Query Details

RULE 02 M365 Teams Guest Activity Sensitive Channel

Query

// Rule    : M365 - Teams External Guest Message in Sensitive Channel
// Severity: Medium
// Tactics : Collection, Exfiltration
// MITRE   : T1213.005 (Data from Information Repositories: Messaging Applications),
//           T1537 (Transfer Data to Cloud Account)
// Freq    : PT1H   Period: PT1H
// Description: Flags when a guest user (external account) sends messages or
//              shares files in Teams channels that are likely sensitive
//              (internal-only, security, finance, exec naming patterns).
//==========================================================================================

// has_any matches whole terms, not prefixes: "infrastr" would never match a channel
// named "Infrastructure", so the list must hold complete words.
let SensitiveChannelPatterns = dynamic([
    "security", "finance", "exec", "board", "legal", "hr", "payroll",
    "confidential", "restricted", "secret", "infrastructure", "soc", "threat"
]);
let LookbackPeriod = 1h;

OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "MicrosoftTeams"
| where Operation in ("MessageCreatedHasLink", "MessageCreated", "FileSent", "FileShared")
| where UserId has "#EXT#"     // B2B guest UPNs: <local>_<homedomain>#EXT#@<this-tenant>
| extend ChannelLower = tolower(tostring(ChannelName))
| where ChannelLower has_any (SensitiveChannelPatterns)
    or CommunicationType == "OneOnOne"     // any guest 1:1 chat, regardless of channel name
| summarize
    MessageCount    = count(),
    Channels        = make_set(ChannelName, 10),
    Teams           = make_set(TeamName, 10),
    FilesShared     = countif(Operation in ("FileSent", "FileShared")),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
    by UserId, ClientIP, UserAgent
// The guest's home domain sits between the last "_" and "#EXT#"; the text after "@"
// is this tenant's own domain, so extracting "#EXT#@(.+)" would return the wrong value.
| extend GuestDomain = tostring(extract(@"_([^_]+)#EXT#@", 1, UserId))
| extend AlertSeverity = case(
    FilesShared > 5, "High",
    MessageCount > 20, "Medium",
    "Low")
| project
    TimeGenerated  = LastSeen,
    UserId,
    GuestDomain,
    MessageCount,
    FilesShared,
    Channels,
    Teams,
    ClientIP,
    AlertSeverity

Explanation

This query monitors Microsoft Teams audit activity for external guest users who post messages or share files in channels that are likely sensitive. Here is a breakdown of what the query does:

  1. Purpose: The query detects when an external guest user sends messages or shares files in Teams channels whose names suggest internal-only use, such as channels for security, finance, legal, HR or executive matters.

  2. Time Frame: It looks at activities from the last hour. This matches the rule's one-hour frequency and one-hour period, so each run covers a fresh window without gaps or double counting.

  3. Data Source: The query reads OfficeActivity records whose RecordType is "MicrosoftTeams", that is, Teams events from the Microsoft 365 unified audit log.

  4. Conditions:

    • It filters for message creation and file sharing operations.
    • It keeps only actions performed by guest users, identified by "#EXT#" in the user ID. Azure AD B2B guests appear as local_homedomain#EXT#@tenant, so the home domain of the guest is encoded before "#EXT#".
    • It checks whether the lower-cased channel name contains any keyword from a predefined list of sensitive terms (e.g., "security", "finance"). The match is on whole terms, so "Finance - Q1 Close" matches "finance", but a partial word in the list would match nothing.
    • It also includes any one-on-one chat sent by a guest, regardless of channel name, since a direct message has no channel name to match against.
  5. Aggregation:

    • The query groups the data by guest user ID, client IP and user agent, counting the messages and the file-sharing operations for each group.
    • It lists up to ten channels and ten teams involved.
    • It records the first and last time the activity was seen.
    • It extracts the guest user's home domain for further analysis, for example to spot an unknown partner domain.
  6. Alert Severity:

    • The severity is derived from the counts: more than 5 files shared gives "High", otherwise more than 20 messages gives "Medium", and anything less is "Low".
  7. Final Output:

    • The query projects one row per group with the time of the last activity, user ID, guest domain, message and file counts, involved channels and teams, client IP, and the computed alert severity.

This query helps organizations spot potential data exfiltration involving external users in sensitive communication channels. Because the channel match is keyword based and the one-on-one clause fires for every guest direct message, expect noise in tenants with active partner collaboration; tune the keyword list to the tenant's naming conventions and allow-list known partner domains before raising the severity of the rule.
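The following is an added example, not code from the original page or its author: a Python re-implementation of the rule's filtering, grouping and severity logic, run over constructed OfficeActivity-style records so the behaviour can be checked offline. Field names mirror the columns the KQL rule uses; the records, IP addresses and domains are synthetic. It also shows the two guest-UPN parsing choices side by side: the part after "#EXT#@" is the resource tenant's domain, while the guest's home domain is the segment before "#EXT#". Whole-term matching is simulated by splitting on non-alphanumerics, which approximates how KQL's has_any behaves.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Teams audit records (synthetic; not from any real tenant).
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-03-18T09:00:00Z", "RecordType": "MicrosoftTeams", "Operation": "MessageCreatedHasLink",
     "CommunicationType": "Team", "UserId": "alice_partner.example#EXT#@contoso.onmicrosoft.com",
     "ChannelName": "Finance - Q1 Close", "TeamName": "Finance", "ClientIP": "203.0.113.10"},
    {"TimeGenerated": "2026-03-18T09:05:00Z", "RecordType": "MicrosoftTeams", "Operation": "FileShared",
     "CommunicationType": "Team", "UserId": "alice_partner.example#EXT#@contoso.onmicrosoft.com",
     "ChannelName": "Finance - Q1 Close", "TeamName": "Finance", "ClientIP": "203.0.113.10"},
    {"TimeGenerated": "2026-03-18T09:10:00Z", "RecordType": "MicrosoftTeams", "Operation": "FileShared",
     "CommunicationType": "Team", "UserId": "alice_partner.example#EXT#@contoso.onmicrosoft.com",
     "ChannelName": "General", "TeamName": "Marketing", "ClientIP": "203.0.113.10"},   # not sensitive
    {"TimeGenerated": "2026-03-18T09:12:00Z", "RecordType": "MicrosoftTeams", "Operation": "MessageCreated",
     "CommunicationType": "OneOnOne", "UserId": "bob_vendor.example#EXT#@contoso.onmicrosoft.com",
     "ChannelName": "", "TeamName": "", "ClientIP": "198.51.100.7"},                    # guest DM
    {"TimeGenerated": "2026-03-18T09:15:00Z", "RecordType": "MicrosoftTeams", "Operation": "MessageCreated",
     "CommunicationType": "Team", "UserId": "carol@contoso.com",
     "ChannelName": "Security Ops", "TeamName": "SOC", "ClientIP": "10.0.0.5"},         # internal user
    {"TimeGenerated": "2026-03-18T09:20:00Z", "RecordType": "MicrosoftTeams", "Operation": "MessageRead",
     "CommunicationType": "Team", "UserId": "alice_partner.example#EXT#@contoso.onmicrosoft.com",
     "ChannelName": "Finance - Q1 Close", "TeamName": "Finance", "ClientIP": "203.0.113.10"},  # not watched
]
DEMO_LOOKBACK_START = datetime(2026, 3, 18, 8, 30, tzinfo=timezone.utc)

SENSITIVE_PATTERNS = ["security", "finance", "exec", "board", "legal", "hr", "payroll",
                      "confidential", "restricted", "secret", "infrastructure", "soc", "threat"]
WATCHED_OPERATIONS = {"MessageCreatedHasLink", "MessageCreated", "FileSent", "FileShared"}
FILE_OPERATIONS = {"FileSent", "FileShared"}

# B2B guest UPN shape in the audit log: <local>_<home-domain>#EXT#@<resource-tenant-domain>
GUEST_UPN = re.compile(r"_([^_]+)#EXT#@(.+)$")


def is_guest(user_id):
    return "#EXT#" in user_id


def guest_home_domain(user_id):
    """Domain the guest actually belongs to (segment between the last '_' and '#EXT#')."""
    m = GUEST_UPN.search(user_id)
    return m.group(1) if m else None


def resource_tenant_domain(user_id):
    """What extract(@"#EXT#@(.+)") returns: our own tenant, not the guest's domain."""
    m = GUEST_UPN.search(user_id)
    return m.group(2) if m else None


def has_any_term(text, patterns):
    """Approximates KQL has_any: whole-term match, so prefixes such as 'infrastr' never hit."""
    terms = set(re.split(r"[^a-z0-9]+", text.lower())) - {""}
    return any(p in terms for p in patterns)


def severity(files_shared, message_count):
    if files_shared > 5:
        return "High"
    if message_count > 20:
        return "Medium"
    return "Low"


def run_detection(records, lookback_start):
    """Apply the rule's filters and summarize per (UserId, ClientIP); returns rows sorted by UserId."""
    groups = defaultdict(lambda: {"MessageCount": 0, "FilesShared": 0, "Channels": set(),
                                  "Teams": set(), "FirstSeen": None, "LastSeen": None})
    for r in records:
        ts = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
        if ts <= lookback_start or r["RecordType"] != "MicrosoftTeams":
            continue
        if r["Operation"] not in WATCHED_OPERATIONS or not is_guest(r["UserId"]):
            continue
        if not (has_any_term(r["ChannelName"], SENSITIVE_PATTERNS) or r["CommunicationType"] == "OneOnOne"):
            continue
        g = groups[(r["UserId"], r["ClientIP"])]
        g["MessageCount"] += 1
        g["FilesShared"] += 1 if r["Operation"] in FILE_OPERATIONS else 0
        if r["ChannelName"]:
            g["Channels"].add(r["ChannelName"])
        if r["TeamName"]:
            g["Teams"].add(r["TeamName"])
        g["FirstSeen"] = ts if g["FirstSeen"] is None else min(g["FirstSeen"], ts)
        g["LastSeen"] = ts if g["LastSeen"] is None else max(g["LastSeen"], ts)
    rows = []
    for (user_id, client_ip), g in groups.items():
        rows.append({"TimeGenerated": g["LastSeen"], "UserId": user_id,
                     "GuestDomain": guest_home_domain(user_id), "MessageCount": g["MessageCount"],
                     "FilesShared": g["FilesShared"], "Channels": sorted(g["Channels"]),
                     "Teams": sorted(g["Teams"]), "ClientIP": client_ip,
                     "AlertSeverity": severity(g["FilesShared"], g["MessageCount"])})
    return sorted(rows, key=lambda row: row["UserId"])


if __name__ == "__main__":
    for row in run_detection(SAMPLE_RECORDS, DEMO_LOOKBACK_START):
        print(row)
```

Against the sample set the internal user, the non-sensitive "General" channel and the MessageRead event all drop out, leaving one row for the guest in the Finance channel and one for the guest direct message. The two domain helpers make the parsing pitfall concrete: for the same UPN one returns partner.example and the other contoso.onmicrosoft.com, and only the former is useful for triage.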

Details

David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

OfficeActivity, MicrosoftTeams, UserId, ChannelName, TeamName, ClientIP, UserAgent, GuestDomain

Operators

let, dynamic, ago, in, has, tolower, tostring, has_any, summarize, count, make_set, countif, min, max, by, extract, case, project