Adversaries may leverage false negative or false positive user submissions in Microsoft Teams to bypass detection and manipulate content filtering mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential obfuscation tactics used by advanced persistent threats.
KQL Query
```kql
CloudAppEvents
| where ActionType == "UserSubmission"
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),
         SubmissionContentType = tostring((parse_json(RawEventData)).SubmissionContentType),
         SubmittedBy = tostring((parse_json(RawEventData)).UserId)
| where SubmissionContentType == "ChatMessage"
| summarize count() by SubmittedBy
| project SubmittedBy, TeamsMessages = count_
| top 10 by TeamsMessages desc
```
```yaml
id: 9ffbd78f-c87c-4fd2-96ec-fd46e27bbd21
name: Top accounts performing Teams user submissions FN or FP
description: |
  This query visualises the top users performing false negative or false positive user submissions of Teams messages
description-detailed: |
  This query visualises the top users performing false negative or false positive user submissions of Teams messages
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "UserSubmission"
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),
           SubmissionContentType = tostring((parse_json(RawEventData)).SubmissionContentType),
           SubmittedBy = tostring((parse_json(RawEventData)).UserId)
  | where SubmissionContentType == "ChatMessage"
  | summarize count() by SubmittedBy
  | project SubmittedBy, TeamsMessages = count_
  | top 10 by TeamsMessages desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Compliance Export Job | A scheduled job runs to export Teams user activity data for compliance purposes, which triggers a large number of user submissions. | Exclude activity from the ComplianceExportJob tool or filter by source field containing "ComplianceExportJob". |
| Admin Performing User Activity Review | An admin manually reviews user activity in Teams using the Microsoft 365 admin center, which results in multiple user submissions. | Exclude submissions where the user_principal_name matches known admin accounts or filter by action field containing "Admin Review". |
| Automated Threat Intelligence Feed Integration | An automated threat intelligence feed updates Teams user submissions with known malicious activity, causing false positives. | Exclude submissions where the source field is from a known threat intelligence integration (e.g., ThreatIntelFeed-Team) or filter by feed_name. |
| User-Initiated Data Export via Power Automate | A user uses Power Automate to export Teams messages, which results in a high volume of user submissions. | Exclude submissions where the source field includes "Power Automate" or filter by flow_name containing "DataExport". |
| System-Generated Audit Logs for User Activity | System-generated audit logs from Microsoft 365 are being ingested, which include user submissions as part of standard logging. | Exclude submissions where the log_type field is "AuditLog" or filter by source field containing "AuditLogService". |
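The following is an added tuning variant of the hunting query above, not part of the original Sentinel content: it keeps the same RawEventData parsing but bounds the lookback window, drops accounts an analyst has already confirmed as automation or admin review (the `KnownBenignSubmitters` list and its addresses are placeholders), and surfaces the SubmissionType values and first/last seen times per account so a reviewer can tell a burst of FN/FP submissions from steady background activity. `Timestamp` is a standard CloudAppEvents column; the lookback of 30 days is an assumption.

```kql
// Assumption: placeholder addresses, replace with accounts confirmed benign for your tenant
let KnownBenignSubmitters = dynamic(["complianceexport@contoso.example", "secops-review@contoso.example"]);
let Lookback = 30d;  // assumption: adjust to the hunting window you want
CloudAppEvents
| where Timestamp > ago(Lookback)
| where ActionType == "UserSubmission"
| extend Raw = parse_json(RawEventData)
| extend SubmissionType = tostring(Raw.SubmissionType),
         SubmissionContentType = tostring(Raw.SubmissionContentType),
         SubmittedBy = tostring(Raw.UserId)
| where SubmissionContentType == "ChatMessage"
// Exclude submitters already triaged as benign automation or admin review
| where SubmittedBy !in~ (KnownBenignSubmitters)
| summarize TeamsMessages = count(),
            SubmissionTypes = make_set(SubmissionType),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            ActiveDays = dcount(bin(Timestamp, 1d))
            by SubmittedBy
// A high count concentrated in few ActiveDays is a burst worth a closer look
| extend SubmissionsPerActiveDay = round(todouble(TeamsMessages) / ActiveDays, 1)
| top 10 by TeamsMessages desc
```

Accounts from the false positive table that cannot be named up front (for example Power Automate flows) still show up here, so the ActiveDays and SubmissionsPerActiveDay columns are meant to help separate scheduled, evenly spread submissions from a one-off spike.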