Query Details

Data Exfiltration Via Microsoft Teams

Query

// Data Exfiltration via Microsoft Teams
// https://www.linkedin.com/posts/activity-7202676905441964032-Qi3m/

// Should a malicious actor gain access to an Office 365 user account and initiate the unauthorized transfer of email content by utilizing Power Automate to trigger an Office 365 Outlook flow that sends a Teams message to an external domain upon the arrival of a new email, do you possess the detection capabilities for such unauthorized data transfers? The KQL script provided leverages Microsoft Defender’s CloudAppEvents to identify unusual patterns in the volume of Teams messages directed to specific external domains. Upon activation of the monitoring alert, the security team is prompted to conduct a thorough investigation to verify the authenticity of the Teams communications. In instances where your users frequently collaborate with known external partner tenants, implementing a whitelist can help avert unwarranted rule activations.

CloudAppEvents
| where Application == "Microsoft Teams"
| where ActionType == "MessageSent"
| extend AccountUPN = RawEventData.UserId
| extend CommsType = RawEventData.CommunicationType
| extend ExternalTenant = RawEventData.ParticipantInfo.HasForeignTenantUsers
| extend ExtUserDomain = tostring(split(AccountUPN, '@')[1])
| where CommsType == "OneOnOne" or CommsType == "GroupChat"
| where ExternalTenant == "true"
| where ExtUserDomain != ""
| summarize Count=count() by ExtUserDomain
| sort by Count desc
// Set your Teams msg trigger threshold to external tenant 
| where Count > 20
// Whitelist External Partner Domain
| where ExtUserDomain !contains "trusteddomain.com"


// MITRE ATT&CK Mapping

// This query can be mapped to several MITRE ATT&CK techniques:

// T1071.001 - Application Layer Protocol: Web Protocols:
// Detects the use of web protocols for communication, which in this case is Microsoft Teams1.

// T1102.002 - Web Service: Application Deployment Software:
// Identifies the use of web services for application deployment, relevant to the detection of messages sent via Teams2.

// T1078 - Valid Accounts:
// Detects the use of valid accounts, especially focusing on external tenants which might indicate compromised or unauthorized access3.

// T1087.001 - Account Discovery: Local Account:
// Involves discovering accounts, here focusing on external user domains4.

Explanation

This KQL query is designed to detect potential unauthorized data transfers via Microsoft Teams, specifically when a malicious actor gains access to an Office 365 account and uses Power Automate to send email content to an external domain through Teams messages. Here's a simplified breakdown:

  1. Purpose: The query aims to identify unusual patterns in the volume of Teams messages sent to external domains, which could indicate unauthorized data exfiltration.

  2. Data Source: It uses Microsoft Defender's CloudAppEvents to monitor Teams activities.

  3. Process:

    • It filters for messages sent through Microsoft Teams.
    • It focuses on one-on-one or group chat communications.
    • It checks if the messages involve external tenants (i.e., users from outside the organization).
    • It counts the number of messages sent to each external domain.
  4. Threshold: The query flags any external domain receiving more than 20 messages as suspicious.

  5. Whitelist: Known and trusted external domains (e.g., "trusteddomain.com") are excluded from triggering alerts to avoid false positives.

  6. Action: When the threshold is exceeded, a monitoring alert is activated, prompting the security team to investigate the legitimacy of these communications.

  7. Security Framework: The query is mapped to several MITRE ATT&CK techniques, indicating its relevance in detecting specific tactics and techniques used by adversaries, such as using valid accounts and web protocols for unauthorized activities.

In summary, this query helps organizations detect and investigate potential data leaks via Teams by monitoring message patterns to external domains and excluding trusted partners from unnecessary alerts.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

CloudAppEvents

Keywords

MicrosoftTeamsOffice365PowerAutomateOutlookCloudAppEventsUserAccountExternalDomainSecurityTeamTenantPartnerMITREATT&CKApplicationLayerProtocolWebProtocolsServiceDeploymentSoftwareValidAccountsDiscoveryLocal

Operators

whereextendtostringsplitorsummarizecountbysortdesccontains

Actions

GitHub