Microsoft Teams external communication policy was modified

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2026-01-27

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Office 365 Audit
Detection Modules	Identity Threat Module
Detector Tags	Microsoft Teams
ATT&CK Tactic	Defense Evasion (TA0005) Exfiltration (TA0010)
ATT&CK Technique	Impair Defenses (T1562) Exfiltration Over Alternative Protocol (T1048)
Severity	Informational

Microsoft Teams external communication policy was modified.

Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.

Determine if it is within the user's role to modify the policy.
Verify whether the modification of the policy is both legitimate and necessary.
Follow further communication with the external tenant or allowed tenants.
Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Microsoft Teams external communication policy was modified.

Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.

Determine if it is within the user's role to modify the policy.
Verify whether the modification of the policy is both legitimate and necessary.
Follow further communication with the external tenant or allowed tenants.
Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.