Defending against TeamsPhisher attack with Microsoft 365 Defender Advanced Hunting
Steven Lim
VP - Infra and Cyber Ops | Top Cybersecurity LinkedIn Creators | KQLWizard
Change History:
22/07/2023 - The query has been enhanced to provide precise detection of external SharePoint links sent via external organization Teams messages in an attempt to social-engineer a Teams user.
10/09/2023 - Microsoft announced NRT (Near Real Time) Defender custom detection for an additional set of tables, including the CloudAppEvents table, which means we can detect external Teams organizations sending messages in at NRT.
16/09/2023 - Added a Cloud App manual query to provide a view of external organization Teams users sending messages containing links (potential SharePoint links used by TeamsPhisher).
----------------------------------------------------------------------------------------
On 21 Jun 2023, JumpSec Labs published the following blog advisory: "Advisory: IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware"
Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) of JUMPSEC's Red Team discovered a vulnerability in the latest version of Microsoft Teams which allows for the possible introduction of malware into any organization using Microsoft Teams in its default configuration. This is done by bypassing client-side security controls which prevent external tenants from sending files (malware in this case) to staff in your organization.
On 3 July 2023, @Octoberfest73, a member of the U.S. Navy's red team, published a tool called TeamsPhisher that leverages an unresolved security issue in Microsoft Teams to bypass restrictions on incoming files from users outside a targeted organization, the so-called external tenants.
The researchers reported their findings to Microsoft, assuming that the impact was significant enough to warrant an immediate response from the tech giant. Although Microsoft confirmed the existence of the flaw, the reply was that "it does not meet the bar for immediate servicing," meaning that the company does not see an urgency in fixing it. The recommended action for organizations that use Microsoft Teams and do not need to maintain regular communication with external tenants is to disable this feature under "Microsoft Teams Admin Center > External Access."
For the SecOps blue team: if your Microsoft tenant has Office 365 Defender enabled and Safe Links for Teams enabled, you can use Microsoft 365 Defender Advanced Hunting KQL to hunt for all inbound Teams messages (containing links) sent from external organizations to your tenant's Teams users. Using the KQL query below, you will be able to see all inbound external organization Teams messages with URL links (mapped to your internal Teams users), determine whether the link click was allowed or blocked, and take the respective remediation action.
Updated Code 22/07/2023:
The query has been enhanced to provide precise detection of external SharePoint links sent via external organization Teams messages in an attempt to social-engineer a Teams user.
Part 1 - Provides a complete listing of external organization Teams users sending Teams messages that contain SharePoint links to your internal users. (Adjust the Timestamp criterion to set how many days to look back.)
Part 2 - If Part 1 returns results, uncomment Part 2 to determine whether any of your internal users have clicked those external SharePoint links.
// Part 1 - detect precise external organization inbound Team messages which have sharepoint links
CloudAppEvents
| where Timestamp > ago(3d)
| where Application contains "Microsoft Teams"
| where ActionType == "MessageCreatedHasLink"
| where AccountId contains "@"
| extend ExtUserDomain = tostring(split(AccountId, '@')[1])
| extend CommunicationType=tostring(RawEventData.CommunicationType)
| extend ClientIP=tostring(RawEventData.ClientIP)
| extend ExtUserIP = tostring(split(ClientIP, '::ffff:')[1])
| extend MsgURL=tostring(RawEventData.MessageURLs)
// MessageURLs is serialised as a JSON array such as ["https://..."]; strip the leading [" and trailing "]
| extend TeamsMsgURL=substring(MsgURL, 2, strlen(MsgURL)-4)
| where CommunicationType == "OneOnOne" or CommunicationType == "GroupChat"
| project Timestamp, ExtUserDomain, AccountId, ExtUserIP, IPAddress, IsAnonymousProxy, CountryCode, City, ISP, IPTags, IPCategory, RawEventData, TeamsMsgURL
| where TeamsMsgURL contains "sharepoint.com"
| sort by Timestamp desc
// If Part 1 returns results, uncomment Part 2 to check whether internal users clicked the external SharePoint links
// Part 2 - Correlate external organization inbound Team messages with sharepoint links with internal user click
//| join UrlClickEvents on $left.TeamsMsgURL == $right.Url
//| where Workload == "Teams"
To automate monitoring, convert Part 1 of the query into a custom detection rule in Microsoft 365 Defender and schedule it to run hourly or in near real time.
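As an added example (not from the original article), here is Part 1 reshaped so that it satisfies the custom detection rule requirements (the query must return Timestamp, ReportId and an identity column such as AccountObjectId), parses MessageURLs as a JSON array so multi-link messages are covered, and left-joins UrlClickEvents so unclicked messages still raise an alert. The contoso.com internal domain list and the 1h look-back are assumed placeholders to adjust to your tenant and rule frequency.

```kql
// Added example, not the article's query. Assumes Safe Links for Teams is on so UrlClickEvents is populated.
let InternalDomains = dynamic(["contoso.com"]);   // placeholder: your own tenant domain(s)
CloudAppEvents
| where Timestamp > ago(1h)                        // match the custom detection rule's run frequency
| where Application contains "Microsoft Teams"
| where ActionType == "MessageCreatedHasLink"
| where AccountId contains "@"
| extend ExtUserDomain = tostring(split(AccountId, "@")[1])
| where ExtUserDomain !in (InternalDomains)       // keep only senders from external tenants
| extend CommunicationType = tostring(RawEventData.CommunicationType)
| where CommunicationType in ("OneOnOne", "GroupChat")
// MessageURLs is a JSON array like ["https://x.sharepoint.com/..."]; expand it
// instead of trimming characters so every link in the message is inspected
| mv-expand MsgUrl = parse_json(tostring(RawEventData.MessageURLs))
| extend TeamsMsgURL = tostring(MsgUrl)
| where TeamsMsgURL contains "sharepoint.com"
// leftouter join: rows with no click keep empty ClickAction/ClickedBy columns
| join kind=leftouter (
    UrlClickEvents
    | where Timestamp > ago(1h)
    | where Workload == "Teams"
    | project Url, ClickAction = ActionType, ClickedBy = AccountUpn, ClickTime = Timestamp
  ) on $left.TeamsMsgURL == $right.Url
// ReportId + AccountObjectId are the columns a custom detection rule needs to build the alert entity
| project Timestamp, ReportId, AccountObjectId, AccountId, ExtUserDomain, IPAddress,
          CountryCode, TeamsMsgURL, ClickAction, ClickedBy, ClickTime
| sort by Timestamp desc
```

When saved as a custom detection rule, set the frequency to match the ago() window, otherwise hourly runs with a 3-day look-back will re-alert on the same messages.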
Below is a live detection: an incident was triggered when a tenant Teams user received a Teams message from an external organization (user identified), with the external SharePoint link shown in the "Query Results" tab.
You can also create a manual activity view within CloudApp to provide a view of external Teams users sending Teams messages with links (potential SharePoint links used by TeamsPhisher); the link is visible in the connector raw data field.
The KQL query lets you track down malicious external O365 domains and block them in your Teams global settings. If you would like to automate the detection of potentially malicious inbound external organization Teams messages against your Threat Intelligence feed (TAXII), you can read my post "Detecting TeamsPhisher attack with Azure Sentinel". Thank you
#microsoft #microsoft365 #microsoftdefender #phishing #socialengineeringattack #threathunting #defender #cybersecurity #cyberdefense #cyberattack #securityoperations #secops #teams
Entrepreneurial Leader & Cybersecurity Strategist
6 months ago
The enhancements in detection and the ability to set up near real-time monitoring are game-changers for maintaining a secure Teams environment.
Do we know why this query shows as no results found while we got a live external teams phishing?
Civil engineering expert at ENEO Cameroun S.A. with CAD skills
1 year ago
My account [email protected] has been blocked for 5 days