Query Details
// Rule : M365 - Teams Application or Bot Added to Channel (Suspicious App)
// Severity: Medium
// Tactics : Persistence, Execution
// MITRE : T1546 (Event Triggered Execution), T1059 (Command and Scripting Interpreter)
// Freq : PT1H Period: PT1H
// Description: Detects installation of bots or third-party applications into Teams
// channels, particularly those associated with known post-exploitation
// tooling names or unexpected app publishers.
//==========================================================================================
let SuspiciousAppPatterns = dynamic([
    "ngrok", "webhook", "tunnel", "shell", "exec", "bot", "forward",
    "proxy", "exfil", "revealer", "bypass"
]);
let LookbackPeriod = 1h;
OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "MicrosoftTeams"
| where Operation in ("AppInstalled", "BotAddedToTeam", "TabAdded", "ConnectorAdded")
// App name is taken from the first ExtraProperties entry; the lowercased copy is used for matching
| extend AppNameRaw = tostring(parse_json(ExtraProperties)[0].Value)
| extend AppLower = tolower(AppNameRaw)
// has_any is term-based: "ngrok-tunnel" matches "ngrok", but "robotics" does not match "bot"
| extend IsSuspicious = AppLower has_any (SuspiciousAppPatterns)
// countif() > 0 is a true logical "any"; KQL any() is an alias of take_any() and returns an arbitrary row's value
| summarize
    InstallCount = count(),
    AppsInstalled = make_set(AppNameRaw, 10),
    TeamsAffected = make_set(TeamName, 10),
    Channels = make_set(ChannelName, 10),
    IsSuspicious = countif(IsSuspicious) > 0,
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserId, ClientIP
| extend AlertSeverity = case(
    IsSuspicious == true, "High",
    InstallCount > 5, "Medium",
    "Low")
| project
    TimeGenerated = LastSeen,
    UserId,
    AppsInstalled,
    TeamsAffected,
    Channels,
    InstallCount,
    IsSuspicious,
    ClientIP,
    AlertSeverity
This query is designed to detect potentially suspicious activities related to the installation of applications or bots in Microsoft Teams channels. Here's a simplified breakdown of what it does:
Purpose: The query aims to identify when bots or third-party applications are added to Teams channels, especially those that might be associated with malicious activities or unexpected publishers.
Suspicious Patterns: It looks for specific keywords in app names that are often linked to suspicious activities, such as "ngrok", "webhook", "tunnel", and others.
Time Frame: The query examines activities within the last hour.
Data Source: It filters data from the OfficeActivity table, focusing on records related to Microsoft Teams operations like app installations or bot additions.
Processing: For each matching event it reads the app name from the first ExtraProperties entry, lowercases it, and flags the event if the name contains any of the suspicious keywords. Events are then grouped by user and client IP, collecting the distinct app names, teams and channels (up to 10 each), the number of installs, and the first and last timestamps.
Alerting: Each group is assigned a severity: High if any app in the group matched a suspicious keyword, Medium if more than five installs occurred, and Low otherwise.
Output: The query produces a summary that includes the time of the last install, the user, the apps installed, the teams and channels affected, the install count, the suspicious flag, the client IP, and the alert severity.
This helps in monitoring and responding to potential security threats related to unauthorized or suspicious app installations in Teams.
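The following Python model replays the rule's logic (lookback filter, operation filter, term-based keyword match, per-user/IP aggregation and severity tiers) over a handful of constructed OfficeActivity-style records, so the detection can be sanity-checked offline before it is deployed. It is an added example, not the page's own query or any Microsoft code; the record shape, key names, user names and IP addresses are constructed for this example, and `has_any_term` is only an approximation of KQL's term-based `has_any`.

```python
"""Offline model of the Teams suspicious-app detection (added example; this is
not the page's own KQL and not Microsoft code). It replays the query's filter,
term match, per-user/IP aggregation and severity tiers over constructed
OfficeActivity-style records. Field names mirror the columns the query reads;
record values are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SUSPICIOUS_APP_PATTERNS = [
    "ngrok", "webhook", "tunnel", "shell", "exec", "bot", "forward",
    "proxy", "exfil", "revealer", "bypass",
]
WATCHED_OPERATIONS = {"AppInstalled", "BotAddedToTeam", "TabAdded", "ConnectorAdded"}
LOOKBACK = timedelta(hours=1)
MAX_SET_SIZE = 10  # mirrors make_set(col, 10)


def has_any_term(text: str, patterns) -> bool:
    """Approximation of KQL `has_any`: `has` is term-based, so a pattern must
    equal a whole alphanumeric token of the text rather than occur as an
    arbitrary substring. "ngrok-tunnel" therefore matches "ngrok", while
    "Robotics" does not match "bot"."""
    terms = set(re.findall(r"[a-z0-9]+", text.lower()))
    return any(p.lower() in terms for p in patterns)


def alert_severity(is_suspicious: bool, install_count: int) -> str:
    """Same tiering as the query's case() expression."""
    if is_suspicious:
        return "High"
    if install_count > 5:
        return "Medium"
    return "Low"


def make_set(values, max_size=MAX_SET_SIZE):
    """Distinct values in first-seen order, capped like make_set(col, n)."""
    out = []
    for v in values:
        if v not in out:
            out.append(v)
    return out[:max_size]


def run_detection(records, now):
    """Replay the query over dict records; one result row per (UserId, ClientIP)."""
    cutoff = now - LOOKBACK
    groups = defaultdict(list)
    for rec in records:
        if rec["TimeGenerated"] <= cutoff:           # where TimeGenerated > ago(1h)
            continue
        if rec["RecordType"] != "MicrosoftTeams":    # where RecordType == "MicrosoftTeams"
            continue
        if rec["Operation"] not in WATCHED_OPERATIONS:
            continue
        groups[(rec["UserId"], rec["ClientIP"])].append(rec)

    rows = []
    for (user, ip), recs in groups.items():
        app_names = [r["ExtraProperties"][0]["Value"] for r in recs]
        # Logical "any row suspicious" (KQL any() is take_any, i.e. an arbitrary row).
        is_suspicious = any(has_any_term(n, SUSPICIOUS_APP_PATTERNS) for n in app_names)
        count = len(recs)
        rows.append({
            "TimeGenerated": max(r["TimeGenerated"] for r in recs),
            "UserId": user,
            "AppsInstalled": make_set(app_names),
            "TeamsAffected": make_set(r["TeamName"] for r in recs),
            "Channels": make_set(r["ChannelName"] for r in recs),
            "InstallCount": count,
            "IsSuspicious": is_suspicious,
            "ClientIP": ip,
            "AlertSeverity": alert_severity(is_suspicious, count),
        })
    return rows


NOW = datetime(2026, 3, 18, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def _rec(minutes_ago, user, ip, op, app, team="Engineering", channel="General"):
    """Constructed record; the ExtraProperties key name is not taken from the real schema."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "RecordType": "MicrosoftTeams",
        "Operation": op,
        "UserId": user,
        "ClientIP": ip,
        "TeamName": team,
        "ChannelName": channel,
        "ExtraProperties": [{"Key": "AppName", "Value": app}],
    }


SAMPLE_RECORDS = [  # constructed events
    _rec(5, "alice@contoso.example", "203.0.113.10", "AppInstalled", "Planner"),
    _rec(4, "alice@contoso.example", "203.0.113.10", "TabAdded", "Robotics Club Wiki"),
    _rec(20, "bob@contoso.example", "198.51.100.7", "BotAddedToTeam", "ngrok-tunnel relay"),
    _rec(180, "bob@contoso.example", "198.51.100.7", "BotAddedToTeam", "exfil helper"),  # outside lookback
    _rec(30, "bob@contoso.example", "198.51.100.7", "MemberAdded", "ignored"),  # unwatched operation
] + [_rec(10 + i, "carol@contoso.example", "192.0.2.5", "TabAdded", f"Dashboard {i}") for i in range(6)]


def detect(records=SAMPLE_RECORDS, now=NOW):
    """Convenience wrapper: result rows keyed by UserId."""
    return {row["UserId"]: row for row in run_detection(records, now)}


if __name__ == "__main__":
    for row in run_detection(SAMPLE_RECORDS, NOW):
        print(row["UserId"], row["AlertSeverity"], row["InstallCount"], row["AppsInstalled"])
```

Running it shows the three tiers side by side: the "ngrok-tunnel relay" bot is rated High, six benign tab additions from one user in an hour are rated Medium on volume alone, and "Robotics Club Wiki" stays Low because term matching does not treat "bot" inside "Robotics" as a hit. Events older than the lookback and operations outside the watched set are dropped before aggregation, which is why the three-hour-old "exfil helper" record does not raise the severity for that user.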

David Alonso
Released: March 18, 2026