Query Details

Data Exfiltration Via Microsoft Teams

Query

// Data Exfiltration via Microsoft Teams
// https://www.linkedin.com/posts/activity-7202676905441964032-Qi3m/

// If a malicious actor gains access to an Office 365 user account and exfiltrates email content
// by using Power Automate to trigger an Office 365 Outlook flow that sends a Teams message to an
// external domain whenever a new email arrives, can you detect the unauthorized transfer? This KQL
// query uses Microsoft Defender's CloudAppEvents table to surface unusual volumes of Teams messages
// tied to specific external domains. When the alert fires, the security team should investigate
// whether the Teams communications are legitimate. Where your users regularly collaborate with
// known external partner tenants, whitelist those domains to avoid unwarranted alerts.

CloudAppEvents
| where Application == "Microsoft Teams"
| where ActionType == "MessageSent"
// RawEventData is a dynamic column: cast each field before comparing or splitting it
| extend AccountUPN = tostring(RawEventData.UserId)
| extend CommsType = tostring(RawEventData.CommunicationType)
| extend ExternalTenant = tobool(RawEventData.ParticipantInfo.HasForeignTenantUsers)
// Domain is taken from the acting account's UPN (the part after '@')
| extend ExtUserDomain = tostring(split(AccountUPN, '@')[1])
| where CommsType in ("OneOnOne", "GroupChat")
// tobool() accepts both a JSON boolean and the string "true"; comparing the raw dynamic value to "true" would not
| where ExternalTenant == true
| where isnotempty(ExtUserDomain)
| summarize Count = count() by ExtUserDomain
| sort by Count desc
// Set your Teams message trigger threshold to external tenant
| where Count > 20
// Whitelist external partner domain(s): exact, case-insensitive match rather than a substring test
| where ExtUserDomain !in~ ("trusteddomain.com")

Explanation

This KQL query is designed to detect potential data exfiltration via Microsoft Teams by monitoring for unusual patterns in the volume of messages sent to external domains. Here's a simplified breakdown:

  1. Context: The query is used to identify if a malicious actor has gained access to an Office 365 user account and is using Power Automate to send email content to an external domain via Teams messages.

  2. Data Source: The query leverages data from Microsoft Defender’s CloudAppEvents.

  3. Filtering Criteria:

    • It looks for events where the application is "Microsoft Teams" and the action type is "MessageSent".
    • It extends the data to include user account information, communication type, and whether the message involves external tenants.
    • It filters for one-on-one or group chat communications that involve external tenants.

  4. Analysis:

    • It counts the number of messages sent to each external domain.
    • It sorts these counts in descending order.

  5. Threshold and Whitelisting:

    • It sets a threshold to trigger alerts if more than 20 messages are sent to an external domain.
    • It excludes messages sent to trusted external partner domains to avoid false positives.

  6. Outcome: When the threshold is exceeded, the security team is alerted to investigate the authenticity of the communications.

In summary, this query helps detect unusual and potentially unauthorized data transfers via Microsoft Teams by monitoring message volumes to external domains and excluding trusted partners to reduce false alarms.
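To check the detection logic offline, here is an added example (not part of the original query page or the author's code) that applies the same filters, aggregation, threshold and whitelist in Python over constructed CloudAppEvents-style rows. The field names follow the query (Application, ActionType, RawEventData.UserId, RawEventData.CommunicationType, RawEventData.ParticipantInfo.HasForeignTenantUsers); the sample rows, sender UPNs and the trusteddomain.com partner placeholder are constructed. It also exercises the casting edge case: HasForeignTenantUsers may arrive as a JSON boolean or as the string "true", and the detection must count both.

```python
"""Offline check of the Teams external-message volume detection over constructed
CloudAppEvents-style records. Added example, not the page's or the author's code."""
import json
from collections import Counter

THRESHOLD = 20                        # mirrors `| where Count > 20`
ALLOWLIST = {"trusteddomain.com"}     # placeholder partner domain from the query


def make_event(user_id, comm_type="OneOnOne", foreign=True,
               application="Microsoft Teams", action_type="MessageSent"):
    """Build one constructed CloudAppEvents-shaped row."""
    return {
        "Application": application,
        "ActionType": action_type,
        "RawEventData": {
            "UserId": user_id,
            "CommunicationType": comm_type,
            "ParticipantInfo": {"HasForeignTenantUsers": foreign},
        },
    }


# Constructed sample data. HasForeignTenantUsers is deliberately mixed between a
# JSON bool and the string "true": a detection that compares the raw dynamic
# value to the string "true" silently drops the bool rows, so both must count.
SAMPLE_EVENTS = (
    [make_event("alice@contoso.com", foreign=True) for _ in range(13)]
    + [make_event("alice@Contoso.com", "GroupChat", foreign="true") for _ in range(12)]
    + [make_event("bob@trusteddomain.com") for _ in range(30)]             # allow-listed partner
    + [make_event("carol@fabrikam.com") for _ in range(5)]                 # below threshold
    + [make_event("dave@contoso.com", foreign=False) for _ in range(40)]   # internal-only chat
    + [make_event("erin@contoso.com", "Channel") for _ in range(40)]       # channel post
    + [make_event("frank@contoso.com", application="Exchange Online") for _ in range(40)]
    + [make_event("", foreign=True)]                                       # no UPN -> dropped
)


def raw_event_data(event):
    """RawEventData is a dynamic column; accept it as a dict or as a JSON string."""
    raw = event.get("RawEventData", {})
    return json.loads(raw) if isinstance(raw, str) else raw


def external_domain(user_id):
    """Mirror tostring(split(AccountUPN, '@')[1]); '' when there is no '@'.
    Lower-cased so mixed-case UPNs aggregate into one domain bucket."""
    parts = str(user_id or "").split("@", 1)
    return parts[1].lower() if len(parts) == 2 else ""


def is_external_chat(raw):
    """CommsType in (OneOnOne, GroupChat) and HasForeignTenantUsers set,
    whether the flag arrived as a bool or as the string "true"."""
    if raw.get("CommunicationType") not in ("OneOnOne", "GroupChat"):
        return False
    flag = raw.get("ParticipantInfo", {}).get("HasForeignTenantUsers")
    return str(flag).lower() == "true"


def count_by_domain(events):
    """Equivalent of the query's filters plus `summarize Count=count() by ExtUserDomain`."""
    counts = Counter()
    for event in events:
        if event.get("Application") != "Microsoft Teams":
            continue
        if event.get("ActionType") != "MessageSent":
            continue
        raw = raw_event_data(event)
        if not is_external_chat(raw):
            continue
        domain = external_domain(raw.get("UserId"))
        if domain:
            counts[domain] += 1
    return counts


def alerts(events, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Domains over the threshold, minus allow-listed partners, highest count first.
    Exact domain match is used instead of a substring test, which would also
    suppress any domain that merely contains the partner name."""
    allowed = {d.lower() for d in allowlist}
    hits = [(d, c) for d, c in count_by_domain(events).items()
            if c > threshold and d not in allowed]
    return sorted(hits, key=lambda dc: (-dc[1], dc[0]))


if __name__ == "__main__":
    for domain, count in alerts(SAMPLE_EVENTS):
        print(f"ALERT {domain}: {count} external Teams messages (threshold {THRESHOLD})")
```

Run as a script it reports the one domain that clears the threshold and is not allow-listed; lowering the threshold or emptying the allowlist shows how the other buckets behave.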

Details

Steven Lim

Released: August 2, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents, Microsoft Teams, Office 365, User Account, Email, Power Automate, Outlook, Message, External Domain, Detection, Data Transfers, Monitoring, Security, Investigation, Communications, Partner Tenants, Whitelist

Operators

where, extend, tostring, split, summarize, count, by, sort, desc, contains