External user started a Microsoft Teams conversation

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2026-01-14
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: 1 Hour
Deduplication Period: 1 Day
Required Data:
  • Requires:
    • Office 365 Audit
Detection Modules: Identity Threat Module
Detector Tags: Microsoft Teams
ATT&CK Tactic: Initial Access (TA0001)
ATT&CK Technique: Phishing (T1566)
Severity: Informational

Description

An external user started a Microsoft Teams conversation with users in the organization.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Confirm that the tenant and user are authorized to start a conversation with users in the organization.
  • Verify the content of the conversation and validate that there is no phishing attempt being made.
  • Inspect links and URLs that might have been sent in the conversation.
  • Check external domain reputation.
  • Review past communication from the external user.
  • Follow further actions done by the account.
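
The first, fifth and sixth investigative actions can be run offline over an Office 365 audit export. The following is an added triage sketch, not Cortex XDR's detection logic or code from this reference. The record field names (Operation, UserId, ChatName, Members, UPN), the domains and the approved list are assumptions, and the records are constructed.

```python
from collections import defaultdict

# Hypothetical values: our own domain and external domains approved for Teams chat.
INTERNAL_DOMAIN = "corp.example"
APPROVED_EXTERNAL_DOMAINS = {"partner.example"}

def _chat(time, user, name, *members):
    # Build one constructed "chat created" record; field names are assumed.
    return {"CreationTime": time, "Operation": "ChatCreated", "UserId": user,
            "ChatName": name, "Members": [{"UPN": m} for m in (user, *members)]}

# Constructed sample records; verify field names against a real export before reuse.
SAMPLE_RECORDS = [
    _chat("2026-01-10T09:00:00", "helpdesk@it-support.example", "IT Support", "alice@corp.example"),
    _chat("2026-01-10T09:02:00", "helpdesk@it-support.example", "IT Support", "bob@corp.example"),
    _chat("2026-01-10T09:03:00", "helpdesk@it-support.example", "IT Support", "carol@corp.example"),
    _chat("2026-01-10T10:00:00", "vendor@partner.example", "Q1 invoice", "alice@corp.example"),
    _chat("2026-01-10T11:00:00", "alice@corp.example", "Lunch", "bob@corp.example"),
    {"CreationTime": "2026-01-10T09:01:00", "Operation": "MessageSent",
     "UserId": "helpdesk@it-support.example"},
]

def domain(upn):
    return upn.rsplit("@", 1)[-1].lower()

def summarize_external_chats(records):
    """Per external initiator: chats started, internal users reached, chat names."""
    summary = defaultdict(lambda: {"chats": 0, "internal_users": set(),
                                   "chat_names": set(), "approved": False})
    for rec in records:
        if rec.get("Operation") != "ChatCreated":
            continue  # only chat creation is counted here
        initiator = rec["UserId"].lower()
        if domain(initiator) == INTERNAL_DOMAIN:
            continue  # chat started by an internal user
        entry = summary[initiator]
        entry["chats"] += 1
        entry["approved"] = domain(initiator) in APPROVED_EXTERNAL_DOMAINS
        entry["chat_names"].add(rec.get("ChatName") or "")
        entry["internal_users"].update(
            m["UPN"].lower() for m in rec.get("Members", [])
            if domain(m["UPN"]) == INTERNAL_DOMAIN)
    return dict(summary)

def review_queue(records):
    """Unapproved external initiators, widest internal reach first."""
    rows = [(u, e) for u, e in summarize_external_chats(records).items()
            if not e["approved"]]
    return sorted(rows, key=lambda r: (-len(r[1]["internal_users"]), r[0]))
```

The chat names collected per initiator are kept for manual review; the sketch does not decide which names are suspicious.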

Variations

An external user started multiple conversations in Microsoft Teams with suspicious chat names

Synopsis

ATT&CK Tactic: Initial Access (TA0001)
ATT&CK Technique: Phishing (T1566)
Severity: Low

Description

An external user started a Microsoft Teams conversation with users in the organization.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Confirm that the tenant and user are authorized to start a conversation with users in the organization.
  • Verify the content of the conversation and validate that there is no phishing attempt being made.
  • Inspect links and URLs that might have been sent in the conversation.
  • Check external domain reputation.
  • Review past communication from the external user.
  • Follow further actions done by the account.


An external user started a conversation in Microsoft Teams with a suspicious user or chat name

Synopsis

ATT&CK Tactic: Initial Access (TA0001)
ATT&CK Technique: Phishing (T1566)
Severity: Low

Description

An external user started a Microsoft Teams conversation with users in the organization.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Confirm that the tenant and user are authorized to start a conversation with users in the organization.
  • Verify the content of the conversation and validate that there is no phishing attempt being made.
  • Inspect links and URLs that might have been sent in the conversation.
  • Check external domain reputation.
  • Review past communication from the external user.
  • Follow further actions done by the account.


An external user started multiple conversations in Microsoft Teams

Synopsis

ATT&CK Tactic: Initial Access (TA0001)
ATT&CK Technique: Phishing (T1566)
Severity: Low

Description

An external user started a Microsoft Teams conversation with users in the organization.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Confirm that the tenant and user are authorized to start a conversation with users in the organization.
  • Verify the content of the conversation and validate that there is no phishing attempt being made.
  • Inspect links and URLs that might have been sent in the conversation.
  • Check external domain reputation.
  • Review past communication from the external user.
  • Follow further actions done by the account.


External user started a Microsoft Teams conversation and sent a message

Synopsis

ATT&CK Tactic: Initial Access (TA0001)
ATT&CK Technique: Phishing (T1566)
Severity: Informational

Description

An external user started a Microsoft Teams conversation with users in the organization.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Confirm that the tenant and user are authorized to start a conversation with users in the organization.
  • Verify the content of the conversation and validate that there is no phishing attempt being made.
  • Inspect links and URLs that might have been sent in the conversation.
  • Check external domain reputation.
  • Review past communication from the external user.
  • Follow further actions done by the account.


An external user started conversations in Microsoft Teams with many internal users

Synopsis

ATT&CK Tactic: Initial Access (TA0001)
ATT&CK Technique: Phishing (T1566)
Severity: Informational

Description

An external user started a Microsoft Teams conversation with users in the organization.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Confirm that the tenant and user are authorized to start a conversation with users in the organization.
  • Verify the content of the conversation and validate that there is no phishing attempt being made.
  • Inspect links and URLs that might have been sent in the conversation.
  • Check external domain reputation.
  • Review past communication from the external user.
  • Follow further actions done by the account.