Query Details

RULE 01 M365 Teams Guest Invite Bulk

Query

// Rule    : M365 - Teams Bulk Guest User Invitation
// Severity: Medium
// Tactics : InitialAccess, Persistence
// MITRE   : T1136.003 (Create Account: Cloud Account), T1078.004 (Valid Accounts: Cloud Accounts)
// Freq    : PT1H   Period: PT1H
// Description: Detects when a single user adds an unusually high number of
//              distinct guest (B2B, "#EXT#") accounts to Microsoft Teams in a
//              short window, which may indicate data-exfiltration staging or
//              insider threat activity.
//==========================================================================================

let BulkThreshold = 10;        // distinct guests per hour that trigger the rule
let LookbackPeriod = 1h;

OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "MicrosoftTeams"
| where Operation in ("MemberAdded", "TeamsSessionStarted", "InviteAccepted")
// Members is a JSON array; expand every entry rather than reading only Members[0],
// otherwise an event that adds several guests at once counts as a single guest.
// Rows without a Members array (e.g. TeamsSessionStarted) produce no expanded rows.
| mv-expand Member = parse_json(Members)
| extend MemberUPN = tostring(Member.UPN)
| where MemberUPN contains "#EXT#"                     // Entra B2B guest UPN pattern
| summarize
    GuestCount      = dcount(MemberUPN),
    GuestList       = make_set(MemberUPN, 20),
    TeamsInvolved   = make_set(TeamName, 10),
    ClientIPs       = make_set(ClientIP, 10),          // collect IPs instead of splitting the count per IP
    FirstInvite     = min(TimeGenerated),
    LastInvite      = max(TimeGenerated)
    by UserId, UserType, OfficeWorkload
| where GuestCount >= BulkThreshold
| extend
    InviterDomain   = tostring(split(UserId, "@")[1]),
    DurationMinutes = datetime_diff("minute", LastInvite, FirstInvite)
| extend AlertSeverity = case(
    GuestCount >= 30, "High",
    GuestCount >= 15, "Medium",
    "Low")
| project
    TimeGenerated  = LastInvite,
    UserId,
    InviterDomain,
    GuestCount,
    GuestList,
    TeamsInvolved,
    DurationMinutes,
    ClientIPs,
    AlertSeverity

Explanation

This query detects suspicious activity in Microsoft Teams, specifically a single user adding a large number of guest users within a short period. Here's a simplified explanation:

  1. Purpose: The query identifies potential security threats by monitoring for unusually high numbers of guest additions to Microsoft Teams. This can indicate activity such as staging for data theft or an insider sharing internal content with outside parties.

  2. Threshold: The rule fires if a user adds 10 or more distinct guest users within one hour.

  3. Data Source: It analyzes Microsoft Teams records in the OfficeActivity table, focusing on operations that add members to teams. Each such record carries a Members array, and every entry in that array is examined, so one event that adds several guests at once is counted correctly.

  4. Guest Identification: It looks for user principal names (UPNs) containing "#EXT#", the pattern Entra ID gives B2B guest accounts (for example user_partner.com#EXT#@tenant.onmicrosoft.com). Internal members added in the same events are ignored.

  5. Aggregation: For each inviting user, it counts distinct guest UPNs (a guest added to several teams counts once), lists the guests, teams and client IP addresses involved, and records the time range of the additions.

  6. Severity Levels: The alert severity is determined by the number of distinct guests added:

    • High: 30 or more guests
    • Medium: 15 to 29 guests
    • Low: 10 to 14 guests

  7. Output: The query outputs the time of the last addition, the user who performed it, their domain, the number of distinct guests, the list of guests, the teams involved, the duration of the activity in minutes, the client IP address(es) the additions came from, and the alert severity.

Overall, this query helps in identifying and responding to potential security incidents involving bulk guest additions in Microsoft Teams. Expect benign hits from planned onboarding (a partner project kickoff or a migration run by an admin); tune BulkThreshold or exclude known service and onboarding accounts rather than disabling the rule, and use the GuestList domains and ClientIPs to triage whether the guests belong to an expected partner.
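The same detection logic replayed in Python over constructed OfficeActivity-style records, as an added example that is not part of the original page or of Sentinel. It mirrors the steps above (lookback, operation filter, expansion of every Members entry, guest filter, per-inviter aggregation, severity banding) so the edge cases are visible: one event adding three guests, a guest added twice, an internal user mixed into a guest event, a record outside the lookback, and a session event with no Members array. The record shape, user names, guest UPNs and IP addresses are all assumed sample data.

```python
"""Added example: the bulk-guest-invite rule replayed over constructed
OfficeActivity-style records. Not Sentinel or Microsoft code; the record
keys (RecordType, Operation, UserId, Members, TeamName, ClientIP,
TimeGenerated) follow the columns the KQL rule reads."""
import json
from datetime import datetime, timedelta, timezone

BULK_THRESHOLD = 10   # distinct guests per hour, same as the KQL rule


def is_guest_upn(upn: str) -> bool:
    """Entra B2B guests carry '#EXT#' in the UPN,
    e.g. alice_partner.example#EXT#@contoso.onmicrosoft.com"""
    return "#EXT#" in upn.upper()


def severity(guest_count: int) -> str:
    """Same banding as the case() in the KQL."""
    if guest_count >= 30:
        return "High"
    if guest_count >= 15:
        return "Medium"
    return "Low"


def detect_bulk_guest_invites(records, now, lookback=timedelta(hours=1),
                              threshold=BULK_THRESHOLD):
    """Keep Teams member-add events inside the lookback, expand every
    member of each event (not only Members[0]), keep guests, aggregate
    per inviter and return one alert per inviter above the threshold."""
    per_user = {}
    for r in records:
        if r["RecordType"] != "MicrosoftTeams":
            continue
        if r["Operation"] not in ("MemberAdded", "InviteAccepted"):
            continue
        if r["TimeGenerated"] <= now - lookback:      # TimeGenerated > ago(1h)
            continue
        for m in json.loads(r.get("Members") or "[]"):
            upn = m.get("UPN", "")
            if not is_guest_upn(upn):
                continue
            agg = per_user.setdefault(r["UserId"], {
                "guests": set(), "teams": set(), "ips": set(),
                "first": r["TimeGenerated"], "last": r["TimeGenerated"]})
            agg["guests"].add(upn)                     # set => dcount semantics
            agg["teams"].add(r["TeamName"])
            agg["ips"].add(r["ClientIP"])
            agg["first"] = min(agg["first"], r["TimeGenerated"])
            agg["last"] = max(agg["last"], r["TimeGenerated"])
    alerts = []
    for user, agg in per_user.items():
        count = len(agg["guests"])
        if count < threshold:
            continue
        alerts.append({
            "TimeGenerated": agg["last"],
            "UserId": user,
            "InviterDomain": user.split("@")[1],
            "GuestCount": count,
            "GuestList": sorted(agg["guests"])[:20],
            "TeamsInvolved": sorted(agg["teams"])[:10],
            "DurationMinutes": int((agg["last"] - agg["first"]).total_seconds() // 60),
            "ClientIPs": sorted(agg["ips"]),
            "AlertSeverity": severity(count),
        })
    return alerts


# --- constructed sample telemetry (not real data) ---------------------------
NOW = datetime(2026, 3, 18, 12, 0, tzinfo=timezone.utc)
ALICE, BOB, CAROL = "alice@contoso.com", "bob@contoso.com", "carol@contoso.com"
IP_A, IP_B = "203.0.113.5", "198.51.100.7"


def guest(n: int) -> str:
    return f"g{n}_partner.example#EXT#@contoso.onmicrosoft.com"


def event(minutes_ago, user, team, upns, ip, op="MemberAdded"):
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "RecordType": "MicrosoftTeams", "Operation": op,
        "UserId": user, "TeamName": team, "ClientIP": ip,
        "Members": json.dumps([{"UPN": u} for u in upns]),
    }


SAMPLE_RECORDS = [
    # alice: 12 distinct guests across 3 teams and 2 IPs within 35 minutes
    event(50, ALICE, "Finance", [guest(1), guest(2), guest(3)], IP_A),   # one event, three guests
    event(40, ALICE, "Finance", [guest(4)], IP_A),
    event(35, ALICE, "Legal", [guest(5), guest(6)], IP_B),
    event(30, ALICE, "Legal", [guest(7), guest(8), guest(9)], IP_B),
    event(20, ALICE, "M&A", [guest(10), guest(11), guest(12)], IP_A),
    event(15, ALICE, "M&A", [guest(1), "dave@contoso.com"], IP_A),      # repeat guest + internal user
    event(90, ALICE, "Finance", [guest(13), guest(14)], IP_A),           # outside the 1h lookback
    event(10, ALICE, "Finance", [], IP_A, op="TeamsSessionStarted"),     # no Members array
    # bob: 3 guests, below threshold
    event(45, BOB, "Sales", [guest(21), guest(22), guest(23)], IP_A),
    # carol: 15 internal users, no guests at all
    event(55, CAROL, "Eng", [f"u{i}@contoso.com" for i in range(15)], IP_B),
]


def run_sample():
    """Run the detection over the constructed records."""
    return detect_bulk_guest_invites(SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert, default=str, indent=2))
```

Only alice produces an alert (12 distinct guests, Low band, 35 minutes, two client IPs); bob is below the threshold and carol added no guests. Had the code read only the first member of each event, alice would have counted 6 guests and stayed under the threshold, which is the undercount the mv-expand in the KQL avoids.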

Details

David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

OfficeActivity, MicrosoftTeams, User, MemberAdded, TeamsSessionStarted, InviteAccepted, Guest, UserId, UserType, ClientIP, OfficeWorkload, TeamName, InviterDomain, AlertSeverity, TimeGenerated

Operators

let, ago(), in, or, extend, tostring(), parse_json(), has, summarize, dcount(), make_set(), min(), max(), by, where, split(), datetime_diff(), case(), project