Query Details
// https://redcanary.com/blog/threat-intelligence/storm-1811-black-basta/
// https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916
// E.g. approved corporate RMM tools (allowlist), excluded from the results below
let SanctionRMM = dynamic("bomgarcloud.com");
// Lookup list of RMM Tools Url from Microsoft
let RMMList=externaldata(URI: string, RMMTool: string)
[h'https://raw.githubusercontent.com/jischell-msft/RemoteManagementMonitoringTools/refs/heads/main/Network%20Indicators/RMM_SummaryNetworkURI.csv'];
let RMMUrl =
RMMList
| project URI;
MessageUrlInfo
| where Timestamp > ago(1h)
// Scan all external inbound Teams messages for RMM tool URLs
// For example: Storm-1811 abuses RMM tools to drop Black Basta ransomware
| where Url has_any(RMMUrl)
| where not (Url has_any(SanctionRMM))
| join MessageEvents on TeamsMessageId
| where IsExternalThread == "1"
| where ThreadType == "chat"
| where DeliveryLocation == "Teams"
This KQL (Kusto Query Language) query monitors Microsoft Teams messages for links to Remote Monitoring and Management (RMM) tools, a common foothold in social-engineering intrusions. A step-by-step breakdown of what the query does:
Define approved RMM: It starts by defining the sanctioned (approved) RMM tool, in this case bomgarcloud.com, as a dynamic list (SanctionRMM).
Fetch RMM tools list: It retrieves a list of RMM tool URIs from an external CSV file hosted on GitHub via externaldata(), and projects the URI column into RMMUrl. This list is used to identify URLs associated with RMM tools.
Filter Teams URLs: The query looks at URLs extracted from Teams messages in the past hour (Timestamp > ago(1h) on MessageUrlInfo) and keeps any URL that matches a term in the RMM tools list (Url has_any(RMMUrl)).
Exclude approved RMM: It drops any URL that matches the sanctioned RMM tool (bomgarcloud.com), so only potentially unauthorized or suspicious RMM tool links remain.
Join with message events: The query joins the filtered URLs with MessageEvents on TeamsMessageId to pull in the thread and delivery attributes (IsExternalThread, ThreadType, DeliveryLocation) needed for the final filter.
Filter for external chats: It further narrows the results to messages that belong to external threads (conversations with people outside the organization), are of thread type "chat", and were delivered in Teams.
Overall, this query surfaces potentially malicious use of RMM tools in Teams messages, which can be an early indicator of an intrusion such as Storm-1811's abuse of RMM tools to deploy Black Basta ransomware. Review hits for the sender, the specific RMM tool named in the RMMTool column, and whether the recipient already ran the tool.
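The breakdown above can be exercised offline. The following Python is an added example, not code from the original page or from Microsoft: it models the query's pipeline (term matching in the style of KQL has_any against the RMM URI list, the SanctionRMM allowlist exclusion, the inner join on TeamsMessageId, and the external-chat filter) over constructed MessageUrlInfo and MessageEvents rows. The RMM list rows other than bomgarcloud.com, all hostnames under .test and .example, the message ids and the sender addresses are constructed sample data; the token-based has semantics are an approximation of Kusto's and are labelled as such in the code.

```python
"""Offline model of the Teams RMM-URL hunting query (added example, not the page's own code).

Assumptions: MessageUrlInfo rows carry Timestamp/TeamsMessageId/Url, MessageEvents rows carry
TeamsMessageId/IsExternalThread/ThreadType/DeliveryLocation, and IsExternalThread is compared
as the string "1" exactly as the query does.
"""
from __future__ import annotations
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable

NOW = datetime(2025, 5, 17, 12, 0, tzinfo=timezone.utc)  # constructed reference time for ago(1h)

# Constructed stand-in for the externaldata() CSV; only bomgarcloud.com comes from the page.
RMM_LIST = [
    {"URI": "remote.example-rmm.test", "RMMTool": "ExampleRMM"},            # constructed
    {"URI": "bomgarcloud.com", "RMMTool": "BeyondTrust Remote Support"},
    {"URI": "quickassist.example.test", "RMMTool": "ExampleAssist"},        # constructed
]
SANCTIONED_RMM = ["bomgarcloud.com"]  # the SanctionRMM allowlist from the query


def _terms(s: str) -> list[str]:
    """Split a string into alphanumeric terms, lower-cased (approximation of Kusto term indexing)."""
    return re.findall(r"[a-z0-9]+", s.lower())


def kql_has(value: str, term: str) -> bool:
    """Approximate KQL `has`: the term's tokens must appear as a contiguous run of whole tokens.

    So "bomgarcloud.com" matches "https://bomgarcloud.com/x" (tokens bomgarcloud, com)
    but not "notbomgarcloud.com" (token notbomgarcloud), unlike a plain substring test.
    """
    v, t = _terms(value), _terms(term)
    if not t or len(t) > len(v):
        return False
    return any(v[i:i + len(t)] == t for i in range(len(v) - len(t) + 1))


def kql_has_any(value: str, terms: Iterable[str]) -> bool:
    """Approximate KQL `has_any`: true if any term matches."""
    return any(kql_has(value, term) for term in terms)


# Constructed MessageUrlInfo rows: one true positive, one sanctioned tool, one internal
# thread, one outside the 1h window, and one benign URL that only resembles an RMM domain.
MESSAGE_URL_INFO = [
    {"Timestamp": NOW - timedelta(minutes=5), "TeamsMessageId": "msg-001",
     "Url": "https://remote.example-rmm.test/download/agent"},
    {"Timestamp": NOW - timedelta(minutes=10), "TeamsMessageId": "msg-002",
     "Url": "https://bomgarcloud.com/session/abc"},
    {"Timestamp": NOW - timedelta(minutes=20), "TeamsMessageId": "msg-003",
     "Url": "https://quickassist.example.test/join"},
    {"Timestamp": NOW - timedelta(hours=3), "TeamsMessageId": "msg-004",
     "Url": "https://remote.example-rmm.test/agent"},
    {"Timestamp": NOW - timedelta(minutes=2), "TeamsMessageId": "msg-005",
     "Url": "https://docs.example.test/notbomgarcloud.com"},
]

# Constructed MessageEvents rows keyed by TeamsMessageId (the join key in the query).
MESSAGE_EVENTS = [
    {"TeamsMessageId": "msg-001", "IsExternalThread": "1", "ThreadType": "chat",
     "DeliveryLocation": "Teams", "SenderEmailAddress": "user1@partner.example"},
    {"TeamsMessageId": "msg-002", "IsExternalThread": "1", "ThreadType": "chat",
     "DeliveryLocation": "Teams", "SenderEmailAddress": "support@vendor.example"},
    {"TeamsMessageId": "msg-003", "IsExternalThread": "0", "ThreadType": "chat",
     "DeliveryLocation": "Teams", "SenderEmailAddress": "it@corp.example"},
    {"TeamsMessageId": "msg-004", "IsExternalThread": "1", "ThreadType": "chat",
     "DeliveryLocation": "Teams", "SenderEmailAddress": "user2@partner.example"},
    {"TeamsMessageId": "msg-005", "IsExternalThread": "1", "ThreadType": "chat",
     "DeliveryLocation": "Teams", "SenderEmailAddress": "user3@partner.example"},
]


def hunt_rmm_urls(url_info, events, rmm_list, sanctioned, now=NOW, lookback=timedelta(hours=1)):
    """Run the query's pipeline over in-memory rows and return the joined hits."""
    rmm_urls = [row["URI"] for row in rmm_list]            # let RMMUrl = RMMList | project URI
    events_by_id = {e["TeamsMessageId"]: e for e in events}  # innerunique-style join lookup
    hits = []
    for row in url_info:
        if row["Timestamp"] <= now - lookback:             # where Timestamp > ago(1h)
            continue
        if not kql_has_any(row["Url"], rmm_urls):          # where Url has_any(RMMUrl)
            continue
        if kql_has_any(row["Url"], sanctioned):            # where not (Url has_any(SanctionRMM))
            continue
        ev = events_by_id.get(row["TeamsMessageId"])       # join MessageEvents on TeamsMessageId
        if ev is None:
            continue
        if (ev["IsExternalThread"] != "1" or ev["ThreadType"] != "chat"
                or ev["DeliveryLocation"] != "Teams"):
            continue
        hits.append({**row, **ev})
    return hits


if __name__ == "__main__":
    for hit in hunt_rmm_urls(MESSAGE_URL_INFO, MESSAGE_EVENTS, RMM_LIST, SANCTIONED_RMM):
        print(hit["TeamsMessageId"], hit["SenderEmailAddress"], hit["Url"])
```

Only msg-001 survives: msg-002 is the sanctioned tool, msg-003 is an internal thread, msg-004 is older than the lookback, and msg-005 is filtered by the whole-term match rather than a substring match. The sanctioned check is still a has_any, so an allowlist entry such as bomgarcloud.com also suppresses any URL that merely mentions that domain; when tuning SanctionRMM, prefer the exact tool hostnames over broad brand terms.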

Steven Lim
Released: May 17, 2025