Adversaries may use compromised external domains to send spam messages via Microsoft Teams as part of phishing campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential spear-phishing attempts and reduce the risk of credential compromise.
KQL Query
//Top External Sender domains sending Teams message with Spam threats
MessageEvents
| where IsExternalThread==1 and IsOwnedThread==0
| where ThreatTypes contains "Spam"
| extend SenderDomain = tostring(split(SenderEmailAddress, "@")[1])
| summarize count() by SenderDomain
id: 96ea02b2-7db7-4206-bd7f-c3c579d33fcc
name: Top External Sender domains - Spam
description: |
  Top External Sender domains sending Teams message with Spam threats
description-detailed: |
  This query helps hunt for Top External Sender domains sending Teams messages with Spam threats, using Microsoft Defender for Office 365 and Advanced hunting in Microsoft Defender XDR
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //Top External Sender domains sending Teams message with Spam threats
  MessageEvents
  | where IsExternalThread==1 and IsOwnedThread==0
  | where ThreatTypes contains "Spam"
  | extend SenderDomain = tostring(split(SenderEmailAddress, "@")[1])
  | summarize count() by SenderDomain
version: 1.0.0
False positive scenarios and suggested exclusions

Scenario: A system administrator sends a bulk email notification using Microsoft Teams to inform users about a scheduled maintenance window.
Filter/Exclusion: Exclude domains associated with internal admin tools like Microsoft 365 Admin Center or Exchange Online PowerShell.

Scenario: A scheduled backup job uses Power Automate to send a Teams message confirming the completion of the backup process.
Filter/Exclusion: Exclude domains related to Power Automate or Azure Logic Apps.

Scenario: A third-party service (e.g., ServiceNow) integrates with Teams to send alerts to the IT department.
Filter/Exclusion: Exclude domains from known service providers like ServiceNow, Zendesk, or Jira.

Scenario: A DevOps pipeline (e.g., Azure DevOps) sends a Teams message to notify the team about a successful deployment.
Filter/Exclusion: Exclude domains associated with Azure DevOps, GitHub Actions, or GitLab CI/CD.

Scenario: An IT helpdesk tool (e.g., ServiceDesk Plus) sends Teams messages to escalate user issues.
Filter/Exclusion: Exclude domains from ServiceDesk Plus, Freshdesk, or Zendesk.
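The query above lists raw counts per domain; the scenarios show that known automation and service-provider domains need to be excluded before the list is useful for triage. The following KQL is an added example, not part of the original query or the Sentinel content hub entry: it applies a maintained allowlist to the same hunt, bounds it to a lookback window, and adds per-domain context (distinct senders, distinct recipients, first/last seen) so a domain spraying many users stands out. The allowlist values are constructed placeholders, and the `Timestamp` and `RecipientEmailAddress` columns of `MessageEvents` are assumed.

```kql
// Added example (not the page's own query): the same Teams spam hunt with
// an exclusion list and triage context. Assumes MessageEvents exposes
// Timestamp and RecipientEmailAddress alongside the columns used above.
let lookback = 7d;
// Constructed allowlist: replace with the domains your own automation
// (Power Automate, Azure DevOps, ServiceNow, ...) actually sends from.
// In Sentinel this would normally come from a watchlist rather than a literal.
let AllowedExternalDomains = datatable(Domain: string) [
    "example-automation.com",
    "example-itsm.com"
];
MessageEvents
| where Timestamp > ago(lookback)
| where IsExternalThread == 1 and IsOwnedThread == 0
| where ThreatTypes contains "Spam"
// Normalise the domain so case differences do not split one sender into two rows
| extend SenderDomain = tolower(tostring(split(SenderEmailAddress, "@")[1]))
| where isnotempty(SenderDomain)
// Drop the expected external senders described in the scenarios above
| where SenderDomain !in (AllowedExternalDomains)
| summarize
    SpamMessages = count(),
    DistinctSenders = dcount(SenderEmailAddress),
    DistinctRecipients = dcount(RecipientEmailAddress),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by SenderDomain
// One domain reaching many recipients in a short window is the spray
// pattern to look at first; volume alone is a weaker signal.
| order by DistinctRecipients desc, SpamMessages desc
| take 20
```

Review the top rows against the scenario list before adding a domain to the allowlist: a domain that is legitimate for one integration can still be abused if the integration's credentials are compromised, so exclude the sending domain rather than the whole thread type.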