User exported multiple messages in Microsoft Teams via Graph API

Cortex XDR Analytics Alert Reference by Alert name
Product
Cortex XDR
Last date published
2026-01-14
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires:
    • Office 365 Audit

Detection Modules

Identity Threat Module

Detector Tags

Microsoft Teams

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Data from Information Repositories: Messaging Applications (T1213.005)

Severity

Informational

Description

A user exported multiple messages in Microsoft Teams via Graph API.

Attacker's Goals

Attackers may leverage messages extraction from Microsoft Teams to collect sensitive data.

Investigative actions

  • Confirm that the exported messages were extracted from a certified and trusted entity.
  • Determine if it is within the user's role to extract messages from Microsoft Teams.
  • Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.

Variations

User exported multiple chats in Microsoft Teams via Graph API

Synopsis

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Data from Information Repositories: Messaging Applications (T1213.005)

Severity

Low

Description

A user exported multiple messages in Microsoft Teams via Graph API.

Attacker's Goals

Attackers may leverage messages extraction from Microsoft Teams to collect sensitive data.

Investigative actions

  • Confirm that the exported messages were extracted from a certified and trusted entity.
  • Determine if it is within the user's role to extract messages from Microsoft Teams.
  • Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.


User exported multiple messages in Microsoft Teams via Graph API by a privileged user for the first time

Synopsis

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Data from Information Repositories: Messaging Applications (T1213.005)

Severity

Low

Description

A user exported multiple messages in Microsoft Teams via Graph API.

Attacker's Goals

Attackers may leverage messages extraction from Microsoft Teams to collect sensitive data.

Investigative actions

  • Confirm that the exported messages were extracted from a certified and trusted entity.
  • Determine if it is within the user's role to extract messages from Microsoft Teams.
  • Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.


User exported multiple messages in Microsoft Teams via Graph API from a first seen ASN

Synopsis

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Data from Information Repositories: Messaging Applications (T1213.005)

Severity

Low

Description

A user exported multiple messages in Microsoft Teams via Graph API.

Attacker's Goals

Attackers may leverage messages extraction from Microsoft Teams to collect sensitive data.

Investigative actions

  • Confirm that the exported messages were extracted from a certified and trusted entity.
  • Determine if it is within the user's role to extract messages from Microsoft Teams.
  • Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.