Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | 1 Hour
Deduplication Period | 1 Day
Required Data |
Detection Modules | Identity Threat Module
Detector Tags | Microsoft Teams
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
A user who rarely uses the Graph API for Microsoft Teams messaging sent multiple messages using it.
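The following is an added illustration of the baseline-versus-test-window logic this detector describes, not the product's own detector code. It uses the Synopsis periods (30-day training, 1-hour test, 1-day deduplication); the record schema, the sample records and the thresholds RARE_MAX and MULTI_MIN are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample Teams-message audit records (hypothetical schema, not a
# real Microsoft log format): (timestamp, user, client). Only records with
# client == "graph_api" count as Graph API messaging.
NOW = datetime.fromisoformat("2024-06-01T12:00:00")
RECORDS = [
    ("2024-05-12T10:00:00", "alice", "graph_api"),     # one Graph message in training: rare user
    ("2024-05-20T10:00:00", "alice", "teams_client"),  # normal client, not counted
    ("2024-06-01T11:10:00", "alice", "graph_api"),     # burst inside the 1-hour test window
    ("2024-06-01T11:12:00", "alice", "graph_api"),
    ("2024-06-01T11:15:00", "alice", "graph_api"),
    ("2024-06-01T11:40:00", "alice", "graph_api"),
] + [(f"2024-05-{d:02d}T09:00:00", "bob", "graph_api") for d in range(5, 25)] + [
    ("2024-06-01T11:05:00", "bob", "graph_api"),       # bob uses Graph daily: in baseline
    ("2024-06-01T11:06:00", "bob", "graph_api"),
    ("2024-06-01T11:07:00", "bob", "graph_api"),
    ("2024-06-01T11:30:00", "carol", "graph_api"),     # rare user, but only one message
]

TRAINING = timedelta(days=30)   # Training Period from the Synopsis
TEST = timedelta(hours=1)       # Test Period
DEDUP = timedelta(days=1)       # Deduplication Period
RARE_MAX = 2    # assumed: at most 2 Graph messages in training means "rarely uses"
MULTI_MIN = 3   # assumed: at least 3 Graph messages in the test window is "multiple"

def detect(records, now, last_alert=None):
    """Return users to alert on. last_alert maps user -> time of last alert
    and is updated in place so repeated calls honour the deduplication period."""
    last_alert = {} if last_alert is None else last_alert
    test_start = now - TEST
    train_start = test_start - TRAINING
    training, test = Counter(), Counter()
    for ts, user, client in records:
        if client != "graph_api":
            continue
        t = datetime.fromisoformat(ts)
        if train_start <= t < test_start:
            training[user] += 1          # baseline: how often the user normally uses Graph
        elif test_start <= t <= now:
            test[user] += 1              # activity in the current 1-hour test window
    alerts = []
    for user, n in test.items():
        if n < MULTI_MIN or training[user] > RARE_MAX:
            continue                     # not "multiple", or the user is a regular Graph user
        prev = last_alert.get(user)
        if prev is not None and now - prev < DEDUP:
            continue                     # already alerted on this user within 1 day
        last_alert[user] = now
        alerts.append(user)
    return sorted(alerts)
```

Running `detect(RECORDS, NOW)` flags only alice: bob has a 30-day Graph baseline and carol sent a single message.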
Attacker's Goals
Attackers may leverage a compromised user account to send phishing or malicious messages via Graph API to multiple recipients, aiming to propagate the attack while evading detection.
Investigative actions
- Verify the user's role and typical usage of Microsoft Graph API.
- Check if the user's account has recently logged in from unusual locations or devices.
- Review recent email and chat activity to identify any phishing or suspicious messages sent.
- Examine the Graph API call logs to see what actions were performed and their timestamps.
- Correlate with endpoint logs to detect any malware or suspicious processes running on the user's device.
- Check for signs of account compromise, such as password changes or MFA bypass attempts.
- Follow up on any further actions taken by the account.