Possible multistage attack in Microsoft Teams

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-02-02
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

12 Hours

Deduplication Period

1 Day

Required Data

  • Requires:
    • Office 365 Audit

Detection Modules

Identity Threat Module

Detector Tags

Microsoft Teams

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Low

Description

Possible multistage attack in Microsoft Teams.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Verify the suspicious activity to validate the legitimacy of the user's actions.
  • Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links.
  • Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content.
  • Evaluate the external tenant reputation.
  • Check for anomalous MS Teams actions like suspicious application installation, message extraction, policy changes or internal spear phishing attempts linked to the user post-login.
  • Follow up on any further actions taken by the account.

Variations

Malicious activity had been detected with strong indicators

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Medium

Description

Malicious Microsoft Teams activity was detected across multiple indicators; together, these activities are strong indications of malicious action.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Verify the suspicious activity to validate the legitimacy of the user's actions.
  • Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links.
  • Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content.
  • Evaluate the external tenant reputation.
  • Check for anomalous MS Teams actions like suspicious application installation, message extraction, policy changes or internal spear phishing attempts linked to the user post-login.
  • Follow up on any further actions taken by the account.
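The investigative actions above (for both variations) amount to one triage procedure over the alert's required data source, Office 365 Audit: pull the Teams records for the flagged user, separate external-tenant messages, shared links, application installs and policy changes, and view them in time order. The script below is an added illustration of that procedure and is not Cortex XDR code or detection logic; the audit records are constructed, and the field names (`Workload`, `Operation`, `UserId`, `ParticipantInfo.HasForeignTenantUsers`, `MessageURLs`) are assumed to follow the Microsoft Teams audit schema of the Office 365 Management Activity API.

```python
import json
from collections import defaultdict

# Constructed sample of Office 365 Unified Audit Log records (JSON lines) for
# Microsoft Teams. Field names are assumed from the Teams audit schema.
SAMPLE_AUDIT_JSONL = """
{"CreationTime":"2026-01-20T09:01:00","Workload":"MicrosoftTeams","Operation":"MessageSent","UserId":"alice@example.com","ParticipantInfo":{"HasForeignTenantUsers":true,"ParticipatingDomains":["example.com","partner-example.net"]}}
{"CreationTime":"2026-01-20T09:02:10","Workload":"MicrosoftTeams","Operation":"MessageCreatedHasLink","UserId":"alice@example.com","MessageURLs":["https://files.partner-example.net/invoice"]}
{"CreationTime":"2026-01-20T09:30:00","Workload":"MicrosoftTeams","Operation":"AppInstalled","UserId":"alice@example.com","AddOnName":"SharePointSync"}
{"CreationTime":"2026-01-20T10:00:00","Workload":"MicrosoftTeams","Operation":"TeamsTenantSettingChanged","UserId":"alice@example.com"}
{"CreationTime":"2026-01-20T09:05:00","Workload":"MicrosoftTeams","Operation":"MessageSent","UserId":"bob@example.com","ParticipantInfo":{"HasForeignTenantUsers":false}}
{"CreationTime":"2026-01-20T09:06:00","Workload":"Exchange","Operation":"MailItemsAccessed","UserId":"bob@example.com"}
"""


def classify(record):
    """Map one audit record to the investigative signal it represents, or None.

    The stages mirror the checklist: external-tenant interaction, shared link,
    application installation, policy change. Non-Teams workloads are ignored.
    """
    if record.get("Workload") != "MicrosoftTeams":
        return None
    op = record.get("Operation", "")
    if op == "MessageSent" and record.get("ParticipantInfo", {}).get("HasForeignTenantUsers"):
        return "external_tenant_message"
    if op == "MessageCreatedHasLink" and record.get("MessageURLs"):
        return "link_shared"
    if op == "AppInstalled":
        return "app_installed"
    if op in ("TeamsTenantSettingChanged", "TeamSettingChanged"):
        return "policy_change"
    return None


def stage_timeline(jsonl_text):
    """Group the signals per user, ordered by CreationTime, for analyst review."""
    per_user = defaultdict(list)
    for line in jsonl_text.strip().splitlines():
        rec = json.loads(line)
        stage = classify(rec)
        if stage:
            per_user[rec["UserId"]].append((rec["CreationTime"], stage))
    # ISO 8601 timestamps sort correctly as strings.
    return {u: [s for _, s in sorted(events)] for u, events in per_user.items()}


def multistage_users(timeline, min_stages=3):
    """Users whose Teams activity spans several distinct stages, sorted by name."""
    return sorted(u for u, stages in timeline.items() if len(set(stages)) >= min_stages)
```

Running `stage_timeline(SAMPLE_AUDIT_JSONL)` places alice's four signals in order while bob, whose only Teams message stayed inside the tenant, produces no entries; `multistage_users` then returns only alice for the analyst to follow up on.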