Query Details

Social Engineering Attack Monitor Teams Emails

Query

// Social Engineering Attack Monitor - Teams & Emails

// Yesterday, Kevin Beaumont (known as the "Cyber Weatherman") shared his experience helping several organizations recover from successful ransomware attacks. A common thread in these incidents was social engineering: the attackers first did reconnaissance over the phone to collect contact details, then bombarded the targeted users with a flood of emails and Teams messages, sometimes thousands per hour. The custom KQL detection below, written for Microsoft Defender XDR advanced hunting, can provide an early warning of this kind of attack.

// External Teams Tenant Spray Monitor

let TeamsTriggerThreshold = 5;
CloudAppEvents
| where Timestamp > ago(1h)
| where Application == @"Microsoft Teams"
| where ActionType == @"MessageSent"
| where AccountDisplayName has "@"
| where tostring(UncommonForUser) != "[]"
| extend ExternalTeamsTenantID = tostring(parse_json(RawEventData)["UserTenantId"])
| where isnotempty(ExternalTeamsTenantID)
| summarize Count=count() by ExternalTeamsTenantID
| where Count > TeamsTriggerThreshold

// External Inbound Email Spray Monitor

let EmailTriggerThreshold = 150;
EmailEvents
| where Timestamp > ago(1h)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| summarize Count=count() by SenderFromAddress
| where Count > EmailTriggerThreshold

// Mitre ATT&CK

Explanation

This query is designed to detect potential social engineering attacks targeting Microsoft Teams and email systems. It focuses on identifying unusual patterns that could indicate an attack, such as a high volume of messages being sent in a short period. Here's a breakdown of what each part of the query does:

  1. Teams Monitoring:

    • The query checks for messages sent via Microsoft Teams in the past hour.
    • It treats a message as coming from an external user when the sender's account display name contains an "@" (for external Teams users the display name is rendered as an email address; this is a heuristic, not a tenant-membership check).
    • It keeps only events where Defender flagged something about the activity as uncommon for that account (the UncommonForUser column is a non-empty list), which filters out routine senders.
    • It extracts the sender's tenant ID from the raw audit record and groups the messages by that external tenant ID (the organization sending the messages).
    • If any external tenant sends more than 5 messages in an hour, the tenant ID is returned, indicating potentially suspicious activity.
  2. Email Monitoring:

    • The query examines inbound emails received in the past hour.
    • It focuses on emails that were successfully delivered.
    • It counts the number of emails sent from each sender's address.
    • If a single sender sends more than 150 emails in an hour, it triggers an alert, suggesting a possible email spray attack.

Overall, this query helps detect early signs of social engineering attacks by monitoring for unusual patterns in Teams messages and email traffic, potentially allowing organizations to respond before a full-scale attack occurs.
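Advanced hunting returns a single tabular result per query, so the two monitors above have to be run as two separate queries as written. The following is an added example, not part of the original query, that folds both into one result set and keeps the Timestamp, ReportId and entity columns that a Defender XDR custom detection rule needs (a plain summarize discards them). It keeps the original filters and thresholds; the additional columns it uses (ReportId, AccountObjectId, RecipientEmailAddress, Subject) are assumed to be present in CloudAppEvents and EmailEvents, and the Senders and Recipients counts are an addition intended to separate one spraying account from a busy partner tenant or a legitimate bulk sender.

```kql
// Added example: combined Teams + email spray monitor, not the original page's query.
// Assumes ReportId / AccountObjectId in CloudAppEvents and ReportId /
// RecipientEmailAddress / Subject in EmailEvents. Thresholds are illustrative.
let TeamsTriggerThreshold = 5;
let EmailTriggerThreshold = 150;
// Teams: messages from external tenants, grouped by the sending tenant
let TeamsSpray = CloudAppEvents
    | where Timestamp > ago(1h)
    | where Application == "Microsoft Teams" and ActionType == "MessageSent"
    | where AccountDisplayName has "@"             // external sender heuristic from the original query
    | where tostring(UncommonForUser) != "[]"      // only activity Defender flagged as uncommon for the account
    | extend ExternalTeamsTenantID = tostring(parse_json(RawEventData)["UserTenantId"])
    | where isnotempty(ExternalTeamsTenantID)
    | summarize Count = count(),
                Senders = dcount(AccountObjectId),            // 1 sender spraying vs. many users of a partner tenant
                arg_max(Timestamp, ReportId, AccountObjectId, AccountDisplayName)
      by Source = ExternalTeamsTenantID
    | where Count > TeamsTriggerThreshold
    | project Timestamp, ReportId, Channel = "Teams", Source, Count,
              Senders, AccountObjectId, AccountDisplayName;
// Email: delivered inbound mail, grouped by sender address
let EmailSpray = EmailEvents
    | where Timestamp > ago(1h)
    | where EmailDirection == "Inbound" and DeliveryAction == "Delivered"
    | summarize Count = count(),
                Recipients = dcount(RecipientEmailAddress),   // few recipients + high count = targeted bombing
                arg_max(Timestamp, ReportId, RecipientEmailAddress, Subject)
      by Source = SenderFromAddress
    | where Count > EmailTriggerThreshold
    | project Timestamp, ReportId, Channel = "Email", Source, Count,
              Recipients, RecipientEmailAddress, Subject;
// One result set; columns missing from one side are null after the union
union TeamsSpray, EmailSpray
| order by Count desc
```

Two caveats when tuning this. A newsletter or ticketing system will pass the 150-per-hour email threshold every day, so either exclude known bulk senders or key on the Recipients column: a legitimate bulk sender fans out to many mailboxes, while a bombing campaign concentrates on one or a few. Conversely, email bombing is often done by subscribing the victim to many unrelated mailing lists, so the load arrives from many distinct senders; a companion query that summarizes by RecipientEmailAddress instead of SenderFromAddress catches that variant, which the per-sender count will miss.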

Details


Steven Lim

Released: November 29, 2024

Tables

CloudAppEvents, EmailEvents

Keywords

Teams, Email, Users

Operators

let, |, where, ==, >, ago(), has, !=, extend, tostring(), parse_json(), isnotempty(), summarize, count()
