Synopsis

| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 3 Hours |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Threat Module |
| Detector Tags | Microsoft Teams |
| ATT&CK Tactic | Initial Access (TA0001) |
| ATT&CK Technique | Phishing (T1566) |
| Severity | Informational |

Description
An external user created a Microsoft Teams conversation with users in the organization, accompanied by additional suspicious operations.
Attacker's Goals
Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
Investigative actions
- Confirm that the tenant and user are authorized to start a conversation with users in the organization.
- Verify whether any user was removed from the conversation, and determine the reason for their removal.
- Verify the content of the conversation and validate that there is no phishing attempt being made.
- Inspect links and URLs that might have been sent in the conversation.
- Check external domain reputation.
- Review past communication from the external user.
- Follow further actions done by the account.
Variations
An external user initiated a Microsoft Teams chat in which a suspicious link was shared and a member was removed
Synopsis
Description
An external user initiated a Microsoft Teams chat in which a link with a domain that hasn't been seen in the last 30 days was shared, and a member was removed.
Attacker's Goals
Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
Investigative actions
- Confirm that the tenant and user are authorized to start a conversation with users in the organization.
- Verify whether any user was removed from the conversation, and determine the reason for their removal.
- Verify the content of the conversation and validate that there is no phishing attempt being made.
- Inspect links and URLs that might have been sent in the conversation.
- Check external domain reputation.
- Review past communication from the external user.
- Follow further actions done by the account.
An external user created a chat and shortly after sent a link with a newly seen domain name
Synopsis
Description
An external user created a chat and shortly after sent a link in a Microsoft Teams conversation; the link refers to a domain that was seen for the first time in the past 30 days.
Attacker's Goals
Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
Investigative actions
- Confirm that the tenant and user are authorized to start a conversation with users in the organization.
- Verify whether any user was removed from the conversation, and determine the reason for their removal.
- Verify the content of the conversation and validate that there is no phishing attempt being made.
- Inspect links and URLs that might have been sent in the conversation.
- Check external domain reputation.
- Review past communication from the external user.
- Follow further actions done by the account.
An external user initiated a Microsoft Teams chat in which a link was shared and a member was removed
Synopsis
Description
An external user initiated a Microsoft Teams chat in which a link with a rarely seen domain was shared, and a member was removed.
Attacker's Goals
Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
Investigative actions
- Confirm that the tenant and user are authorized to start a conversation with users in the organization.
- Verify whether any user was removed from the conversation, and determine the reason for their removal.
- Verify the content of the conversation and validate that there is no phishing attempt being made.
- Inspect links and URLs that might have been sent in the conversation.
- Check external domain reputation.
- Review past communication from the external user.
- Follow further actions done by the account.
An external user created a chat then sent a link with a file for the first time via Microsoft Teams
Synopsis
Description
An external user sent a link for the first time during the past 30 days in a Microsoft Teams conversation, and the link points to a file.
Attacker's Goals
Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
Investigative actions
- Confirm that the tenant and user are authorized to start a conversation with users in the organization.
- Verify whether any user was removed from the conversation, and determine the reason for their removal.
- Verify the content of the conversation and validate that there is no phishing attempt being made.
- Inspect links and URLs that might have been sent in the conversation.
- Check external domain reputation.
- Review past communication from the external user.
- Follow further actions done by the account.
An external user created a chat with a suspicious user or chat name and then sent a link via Microsoft Teams
Synopsis
Description
An external user created a chat with a suspicious user or chat name and sent a link in Microsoft Teams, which can be a phishing attempt.
Attacker's Goals
Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
Investigative actions
- Confirm that the tenant and user are authorized to start a conversation with users in the organization.
- Verify whether any user was removed from the conversation, and determine the reason for their removal.
- Verify the content of the conversation and validate that there is no phishing attempt being made.
- Inspect links and URLs that might have been sent in the conversation.
- Check external domain reputation.
- Review past communication from the external user.
- Follow further actions done by the account.
External user created a Microsoft Teams conversation with a suspicious user or chat name and shortly after removed a user from it
Synopsis
Description
An external user created a conversation with a suspicious user or chat name and then removed a member, which could indicate suspicious activity.
Attacker's Goals
Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
Investigative actions
- Confirm that the tenant and user are authorized to start a conversation with users in the organization.
- Verify whether any user was removed from the conversation, and determine the reason for their removal.
- Verify the content of the conversation and validate that there is no phishing attempt being made.
- Inspect links and URLs that might have been sent in the conversation.
- Check external domain reputation.
- Review past communication from the external user.
- Follow further actions done by the account.
An external user created a chat then sent a link via Microsoft Teams
Synopsis
Description
An external user created a chat and sent a link in Microsoft Teams, which can be a phishing attempt.
Attacker's Goals
Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
Investigative actions
- Confirm that the tenant and user are authorized to start a conversation with users in the organization.
- Verify whether any user was removed from the conversation, and determine the reason for their removal.
- Verify the content of the conversation and validate that there is no phishing attempt being made.
- Inspect links and URLs that might have been sent in the conversation.
- Check external domain reputation.
- Review past communication from the external user.
- Follow further actions done by the account.
An external user created a chat and then sent a link via Microsoft Teams
Synopsis
Description
An external user created a chat and sent a link in Microsoft Teams, which can be a phishing attempt.
Attacker's Goals
Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
Investigative actions
- Confirm that the tenant and user are authorized to start a conversation with users in the organization.
- Verify whether any user was removed from the conversation, and determine the reason for their removal.
- Verify the content of the conversation and validate that there is no phishing attempt being made.
- Inspect links and URLs that might have been sent in the conversation.
- Check external domain reputation.
- Review past communication from the external user.
- Follow further actions done by the account.
External user created a Microsoft Teams conversation and shortly after removed a user from it
Synopsis
Description
An external user created a conversation and then removed a member, which could indicate suspicious activity.
Attacker's Goals
Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
Investigative actions
- Confirm that the tenant and user are authorized to start a conversation with users in the organization.
- Verify whether any user was removed from the conversation, and determine the reason for their removal.
- Verify the content of the conversation and validate that there is no phishing attempt being made.
- Inspect links and URLs that might have been sent in the conversation.
- Check external domain reputation.
- Review past communication from the external user.
- Follow further actions done by the account.
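
The correlation that the variations above describe (external creator, link sent shortly after, domain not seen in 30 days, member removed) can be sketched as follows. This is an added example, not the product's own detection logic: the event keys, the `op` values, the 3-hour meaning of "shortly after" and the sample records are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

BASELINE = timedelta(days=30)  # "not seen in the last 30 days" (from the page)
WINDOW = timedelta(hours=3)    # assumption: the page only says "shortly after"
T0 = datetime(2024, 5, 1, 9, 0)  # constructed reference time for the sample

def domain(url):
    return (urlsplit(url).hostname or "").rstrip(".")  # lower-cased host, no port

def signals_per_chat(events, domain_last_seen, home_tenant):
    """Map chat_id -> set of signals, for chats created by an external user.
    Event keys (hypothetical): ts, op, chat_id, actor, tenant, url."""
    creators, out = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] == "chat_created":
            if e["tenant"] != home_tenant:  # creator is outside the organization
                creators[e["chat_id"]] = e
                out[e["chat_id"]] = set()
            continue
        created = creators.get(e["chat_id"])
        # Count only follow-ups by the same external user, inside the window.
        if (created is None or e["actor"] != created["actor"]
                or e["ts"] - created["ts"] > WINDOW):
            continue
        if e["op"] == "member_removed":
            out[e["chat_id"]].add("member_removed")
        elif e["op"] == "link_sent":
            out[e["chat_id"]].add("link_sent")
            seen = domain_last_seen.get(domain(e["url"]))
            if seen is None or e["ts"] - seen > BASELINE:
                out[e["chat_id"]].add("new_domain")
    return out

def ev(minutes, op, chat_id, actor, tenant, url=None):
    return {"ts": T0 + timedelta(minutes=minutes), "op": op, "chat_id": chat_id,
            "actor": actor, "tenant": tenant, "url": url}
SAMPLE_EVENTS = [  # constructed sample data, not real audit records
    ev(0, "chat_created", "c1", "ext1", "ext-tenant"),
    ev(2, "link_sent", "c1", "ext1", "ext-tenant", "https://Login.New-Portal.example/doc"),
    ev(5, "member_removed", "c1", "ext1", "ext-tenant"),
    ev(0, "chat_created", "c2", "alice", "home-tenant"),
    ev(1, "link_sent", "c2", "alice", "home-tenant", "https://new-portal.example/"),
    ev(10, "chat_created", "c3", "ext2", "ext-tenant"),
    ev(12, "link_sent", "c3", "ext2", "ext-tenant", "https://docs.known.example/x"),
    ev(400, "member_removed", "c3", "ext2", "ext-tenant"),  # outside WINDOW
]
SAMPLE_LAST_SEEN = {"docs.known.example": T0 - timedelta(days=3),
                    "login.new-portal.example": T0 - timedelta(days=45)}
```

Calling `signals_per_chat(SAMPLE_EVENTS, SAMPLE_LAST_SEEN, "home-tenant")` gives the signal set per externally created chat; a chat carrying all three signals corresponds to the first variation, and `link_sent` plus `new_domain` to the second.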