Query Details

Detecting Teams Phisher Attack With Azure Sentinel

Query

//Detecting TeamsPhisher attack with Azure Sentinel
//https://www.linkedin.com/pulse/detecting-teamsphisher-attack-azure-sentinel-steven-lim/

OfficeActivity
| where TimeGenerated > ago(1h)
| where RecordType =~ 'MicrosoftTeams'
| where Operation == "MessageCreatedHasLink"
| where CommunicationType == "OneOnOne" or CommunicationType == "GroupChat"
| where UserId !endswith "your_corporate_domain_1"     // Filter off all internal teams user 1-to-1 message
and UserId !endswith "your_corporate_domain_2"
and UserId !endswith "your_corporate_domain_3"
| extend UserDomains = tostring(split(UserId, '@')[1])
| extend UserIPs = tostring(split(ClientIP, '::ffff:')[1])
| where UserIPs != ""
| distinct UserIPs
| join ThreatIntelligenceIndicator on $left.UserIPs == $right.NetworkIP

// MITRE ATT&CK Mapping

// Based on the operations and objectives of the KQL code, the following MITRE ATT&CK techniques are relevant:

// T1071.001 - Application Layer Protocol: Web Protocols:
// The query looks for messages with links, which can be used for command and control via web protocols.
// T1071.003 - Application Layer Protocol: Mail Protocols:
// Although this is specific to email, the concept of using communication platforms for malicious purposes is similar.
// T1071.004 - Application Layer Protocol: Remote Services:
// External communication via Microsoft Teams can be considered a form of remote service.
// T1071.005 - Application Layer Protocol: Web Protocols:
// Detecting links in messages aligns with identifying potential web-based command and control.
// T1071.006 - Application Layer Protocol: Web Protocols:
// The use of external IP addresses and domains can indicate external command and control.
// T1071.007 - Application Layer Protocol: Web Protocols:
// Correlating with threat intelligence indicators helps identify known malicious infrastructure.

Explanation

This query is designed to detect potential phishing attacks on Microsoft Teams using Azure Sentinel. Here's a simplified breakdown of what the query does:

  1. Data Source: It examines activity logs from Microsoft Teams, specifically focusing on messages that contain links.

  2. Time Frame: It looks at data generated in the last hour.

  3. Message Type: It filters for messages that are either one-on-one or in group chats.

  4. Exclusion of Internal Users: It excludes messages from users within specified corporate domains to focus on external communications.

  5. User Information: It extracts the domain part of the user IDs and the IP addresses from which the messages were sent.

  6. IP Filtering: It ensures that only messages with valid IP addresses are considered.

  7. Threat Intelligence: It cross-references the extracted IP addresses with known threat intelligence indicators to identify potentially malicious activity.

  8. MITRE ATT&CK Mapping: The query is aligned with several MITRE ATT&CK techniques related to the use of application layer protocols for malicious purposes, such as command and control through web protocols and external communication.

In essence, this query helps identify suspicious external communications in Microsoft Teams that might indicate phishing attempts or other malicious activities.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

OfficeActivityThreatIntelligenceIndicator

Keywords

OfficeActivityMicrosoftTeamsMessageCreatedHasLinkOneOnOneGroupChatUserIdUserDomainsUserIPsClientIPThreatIntelligenceIndicatorNetworkIP

Operators

ago=~==or!endswithandextendtostringsplit!=distinctjoinon

Actions

GitHub