Query Details

Detecting External Microsoft Teams Spray

Query

// Detecting External Microsoft Teams Spray

// In late October, the ransomware group Black Basta introduced a new social engineering technique. Initially, they bombarded users with email spam, leading them to create help-desk tickets. The attackers then impersonated help-desk staff to gain access. Recently, they have shifted to using Microsoft Teams chat messages and malicious QR codes to communicate with targets. These tactics are designed to convince users to download remote monitoring tools, ultimately resulting in ransomware deployment. This campaign is particularly notable for its intensity and high volume of activity, posing a significant threat to organizations that do not restrict Teams communications with external entities.

// The KQL code below helps defenders detect anomalous external inbound Teams chats to your Entra tenant, allowing them to take immediate action to block the external tenant if necessary. The KQL code can be downloaded from my SlimKQL GitHub Repository, which is featured on my LinkedIn profile. (Search for “Detecting External Microsoft Teams Spray”)

// External Tenant Teams Spray Threshold (1:1 chats per external domain within the 1h window)
let SprayCounter = 3;

CloudAppEvents
| where Timestamp > ago(1h)
| where Application == "Microsoft Teams"
| where ActionType == "ChatCreated"
| where tostring(RawEventData.CommunicationType)=="OneOnOne" // 1:1 chat only; group and meeting chats are excluded
| where AccountId has "@"                                    // External Teams user: the chat creator is recorded by UPN, not by an internal object ID
| extend ExtUserDomain = tostring(split(AccountId, '@')[1])   // Domain of the external tenant
| where UncommonForUser != "[]"                              // Behaviour analytics: keep only events Defender for Cloud Apps marked uncommon for this user
| summarize InboundChat=count() by ExtUserDomain
| where InboundChat > SprayCounter or ExtUserDomain contains ".onmicrosoft.com" // default tenant domains are flagged even on a single chat

Explanation

This KQL query is designed to help detect suspicious activity involving external Microsoft Teams chats, which could be part of a social engineering attack. Here's a simplified breakdown of what the query does:

  1. Time Frame: It looks at Microsoft Teams chat events from the past hour.

  2. Application and Action: It filters for events specifically from Microsoft Teams where a chat was created.

  3. Chat Type: It keeps only one-on-one chats (CommunicationType is OneOnOne); group chats and meeting chats are excluded. This field does not by itself say which side started the chat: the chat counts as inbound because the account that created it (step 4) is external.

  4. External Users: The actor recorded in AccountId for a ChatCreated event is the user who started the chat. The query assumes that an AccountId containing an "@" (a UPN such as user@otherdomain.com) belongs to a user from another tenant, while your own users appear with an internal identifier instead. Check this assumption against your own CloudAppEvents data before relying on the filter.

  5. Domain Extraction: It extracts the domain part of the external user's email address.

  6. Behavioral Analysis: UncommonForUser is populated by Defender for Cloud Apps behaviour analytics with the reasons an event is unusual for that user; an empty array ("[]") means nothing unusual was observed. Dropping those rows cuts noise from routine external contacts, at the cost of missing a spray that analytics did not flag, so consider removing this line if the threshold alone is quiet enough in your environment.

  7. Counting Chats: It counts the number of inbound chats from each external domain.

  8. Threshold for Detection: It flags an external domain that created more than three inbound 1:1 chats in the hour (the threshold set by SprayCounter), or whose name contains ".onmicrosoft.com". The second condition applies regardless of count: a default *.onmicrosoft.com domain is what a freshly created, typically throwaway, attacker tenant uses, so even a single chat from one is worth a look. Tune SprayCounter to the volume of legitimate external contact your organization normally sees.

The purpose of this query is to help security teams quickly identify and respond to potential threats from external entities using Microsoft Teams, particularly in the context of the social engineering campaign attributed to the Black Basta ransomware group. A confirmed hit can be contained at the tenant level by adding the offending domain to the blocked domains list in the Teams external access settings; organizations that already restrict external Teams communication are far less exposed to this technique in the first place.
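To show how the filters and the threshold interact on concrete events, the following Python reimplements the query's logic over constructed CloudAppEvents-style records. This is an added example, not the author's query or Microsoft's code: the record shape, the placeholder UncommonForUser reason string, and the assumption that external users carry a UPN-style AccountId while internal users carry an object ID are constructed to match the query's own filters.

```python
"""Offline reimplementation of the Teams-spray detection logic.

Example code added for illustration; it is not the query author's code.
The records in SAMPLE_EVENTS are constructed, and the field shapes mirror
the assumptions the KQL makes (UPN-style AccountId for external users,
UncommonForUser as a JSON array of reasons).
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import json

SPRAY_COUNTER = 3            # same threshold as the KQL `SprayCounter`
WINDOW = timedelta(hours=1)  # same window as `Timestamp > ago(1h)`


def is_uncommon(value):
    """Mirror `UncommonForUser != "[]"`: the column is a dynamic array of
    reasons; an empty array or a missing value means nothing was unusual."""
    if value is None:
        return False
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            return False
    return isinstance(value, list) and len(value) > 0


def external_domain(account_id):
    """Assumption carried over from the query: an AccountId containing '@'
    is an external user's UPN; internal users appear as an object ID."""
    if "@" not in account_id:
        return None
    return account_id.rsplit("@", 1)[1].lower()


def detect_teams_spray(events, now, spray_counter=SPRAY_COUNTER, window=WINDOW):
    """Return {domain: (inbound_chat_count, reason)} for external domains that
    exceed the threshold or belong to a default *.onmicrosoft.com tenant."""
    counts = Counter()
    for ev in events:
        if ev["Timestamp"] <= now - window:                      # Timestamp > ago(1h)
            continue
        if ev["Application"] != "Microsoft Teams" or ev["ActionType"] != "ChatCreated":
            continue
        if ev["RawEventData"].get("CommunicationType") != "OneOnOne":
            continue
        domain = external_domain(ev["AccountId"])               # AccountId has "@"
        if domain is None:
            continue
        if not is_uncommon(ev.get("UncommonForUser")):           # UncommonForUser != "[]"
            continue
        counts[domain] += 1
    hits = {}
    for domain, n in counts.items():
        if n > spray_counter:
            hits[domain] = (n, "above threshold")
        elif ".onmicrosoft.com" in domain:                       # flagged even on one chat
            hits[domain] = (n, "onmicrosoft tenant")
    return hits


NOW = datetime(2024, 11, 8, 12, 0, tzinfo=timezone.utc)
REASON = ["Constructed-Reason"]  # placeholder; real UncommonForUser values differ


def _ev(minutes_ago, account, uncommon, comm="OneOnOne",
        action="ChatCreated", app="Microsoft Teams"):
    return {
        "Timestamp": NOW - timedelta(minutes=minutes_ago),
        "Application": app,
        "ActionType": action,
        "AccountId": account,
        "RawEventData": {"CommunicationType": comm},
        "UncommonForUser": uncommon,
    }


# Constructed sample: a spraying tenant, a default-domain tenant sending one
# chat, a partner below threshold, an internal user, a group chat, a stale
# event and an event that behaviour analytics considered normal.
SAMPLE_EVENTS = [
    _ev(5, "helpdesk@contoso-support.com", json.dumps(REASON)),
    _ev(6, "helpdesk@contoso-support.com", json.dumps(REASON)),
    _ev(7, "helpdesk@contoso-support.com", REASON),
    _ev(8, "helpdesk@contoso-support.com", REASON),
    _ev(9, "it.support@fabrikamhelp.onmicrosoft.com", REASON),
    _ev(10, "alice@trusted-partner.example", REASON),
    _ev(11, "alice@trusted-partner.example", REASON),
    _ev(12, "b5f2d1c0-1111-2222-3333-444444444444", REASON),   # internal: no '@'
    _ev(13, "helpdesk@contoso-support.com", REASON, comm="Group"),
    _ev(90, "helpdesk@contoso-support.com", REASON),           # outside the 1h window
    _ev(14, "helpdesk@contoso-support.com", "[]"),             # nothing uncommon
]


def run_sample():
    return detect_teams_spray(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for domain, (n, why) in sorted(run_sample().items()):
        print(f"{domain}: {n} inbound 1:1 chat(s) in the last hour ({why})")
```

Running the file lists only the spraying domain (four chats) and the single-chat onmicrosoft tenant; the partner domain with two chats, the internal user, the group chat, the stale event and the event behaviour analytics considered normal never count. Passing a different spray_counter or window to detect_teams_spray reproduces the tuning discussed in step 8.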

Details


Steven Lim

Released: November 8, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents, Microsoft Teams, AccountId, User, Tenant, Chat, CommunicationType, Timestamp, Application, ActionType, RawEventData, ExtUserDomain

Operators

let, CloudAppEvents, |, where, >, ago, ==, tostring, has, extend, split, summarize, by, or, contains
