Uncommon access to Microsoft Teams credential files

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent Requires: eXtended Threat Hunting (XTH)
Detection Modules
ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Unsecured Credentials (T1552)
Severity	Low

Sensitive Microsoft Teams credential files were accessed.

Accessing these files is done by attackers to collect user credentials.

Investigate the actor process to determine if it was used for legitimate purposes or malicious activity.

Sensitive Microsoft Teams credential files were accessed. by an unsigned and unpopular process.

Accessing these files is done by attackers to collect user credentials.

Investigate the actor process to determine if it was used for legitimate purposes or malicious activity.