Possible phishing attack via Microsoft Teams

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2026-05-18
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

5 Hours

Deduplication Period

1 Day

Required Data

  • Requires: Azure Audit Log
  • Requires: AzureAD
  • Requires: AzureAD Audit Log
  • Requires: Microsoft Graph Logs
  • Requires: Office 365 Audit
  • Requires: Okta
  • Requires: Okta Audit Log
  • Requires one of the following data sources: Palo Alto Networks Firewall EAL Logs OR Palo Alto Networks Firewall Threat Logs
  • Requires one of the following data sources: Palo Alto Networks GlobalProtect OR Third-Party VPNs
  • Requires: XDR Agent
  • Requires: XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Threat Module

Detector Tags

Microsoft Teams

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Low

Description

An external tenant is possibly attempting a phishing attack via Microsoft Teams.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Verify the suspicious sign-in activity to establish whether the login was legitimate.
  • Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links.
  • Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content.
  • Evaluate the reputation of the external tenant.
  • Check for anomalous Microsoft Teams actions linked to the user after login, such as suspicious application installation, message extraction, policy changes, or internal spear-phishing attempts.
  • Follow up on any further actions taken by the account.
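The second, third and fourth investigative actions above (and their repeats under each variation) amount to one triage pass over Teams messages: isolate senders from external tenants, pull out links whose hosts are not trusted, and mark tenants whose names imitate the organization for reputation review. The following is an added example of that pass, not Cortex XDR code; the event shape, the tenant and trusted-host lists, and the sample messages are constructed assumptions rather than the real Office 365 audit schema.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumptions for this example: our own tenant domains and trusted link hosts.
ORG_TENANTS = {"contoso.com"}
TRUSTED_LINK_HOSTS = {"contoso.com", "contoso.sharepoint.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample Teams message events; simplified shape, not the real audit schema.
EVENTS = [
    {"ts": "2026-05-18T09:01:00Z", "sender": "vendor@partner.example",
     "to": "alice@contoso.com", "text": "Invoice: https://partner.example/inv/42"},
    {"ts": "2026-05-18T09:05:00Z", "sender": "it-help@contoso-support.example",
     "to": "alice@contoso.com",
     "text": "Password expires today, verify at https://login-reset.example/mfa"},
    {"ts": "2026-05-18T09:07:00Z", "sender": "bob@contoso.com",
     "to": "alice@contoso.com", "text": "Draft: https://contoso.sharepoint.com/sites/t/doc.docx"},
]

def tenant_of(address):
    """Tenant (domain) part of a UPN-style address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()

def looks_like_org(tenant):
    """Reputation heuristic: external tenant that embeds one of our domain labels."""
    return any(d.split(".")[0] in tenant for d in ORG_TENANTS)

def untrusted_links(text):
    """URLs in the message whose host is neither a trusted host nor a sub-host of one."""
    found = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_LINK_HOSTS):
            found.append(url)
    return found

def triage(events):
    """Group external-tenant messages that carry untrusted links by sender tenant."""
    findings = defaultdict(lambda: {"lookalike": False, "messages": []})
    for ev in events:
        tenant = tenant_of(ev["sender"])
        if tenant in ORG_TENANTS:
            continue  # internal senders are out of scope for this alert
        links = untrusted_links(ev["text"])
        if links:
            findings[tenant]["lookalike"] = looks_like_org(tenant)
            findings[tenant]["messages"].append(
                {"ts": ev["ts"], "to": ev["to"], "links": links})
    return dict(findings)
```

`triage(EVENTS)` returns one entry per external tenant that sent untrusted links; a `lookalike` flag of `True` is the cue to prioritize the tenant-reputation check, while a plain partner tenant is reviewed against its expected business contact.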

Variations

Potential phishing attack with post compromise stages had been detected

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

High

Description

Suspicious Microsoft Teams phishing activity was detected across multiple indicators; the activity strongly indicates a malicious login followed by post-compromise actions.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Verify the suspicious sign-in activity to establish whether the login was legitimate.
  • Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links.
  • Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content.
  • Evaluate the reputation of the external tenant.
  • Check for anomalous Microsoft Teams actions linked to the user after login, such as suspicious application installation, message extraction, policy changes, or internal spear-phishing attempts.
  • Follow up on any further actions taken by the account.


Potential phishing attack via Microsoft Teams has been detected

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Medium

Description

Suspicious Microsoft Teams phishing activity was detected across multiple indicators; the activity strongly indicates a malicious login.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Verify the suspicious sign-in activity to establish whether the login was legitimate.
  • Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links.
  • Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content.
  • Evaluate the reputation of the external tenant.
  • Check for anomalous Microsoft Teams actions linked to the user after login, such as suspicious application installation, message extraction, policy changes, or internal spear-phishing attempts.
  • Follow up on any further actions taken by the account.


Potential phishing attack with post compromise activities in Microsoft Teams has been detected

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Medium

Description

Suspicious Microsoft Teams phishing activity detected across multiple indicators.

Attacker's Goals

Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.

Investigative actions

  • Verify the suspicious sign-in activity to establish whether the login was legitimate.
  • Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links.
  • Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content.
  • Evaluate the reputation of the external tenant.
  • Check for anomalous Microsoft Teams actions linked to the user after login, such as suspicious application installation, message extraction, policy changes, or internal spear-phishing attempts.
  • Follow up on any further actions taken by the account.