Query Details

Apt29

Query

References: https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/
Use these Sentinel queries to hunt for APT29 (Midnight Blizzard) Teams phishing activity.

// Hunt 1: sender accounts whose UserId contains one of the Microsoft-sounding
// lookalike terms observed in the campaign (has_any does case-insensitive term matching)
OfficeActivity
| where UserId has_any ("msonlineservicesteam","mlcrosoftaccounts","msftonlineservices","msonlineteam","msftservice","noreplyteam","accounteam","teamsprotection","identityverification","msftprotection","accountsverification","azuresecuritycenter")

// Hunt 2: senders from an onmicrosoft.com tenant other than your own.
// Filter for false positives: replace Yourdomain.onmicrosoft.com with your tenant's domain
OfficeActivity
| where UserId endswith @"onmicrosoft.com" and UserId !endswith @"Yourdomain.onmicrosoft.com"

Explanation

The queries look for activity on Microsoft Teams linked to the phishing campaign attributed to Midnight Blizzard (APT29): the first matches sender accounts whose UserId contains Microsoft-sounding lookalike terms, and the second matches senders from an onmicrosoft.com tenant other than your own. The second query filters out false positives by excluding your own tenant's email domain.
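As an added example (not the author's query), both heuristics combined into one hunt that scopes to the Teams workload, excludes your own tenant, and summarises per sender so an analyst can triage quickly. It assumes the standard OfficeActivity columns OfficeWorkload, Operation, ClientIP and TimeGenerated, and the tenant domain is a placeholder to replace.

```kql
// Added example, not part of the original page.
// Assumes the standard OfficeActivity schema (OfficeWorkload, Operation, ClientIP, TimeGenerated).
let lookback = 14d;
// Placeholder: replace with your own tenant's onmicrosoft.com domain.
let own_tenant = "Yourdomain.onmicrosoft.com";
// Lookalike sender terms from the two queries above.
let lure_terms = dynamic([
    "msonlineservicesteam", "mlcrosoftaccounts", "msftonlineservices", "msonlineteam",
    "msftservice", "noreplyteam", "accounteam", "teamsprotection",
    "identityverification", "msftprotection", "accountsverification", "azuresecuritycenter"]);
OfficeActivity
| where TimeGenerated > ago(lookback)
// Scope to Teams audit events; drop this line to hunt across all Office workloads.
| where OfficeWorkload == "MicrosoftTeams"
| extend Sender = tolower(UserId)
// Keep only senders that match either heuristic.
| where Sender has_any (lure_terms)
    or (Sender endswith "onmicrosoft.com" and Sender !endswith own_tenant)
// Record which heuristic fired so the two populations can be triaged separately.
| extend Reason = iff(Sender has_any (lure_terms), "LookalikeSenderName", "ExternalOnmicrosoftTenant")
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Events = count(),
    Operations = make_set(Operation), SourceIPs = make_set(ClientIP) by Sender, Reason
| order by Events desc
```

Senders flagged as ExternalOnmicrosoftTenant that are legitimate partner tenants can be added to an allow list alongside own_tenant to reduce noise.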

Details


Ali Hussein

Released: February 26, 2024

Tables

OfficeActivity

Keywords

UserId, OfficeActivity, msonlineservicesteam, mlcrosoftaccounts, msftonlineservices, msonlineteam, msftservice, noreplyteam, accounteam, teamsprotection, identityverification, msftprotection, accountsverification, azuresecuritycenter, onmicrosoft.com, Yourdomain.onmicrosoft.com

Operators

has_any, where, endswith, !endswith
