Query Details

Detecting TeamsPhisher Attack With Azure Sentinel

Query

//Detecting TeamsPhisher attack with Azure Sentinel
//https://www.linkedin.com/pulse/detecting-teamsphisher-attack-azure-sentinel-steven-lim/

OfficeActivity
| where TimeGenerated > ago(1h)                          // Run on a matching 1h schedule
| where RecordType =~ 'MicrosoftTeams'                   // =~ is case-insensitive
| where Operation == "MessageCreatedHasLink"             // Teams chat messages that carry a URL
| where CommunicationType == "OneOnOne" or CommunicationType == "GroupChat"
| where UserId !endswith "your_corporate_domain_1"       // Filter off all internal Teams users; replace the placeholders with your tenant domains
and UserId !endswith "your_corporate_domain_2"
and UserId !endswith "your_corporate_domain_3"
| extend UserDomains = tostring(split(UserId, '@')[1])   // Sender's domain (kept for triage, not used by the join)
// ClientIP is logged as an IPv4-mapped IPv6 literal ("::ffff:a.b.c.d"); strip the prefix when present,
// otherwise keep the address as-is so rows with a bare IPv4 value are not silently dropped
| extend UserIPs = iff(ClientIP startswith "::ffff:", tostring(split(ClientIP, '::ffff:')[1]), ClientIP)
| where isnotempty(UserIPs)
| distinct UserIPs
| join ThreatIntelligenceIndicator on $left.UserIPs == $right.NetworkIP


Explanation

This KQL (Kusto Query Language) query is designed to detect a TeamsPhisher-style phishing attempt in Microsoft Teams using Azure Sentinel: a user from an external tenant sending a chat message that carries a link. Here's a breakdown of what the query does:

  1. Data Source: It starts from the OfficeActivity table, which holds the Office 365 unified audit log, including Teams events.
  2. Time Filter: It looks only at events generated in the last hour (TimeGenerated > ago(1h)), so it is meant to run on a matching one-hour schedule.
  3. Record Type: It keeps records related to Microsoft Teams (RecordType =~ 'MicrosoftTeams'; =~ is a case-insensitive comparison).
  4. Operation Type: It keeps messages that contain a link (Operation == "MessageCreatedHasLink").
  5. Communication Type: It keeps one-on-one and group chat messages only (CommunicationType == "OneOnOne" or CommunicationType == "GroupChat"), which is where an external sender reaches an employee directly.
  6. Exclude Internal Users: It drops messages whose sender UserId ends with one of the listed corporate domains (UserId !endswith "your_corporate_domain_1", etc.), leaving external senders. The "your_corporate_domain_n" strings are placeholders and must be replaced with the tenant's own domains (including its *.onmicrosoft.com domain) before the query is useful.
  7. Extract Domains and IPs: It extracts the domain part of UserId into UserDomains (a column the later steps do not use) and derives UserIPs from ClientIP, which the split on '::ffff:' implies is logged as an IPv4-mapped IPv6 literal (::ffff:a.b.c.d); the split keeps the a.b.c.d part.
  8. Filter Empty IPs: It discards rows where no IP address could be extracted.
  9. Unique IPs: It reduces the result to distinct IP addresses.
  10. Threat Intelligence Matching: Finally, it joins those IPs against the ThreatIntelligenceIndicator table on NetworkIP, so only senders whose source IP matches an ingested indicator are returned.

In essence, this query identifies external users sending link-bearing messages in Microsoft Teams and checks whether their source IP addresses appear in the tenant's threat intelligence indicators, surfacing likely phishing attempts. A few caveats when deploying it: a ClientIP logged as a bare IPv4 address yields an empty string from a split on '::ffff:' alone and is silently dropped, so normalise the address with a prefix check rather than relying on the split by itself; the join does not filter the indicator table, so stale or inactive indicators (Active == false, or ExpirationDateTime in the past) also match unless they are filtered out first; and because distinct UserIPs discards the sender, message and chat identifiers, triage needs a second pass over OfficeActivity to recover which external user sent which message. The query also only catches senders whose IP is already known to threat intelligence, so it is one signal to run alongside external-access policy controls rather than a complete detection.
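As an added worked example (not part of the original page and not Steven Lim's query), the same filter chain run in Python over a handful of constructed OfficeActivity and ThreatIntelligenceIndicator rows, so the behaviour can be checked offline. It goes slightly beyond the KQL in two places a practitioner would want: the IP normaliser keeps bare IPv4 values instead of dropping them, and the indicator set is restricted to active, unexpired entries. The domain names, IP addresses, sample rows and helper names (is_external, client_ip, detect) are all assumptions of this example.

```python
"""Offline stand-in for the Teams link-message / threat-intel join described above.

Constructed sample data only; nothing here reads Sentinel. Field names follow the
OfficeActivity and ThreatIntelligenceIndicator columns used in the query
(RecordType, Operation, CommunicationType, UserId, ClientIP, NetworkIP);
the helper names are this example's own.
"""
from datetime import datetime, timedelta, timezone

# Placeholder tenant domains (assumption), standing in for "your_corporate_domain_n".
CORPORATE_DOMAINS = ("contoso.com", "contoso.onmicrosoft.com")

# Fixed "now" so the run is reproducible.
NOW = datetime(2024, 8, 2, 12, 0, tzinfo=timezone.utc)

# Constructed OfficeActivity rows (Teams audit events). ClientIP appears both as an
# IPv4-mapped IPv6 literal ("::ffff:a.b.c.d"), which the original split() handles,
# and as a bare IPv4, which a split on "::ffff:" alone would silently drop.
OFFICE_ACTIVITY = [
    {"TimeGenerated": NOW - timedelta(minutes=5), "RecordType": "MicrosoftTeams",
     "Operation": "MessageCreatedHasLink", "CommunicationType": "OneOnOne",
     "UserId": "helpdesk@evil-tenant.onmicrosoft.com", "ClientIP": "::ffff:203.0.113.10"},
    {"TimeGenerated": NOW - timedelta(minutes=7), "RecordType": "MicrosoftTeams",
     "Operation": "MessageCreatedHasLink", "CommunicationType": "GroupChat",
     "UserId": "alice@contoso.com", "ClientIP": "::ffff:198.51.100.5"},    # internal sender
    {"TimeGenerated": NOW - timedelta(minutes=9), "RecordType": "MicrosoftTeams",
     "Operation": "MessageCreated", "CommunicationType": "OneOnOne",
     "UserId": "partner@vendor.example", "ClientIP": "::ffff:203.0.113.10"},  # no link
    {"TimeGenerated": NOW - timedelta(minutes=12), "RecordType": "MicrosoftTeams",
     "Operation": "MessageCreatedHasLink", "CommunicationType": "OneOnOne",
     "UserId": "it-support@phish.example", "ClientIP": "203.0.113.77"},      # bare IPv4
    {"TimeGenerated": NOW - timedelta(hours=3), "RecordType": "MicrosoftTeams",
     "Operation": "MessageCreatedHasLink", "CommunicationType": "OneOnOne",
     "UserId": "old@phish.example", "ClientIP": "::ffff:203.0.113.77"},      # outside 1h window
]

# Constructed ThreatIntelligenceIndicator rows. The original query joins on NetworkIP
# only; Active / ExpirationDateTime are the extra checks applied here.
THREAT_INTEL = [
    {"NetworkIP": "203.0.113.10", "Active": True,
     "ExpirationDateTime": NOW + timedelta(days=30), "Description": "Teams phishing infra"},
    {"NetworkIP": "203.0.113.77", "Active": True,
     "ExpirationDateTime": NOW + timedelta(days=30), "Description": "Phishing sender"},
    {"NetworkIP": "198.51.100.5", "Active": False,
     "ExpirationDateTime": NOW - timedelta(days=1), "Description": "Expired indicator"},
]


def is_external(user_id, corporate_domains=CORPORATE_DOMAINS):
    """Mirror of the chained `UserId !endswith ...` filters (case-insensitive, like KQL endswith)."""
    uid = user_id.lower()
    return not any(uid.endswith(d.lower()) for d in corporate_domains)


def client_ip(raw):
    """Normalise ClientIP: strip the IPv4-mapped prefix if present, keep bare addresses as-is."""
    prefix = "::ffff:"
    return raw[len(prefix):] if raw.startswith(prefix) else raw


def detect(events, indicators, now=NOW, window=timedelta(hours=1)):
    """Return {ip: [sender UserIds]} for external link messages whose source IP is an active TI hit."""
    active = {i["NetworkIP"]: i for i in indicators
              if i["Active"] and i["ExpirationDateTime"] > now}
    hits = {}
    for e in events:
        if e["TimeGenerated"] <= now - window:                 # TimeGenerated > ago(1h)
            continue
        if e["RecordType"].lower() != "microsoftteams":        # RecordType =~ 'MicrosoftTeams'
            continue
        if e["Operation"] != "MessageCreatedHasLink":
            continue
        if e["CommunicationType"] not in ("OneOnOne", "GroupChat"):
            continue
        if not is_external(e["UserId"]):
            continue
        ip = client_ip(e["ClientIP"])
        if not ip or ip not in active:                         # the join on NetworkIP
            continue
        hits.setdefault(ip, []).append(e["UserId"])            # keep sender context for triage
    return hits


if __name__ == "__main__":
    for ip, senders in detect(OFFICE_ACTIVITY, THREAT_INTEL).items():
        print(f"{ip}: {sorted(senders)}")
```

Running it reports the two external senders whose IPs match an active indicator, one of them from the bare-IPv4 row the original split would have lost; the internal sender, the link-less message and the event outside the one-hour window are all filtered out. Unlike `distinct UserIPs`, the result keeps the sender identity per IP, which is what an analyst needs first when the alert fires.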

Details


Steven Lim

Released: August 2, 2024

Tables

OfficeActivity, ThreatIntelligenceIndicator

Keywords

OfficeActivity, MicrosoftTeams, MessageCreatedHasLink, OneOnOne, GroupChat, UserId, UserDomains, UserIPs, ClientIP, ThreatIntelligenceIndicator, NetworkIP

Operators

ago, =~, ==, or, !endswith, and, extend, tostring, split, !=, distinct, join, on
