External user call via Microsoft Teams

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2026-05-18
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires:
    • Office 365 Audit

Detection Modules

Identity Threat Module

Detector Tags

Microsoft Teams

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing: Spearphishing Voice (T1566.004)

Severity

Informational

Description

An external user called a user in the organization via Microsoft Teams.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct voice phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Confirm that the external tenant and external user are authorized to call users in the organization.
  • Check external domain reputation.
  • Follow further actions performed by the user who participated in the call.
  • Verify whether the user account was compromised or the user was a victim of a voice phishing campaign.

Variations

A first seen external user with a suspicious name initiated a Microsoft Teams call

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing: Spearphishing Voice (T1566.004)

Severity

Medium

Description

A first-seen external user with a suspicious name successfully called a user in the organization via Microsoft Teams.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct voice phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Confirm that the external tenant and external user are authorized to call users in the organization.
  • Check external domain reputation.
  • Follow further actions performed by the user who participated in the call.
  • Verify whether the user account was compromised or the user was a victim of a voice phishing campaign.


An external user with a suspicious name initiated a Microsoft Teams call

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing: Spearphishing Voice (T1566.004)

Severity

Low

Description

An external user with a suspicious name called a user in the organization via Microsoft Teams.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct voice phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Confirm that the external tenant and external user are authorized to call users in the organization.
  • Check external domain reputation.
  • Follow further actions performed by the user who participated in the call.
  • Verify whether the user account was compromised or the user was a victim of a voice phishing campaign.