Adversaries who phish over Microsoft Teams, whether from a compromised tenant account or from an external sender domain, can slip past automated filtering; often the first signal is a user reporting the chat message. This query aggregates user-submitted Teams messages (reported either as missed threats, i.e. false negatives, or as wrongly flagged messages, i.e. false positives) by sender domain, so SOC teams can hunt in Microsoft Sentinel (formerly Azure Sentinel) for domains that users keep reporting, a pattern that can indicate phishing or malware distribution that detection missed.
KQL Query
CloudAppEvents
| where ActionType == "UserSubmission"
// RawEventData is a JSON string; parse it once and pull out the submission fields
| extend Raw = parse_json(RawEventData)
| extend SubmissionType = tostring(Raw.SubmissionType),
         SubmissionContentType = tostring(Raw.SubmissionContentType),
         P2SenderDomain = tostring(Raw.P2SenderDomain)
// Keep Teams chat submissions only (email submissions have a different content type)
| where SubmissionContentType == "ChatMessage"
| summarize TeamsMessages = count() by P2SenderDomain
| top 10 by TeamsMessages desc
id: bebb6652-3c52-4358-a946-ecd63cddf082
name: Top 10 sender domains - Teams user submissions FN or FP
description: |
  This query visualises Teams messages submitted by users as false negatives or false positives, summarizing the data by the top 10 sender domains of those messages.
description-detailed: |
  This query visualises Teams messages submitted by users as false negatives or false positives, summarizing the data by the top 10 sender domains of those messages.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "UserSubmission"
  | extend Raw = parse_json(RawEventData)
  | extend SubmissionType = tostring(Raw.SubmissionType),
           SubmissionContentType = tostring(Raw.SubmissionContentType),
           P2SenderDomain = tostring(Raw.P2SenderDomain)
  | where SubmissionContentType == "ChatMessage"
  | summarize TeamsMessages = count() by P2SenderDomain
  | top 10 by TeamsMessages desc
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Populated by the MicrosoftThreatProtection data connector listed above; ensure that connector is enabled, or the table is empty |
Scenario: Automated system message from the Microsoft Teams service
Description: A legitimate system message sent by Teams itself (e.g., notifications about meeting updates, calendar invites, or service announcements) is reported by a user as a false positive.
Filter/Exclusion: Exclude the Microsoft sender domains (teams.microsoft.com and subdomains of microsoft.com) with a domain filter on P2SenderDomain. Match subdomains with the leading dot (".microsoft.com") rather than a bare suffix match, so look-alike domains such as notmicrosoft.com are not excluded along with them.
Scenario: Scheduled backup or sync job using a Teams integration
Description: A scheduled job (e.g., a backup tool or data-sync script) posts messages through a Teams bot or integration as part of its workflow; this is expected activity.
Filter/Exclusion: Exclude messages from known automation (e.g., Power Automate flows or clients calling the Microsoft Graph API) by their sender identity or application identifier.
Scenario: Admin task execution via Teams chat
Description: An admin uses Teams chat to communicate with users or systems during routine maintenance, configuration changes, or troubleshooting, which is legitimate activity.
Filter/Exclusion: Exclude messages sent by admin accounts (e.g., admin@domain.com) or by members of specific groups (e.g., ITSupport, Admins) using a user-group or sender-address filter. Because the query aggregates by sender domain only, a sender-level exclusion needs a sender-address field in addition to P2SenderDomain.
Scenario: User submission of a false negative via Teams during a training exercise
Description: A user deliberately reports a message as a missed threat (false negative) as part of a security awareness exercise or phishing simulation, e.g., reporting the simulation message as phishing.
Filter/Exclusion: Exclude submissions made by accounts tagged as training or test users, using a custom attribute or role-based filter on the reporting account, or exclude the simulation's sender domain.
Scenario: Integration with third-party SaaS tools via Teams
Description: A third-party application (e.g., ServiceNow, Jira, or Slack) integrates with Teams and sends messages as part of its workflow, which is a common and legitimate use case.