Adversaries may use compromised external domains to send malicious payloads via Teams messages as part of a phishing or malware distribution campaign. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential malware delivery vectors before they cause widespread damage.
KQL Query
//Top External Sender domains sending Teams message with Malware threats
MessageEvents
| where IsExternalThread==1 and IsOwnedThread==0
| where ThreatTypes contains "Malware"
| extend SenderDomain = tostring(split(SenderEmailAddress, "@")[1])
| summarize count() by SenderDomain
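The same hunt, written out as an added example rather than the page's own query: it bounds the time window, uses `has` for term matching on ThreatTypes, ranks domains by volume and keeps first/last-seen timestamps plus a sample of sender addresses so the result is directly triageable. It relies only on the columns the original query references plus Timestamp, which every advanced hunting table carries.

```kql
// Added example: ranked external sender domains with Malware verdicts, last 30 days
MessageEvents
| where Timestamp > ago(30d)
| where IsExternalThread == 1 and IsOwnedThread == 0
// ThreatTypes can carry several verdicts; `has` matches the whole term and uses the index, unlike `contains`
| where ThreatTypes has "Malware"
// normalise case so Example.COM and example.com aggregate together
| extend SenderDomain = tolower(tostring(split(SenderEmailAddress, "@")[1]))
| where isnotempty(SenderDomain)
| summarize
    MessageCount = count(),
    DistinctSenders = dcount(SenderEmailAddress),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleSenders = make_set(SenderEmailAddress, 5)
    by SenderDomain
| order by MessageCount desc
```

A domain with many messages but a single sender address and a narrow FirstSeen/LastSeen window usually points to one compromised account; many distinct senders spread over weeks is more typical of a legitimate service, which is what the exclusion scenarios further down address.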
id: 37c0d39b-1eb8-4aa0-bded-d0b058082571
name: Top External Sender domains - Malware
description: |
  Top External Sender domains sending Teams messages with Malware threats
description-detailed: |
  This query helps hunt for Top External Sender domains sending Teams messages with Malware threats, using Microsoft Defender for Office 365 and Advanced hunting in Microsoft Defender XDR
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //Top External Sender domains sending Teams message with Malware threats
  MessageEvents
  | where IsExternalThread==1 and IsOwnedThread==0
  | where ThreatTypes contains "Malware"
  | extend SenderDomain = tostring(split(SenderEmailAddress, "@")[1])
  | summarize count() by SenderDomain
version: 1.0.0
Scenario: A system administrator is using Microsoft Intune to deploy a Windows Update that includes a PowerShell script for patch management. This script is sent via Microsoft Teams from an external domain used by Microsoft’s update service.
Filter/Exclusion: Exclude domains associated with Microsoft services (e.g., *.microsoft.com, *.azure.com) or include a whitelist of known safe domains used for administrative tasks.
Scenario: A scheduled backup job is configured to send a report via Teams to an internal security team. The backup tool uses an external domain for authentication or API calls, triggering the rule.
Filter/Exclusion: Exclude domains used by internal backup tools (e.g., backup-tool.example.com) or filter messages sent from known internal IP ranges or internal domains.
Scenario: A third-party service (e.g., ServiceNow) is configured to send incident alerts via Teams to the SOC team. The service uses an external domain for its API, which is flagged as a potential malware sender.
Filter/Exclusion: Exclude domains associated with known third-party services (e.g., *.servicenow.com) or add a filter for messages sent to specific Teams channels designated for alerts.
Scenario: An IT helpdesk tool (e.g., Zendesk) sends status updates via Teams to internal users. The tool uses an external domain for its API, which is mistakenly flagged by the detection rule.
Filter/Exclusion: Exclude domains used by IT helpdesk tools (e.g., *.zendesk.com) or filter messages based on the Teams channel or user group they are sent to.
Scenario: A CI/CD pipeline (e.g., Jenkins) sends a build status update via Teams to the development team. The pipeline uses an external
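The hunt with the domain exclusions the scenarios above describe, as an added example that is not part of the original page. The exact-match list and the wildcard pattern are placeholder values to be replaced with the organisation's own approved senders. The `(^|\.)` anchor in the pattern matches an allowed domain and its subdomains (`updates.microsoft.com`) but not a name that merely begins with the allowed domain (`microsoft.com.lookalike.example`), which a bare `contains` check would wrongly exclude. Allowlisted rows are tagged before they are dropped, so the last line can be removed to keep them visible for review; a Malware verdict on an approved vendor domain is worth a look in its own right.

```kql
// Added example: the hunt with a maintained allowlist of approved external sender domains
// Exact-match entries (placeholder values), e.g. the backup tool's sender domain
let AllowedExactDomains = dynamic(["backup-tool.example.com"]);
MessageEvents
| where Timestamp > ago(30d)
| where IsExternalThread == 1 and IsOwnedThread == 0
| where ThreatTypes has "Malware"
| extend SenderDomain = tolower(tostring(split(SenderEmailAddress, "@")[1]))
| where isnotempty(SenderDomain)
// Tag rather than silently drop: exact match (case-insensitive) OR wildcard match.
// (^|\.) anchors on a label boundary, so "microsoft.com.lookalike.example" is NOT allowlisted.
| extend IsAllowlisted = SenderDomain in~ (AllowedExactDomains)
    or SenderDomain matches regex @"(^|\.)(microsoft\.com|azure\.com|servicenow\.com|zendesk\.com)$"
| summarize MessageCount = count(), LastSeen = max(Timestamp) by SenderDomain, IsAllowlisted
| order by IsAllowlisted asc, MessageCount desc
// Remove the next line to keep allowlisted domains in the output for periodic review
| where not(IsAllowlisted)
```

The channel- and recipient-based filters mentioned in the scenarios (alert channels, specific user groups) need the table's recipient and thread columns, which this example does not touch; they would be added as further `where` clauses before the `summarize`.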