Detect Malicious Teams Message
Query
// Malicious messages detection
MessageEvents
| where ThreatTypes != ""
| join kind=leftouter MessageUrlInfo on TeamsMessageIdAbout this query
Detect Malicious Teams Message
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1204.001 | User Execution: Malicious Link | https://attack.mitre.org/techniques/T1204/001/ |
| T1566.002 | Phishing: Spearphishing Link | https://attack.mitre.org/techniques/T1566/002/ |
Description
This detection rule detects Microsoft Teams messages where MDO detected a threat in the message.
Risk
Malicious messages being send to users can be the beginning of an Initial Access.
Author <Optional>
- Name: Robbe Van den Daele
- Github: https://github.com/RobbeVandenDaele
- Twitter: https://x.com/RobbeVdDaele
- LinkedIn: https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- Website: https://hybridbrothers.com/
References
Defender XDR
Explanation
This query is designed to detect potentially malicious messages sent through Microsoft Teams. Here's a simple breakdown of what it does:
-
Purpose: The query aims to identify Teams messages flagged as threats by Microsoft Defender for Office (MDO).
-
Techniques Involved: It relates to two specific MITRE ATT&CK techniques:
- User Execution: Malicious Link (T1204.001): This involves users executing malicious links.
- Phishing: Spearphishing Link (T1566.002): This involves targeted phishing attacks using malicious links.
-
Risk: Receiving malicious messages can be a starting point for unauthorized access to a system.
-
Query Logic:
- It searches through
MessageEventsto find messages that have been identified with any threat type (ThreatTypesis not empty). - It then performs a left outer join with
MessageUrlInfobased onTeamsMessageIdto gather additional information about the URLs in those messages.
- It searches through
-
Outcome: The query helps in identifying and analyzing messages that might pose a security risk due to malicious content, allowing for further investigation and response.
