Synopsis
| Field | Value |
| --- | --- |
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Threat Module |
| Detector Tags | Microsoft Teams |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A user who rarely uses the Graph API to install Microsoft Teams applications has installed one using it.
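The synopsis parameters (14-day activation, 30-day training window, single-event test, 1-day deduplication) describe a per-user rarity baseline rather than a fixed signature. The Python below is an added illustration of how those parameters fit together; it is not the vendor's detector logic, which the page does not disclose. The event field names, the `RARE_THRESHOLD` of two prior installs, and the sample events are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Detector parameters, taken from the synopsis table.
ACTIVATION_DAYS = 14   # no alerts until this much history has been observed
TRAINING_DAYS = 30     # baseline window for "how often does this user do this"
DEDUP_DAYS = 1         # at most one alert per user per day

# Assumption (not stated on the page): a user "rarely" installs Teams apps via
# Graph if they did so fewer than this many times inside the training window.
RARE_THRESHOLD = 2


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    client: str     # constructed labels: "graph_api" or "teams_client"
    action: str     # constructed labels: "install_teams_app" or anything else


def detect(events: List[Event]) -> List[Tuple[str, datetime, int]]:
    """Return (user, timestamp, prior_install_count) for every alert raised.

    A Graph API Teams-app install alerts when the detector is activated, the
    user has fewer than RARE_THRESHOLD such installs in the trailing training
    window, and no alert for that user was raised within the dedup period.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    if not ordered:
        return []
    data_start = ordered[0].ts
    history: Dict[str, List[datetime]] = defaultdict(list)   # user -> Graph install times
    last_alert: Dict[str, datetime] = {}
    alerts: List[Tuple[str, datetime, int]] = []
    for e in ordered:
        if not (e.action == "install_teams_app" and e.client == "graph_api"):
            continue   # installs from the Teams client, and other Graph calls, are out of scope
        window_start = e.ts - timedelta(days=TRAINING_DAYS)
        prior = sum(1 for t in history[e.user] if t >= window_start)
        activated = e.ts - data_start >= timedelta(days=ACTIVATION_DAYS)
        deduped = e.user in last_alert and e.ts - last_alert[e.user] < timedelta(days=DEDUP_DAYS)
        if activated and prior < RARE_THRESHOLD and not deduped:
            alerts.append((e.user, e.ts, prior))
            last_alert[e.user] = e.ts
        history[e.user].append(e.ts)   # every install feeds the baseline, alerted or not
    return alerts


# Constructed sample data (not real audit logs).
T0 = datetime(2024, 1, 1)


def at(days: int, hours: int = 0) -> datetime:
    return T0 + timedelta(days=days, hours=hours)


SAMPLE_EVENTS = (
    # Service account that installs apps via Graph every second day: routine, never rare.
    [Event(at(d), "svc-teams-admin", "graph_api", "install_teams_app") for d in range(0, 41, 2)]
    # Regular user installing from the Teams client only: not in scope for this detector.
    + [Event(at(d), "bob", "teams_client", "install_teams_app") for d in (3, 17, 33)]
    # carol: one Graph install during the activation period, another on day 16.
    + [Event(at(5), "carol", "graph_api", "install_teams_app"),
       Event(at(16), "carol", "graph_api", "install_teams_app")]
    # alice: first-ever Graph install on day 20, a second six hours later (deduplicated),
    # a third on day 35 (two prior installs in the window, so no longer rare), plus an
    # unrelated Graph call.
    + [Event(at(20), "alice", "graph_api", "install_teams_app"),
       Event(at(20, 6), "alice", "graph_api", "install_teams_app"),
       Event(at(35), "alice", "graph_api", "install_teams_app"),
       Event(at(21), "alice", "graph_api", "list_chats")]
)

if __name__ == "__main__":
    for user, ts, prior in detect(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M} {user}: Graph API Teams app install, "
              f"{prior} prior install(s) in the last {TRAINING_DAYS} days")
```

Running it yields two alerts, carol on day 16 and alice on day 20; the service account never alerts because its baseline is dense, alice's second install is collapsed by the one-day deduplication, and her day-35 install is no longer rare once two earlier installs sit inside the training window. When triaging, the `prior` count is the number to look at first: a zero means the user has never done this within the baseline.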
Attacker's Goals
Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.
Investigative actions
- Verify the user's role and typical usage of Microsoft Graph API.
- Check if the user's account has recently logged in from unusual locations or devices.
- Review recent email and chat activity to identify any phishing or suspicious messages sent.
- Examine the Graph API call logs to see what actions were performed and their timestamps.
- Correlate with endpoint logs to detect any malware or suspicious processes running on the user's device.
- Check for signs of account compromise, such as password changes or MFA bypass attempts.
- Follow up on any further actions taken by the account.