KQL Search

Query Details

HomeAI ToolsDevice Query

Sniffing Out UNC3944 On Teams

Query

// Spidey Senses Tingling: Sniffing Out UNC3944 on Teams

let M365Domains =
IdentityInfo
| summarize arg_max(Timestamp, *) by AccountUpn
| where isnotempty(AccountDomain)
| distinct tolower(AccountDomain);
let MonitorDomainKeyword =dynamic(["connect","corp","duo","help","he1p","helpdesk",
"helpnow","info","internal","mfa","my","okta","onelogin","schedule","service","servicedesk","servicenow",
"rci","rsa","sso","ssp","support","usa","vpn","work","dev","workspace","it","ops"]);
MessageEvents
| where Timestamp > ago(1h)
| join MessageUrlInfo on TeamsMessageId
| extend SenderDomain = tolower(tostring(split(SenderEmailAddress, '@')[1]))
| where not(SenderDomain has_any(M365Domains))        // External Teams Inbound Message Detected
| where SenderDomain has_any(MonitorDomainKeyword)    // Check domain keyword match for Scattered Spider TTPs

Explanation

This query is designed to detect potentially suspicious activity on Microsoft Teams by identifying messages from external domains that might be associated with a known threat actor, UNC3944, also known as "Scattered Spider." Here's a simplified breakdown of what the query does:

  1. Identify Internal Domains: It first gathers a list of internal domains from the IdentityInfo table, ensuring that only unique and non-empty domains are considered.

  2. Define Suspicious Keywords: It sets up a list of keywords (MonitorDomainKeyword) that are often used in domain names by threat actors like UNC3944. These keywords are associated with terms like "help," "support," "vpn," etc.

  3. Filter Recent Messages: The query looks at messages from the MessageEvents table that were sent in the last hour.

  4. Join with URL Info: It joins these messages with URL information from the MessageUrlInfo table using the TeamsMessageId.

  5. Identify External Senders: It checks if the sender's domain is not part of the known internal domains (M365Domains), indicating that the message is from an external source.

  6. Check for Suspicious Domains: It further filters these external messages to see if the sender's domain contains any of the suspicious keywords defined earlier.

In essence, the query is trying to spot messages from external domains that might be using deceptive or suspicious domain names, which could indicate phishing attempts or other malicious activities associated with UNC3944.

Details

Steven Lim profile picture

Steven Lim

Released: June 22, 2025

Tables

IdentityInfoMessageEventsMessageUrlInfo

Keywords

IdentityInfoMessageEventsMessageUrlInfoTeamsMessageIdSenderEmailAddressAccountUpnAccountDomainTimestampSenderDomain

Operators

letsummarizearg_maxbywhereisnotemptydistincttolowerdynamicMessageEventsjoinonextendtostringsplithas_anyago

Actions