Microsoft Teams messages were exported from conversation

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2026-01-14
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data:
  • Requires:
    • Office 365 Audit
Detection Modules: Identity Threat Module
Detector Tags: Microsoft Teams
ATT&CK Tactic: Collection (TA0009)
ATT&CK Technique: Data from Information Repositories: Messaging Applications (T1213.005)
Severity: Informational

Description

Microsoft Teams messages were exported from a conversation.

Attacker's Goals

Attackers may leverage message extraction from Microsoft Teams to obtain valuable information.

Investigative actions

  • Confirm that the messages were exported by a certified and trusted entity.
  • Determine if it is within the user's role to extract messages from Microsoft Teams.
  • Follow further actions performed by the account and validate that the exported conversations were not sent to an untrusted entity.

Variations

Microsoft Teams messages were exported from conversation by a privileged user for the first time

Synopsis

ATT&CK Tactic: Collection (TA0009)
ATT&CK Technique: Data from Information Repositories: Messaging Applications (T1213.005)
Severity: Low

Description

Microsoft Teams messages were exported from a conversation.

Attacker's Goals

Attackers may leverage message extraction from Microsoft Teams to obtain valuable information.

Investigative actions

  • Confirm that the messages were exported by a certified and trusted entity.
  • Determine if it is within the user's role to extract messages from Microsoft Teams.
  • Follow further actions performed by the account and validate that the exported conversations were not sent to an untrusted entity.