description: An admin uses the Microsoft Teams admin center or PowerShell to archive old messages as part of a compliance or retention policy.
Filter/Exclusion: Exclude messages where the action field indicates “archive” or “delete” using a custom field or tag. Example filter: action:*archive*

Scenario: User-Initiated Message Deletion via Teams UI
Description: A user deletes a message directly from the Teams interface, which may trigger the ZAP detection logic due to the deletion event.
Filter/Exclusion: Exclude messages where the user_action field indicates “delete” or “remove” using a custom field. Example filter: user_action:*delete*

Scenario: Integration with Third-Party Spam Filtering Tool
Description: A third-party spam filtering tool (e.g., Cisco Secure Email, Proofpoint, or Microsoft Defender for Office 365) automatically deletes spam messages in Teams, triggering the ZAP detection.
Filter/Exclusion: Exclude messages where the source field indicates a known spam filtering tool (e.g., source:*Cisco* or source:*Proofpoint*)

Scenario: System-Generated Notifications or Alerts
Description: System-generated messages (e.g., from Microsoft Teams notifications, calendar reminders, or integration alerts) are mistakenly
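As an added example that is not part of the original query or page, the Python below models the hunt (ActionType == 'Spam ZAP') together with the "field:*pattern*" exclusion filters from the scenarios above, run over a constructed sample of events; the field names team_name, user_action and source are taken from the page's filters and are assumed here, not verified against the MessagePostDeliveryEvents schema. It also reports which exclusion suppressed each event, which is what a tuner needs when deciding whether a filter is too broad.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry). ActionType mirrors the
# page's KQL filter; team_name, user_action and source are the (assumed)
# fields named in the page's exclusion filters.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "ActionType": "Spam ZAP", "team_name": "Finance", "user_action": "", "source": "Defender"},
    {"id": "2", "ActionType": "Spam ZAP", "team_name": "QA-Test", "user_action": "", "source": "Defender"},
    {"id": "3", "ActionType": "Phish ZAP", "team_name": "Finance", "user_action": "", "source": "Defender"},
    {"id": "4", "ActionType": "Spam ZAP", "team_name": "Sales", "user_action": "delete", "source": "Defender"},
    {"id": "5", "ActionType": "Spam ZAP", "team_name": "Sales", "user_action": "", "source": "Proofpoint"},
    {"id": "6", "ActionType": "Spam ZAP", "team_name": "Legal", "user_action": "", "source": "Defender"},
]

# Exclusions in the page's "field:*pattern*" notation, one per scenario.
EXCLUSIONS = ["team_name:*Test*", "team_name:*QA*", "user_action:*delete*",
              "source:*Cisco*", "source:*Proofpoint*"]


def parse_filter(expr: str) -> Tuple[str, str]:
    """Split 'field:*pattern*' into (field, glob pattern); reject malformed input."""
    field, sep, pattern = expr.partition(":")
    if not sep or not field or not pattern:
        raise ValueError(f"malformed exclusion filter: {expr!r}")
    return field, pattern


def matches(event: Dict[str, str], expr: str) -> bool:
    """Case-insensitive glob match, like a Log Analytics text search."""
    field, pattern = parse_filter(expr)
    return fnmatch.fnmatchcase(event.get(field, "").lower(), pattern.lower())


def hunt(events: List[Dict[str, str]], exclusions: List[str]) -> List[Dict[str, str]]:
    """Return Spam ZAP events that no exclusion filter suppresses."""
    return [ev for ev in events
            if ev.get("ActionType") == "Spam ZAP"
            and not any(matches(ev, x) for x in exclusions)]


def explain(events: List[Dict[str, str]], exclusions: List[str]) -> Dict[str, str]:
    """Map event id -> the first exclusion that suppressed it (tuning aid)."""
    out: Dict[str, str] = {}
    for ev in events:
        if ev.get("ActionType") != "Spam ZAP":
            continue
        for x in exclusions:
            if matches(ev, x):
                out[ev["id"]] = x
                break
    return out
```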