Hunting off the Red Banner

Hunting Microsoft Teams Threats
Social Engineering and Collaboration Platform Exploitation


Microsoft Teams has evolved from a collaboration tool into a critical attack vector for both cybercriminals and state-sponsored threat actors. Unlike traditional email phishing that security teams have learned to identify, Teams-based attacks exploit trusted internal communication channels, making them significantly harder to detect and far more convincing to end users.


The business impact extends well beyond individual compromises. Organizations face credential theft enabling persistent access, ransomware deployment through tech support scams, intellectual property exfiltration via trusted collaboration channels, regulatory violations from data breaches, and operational disruption when attackers impersonate IT personnel to manipulate legitimate business processes. Threat actors specifically target Teams because users inherently trust messages appearing within corporate communication platforms, security controls designed for email often do not extend to collaboration tools, external communication features create opportunities for attacker-controlled tenants to initiate contact, and the combination of chat, voice, video, and screen-sharing provides multiple social engineering vectors in a single platform.


Consider Teams as the digital equivalent of an office building with multiple unlocked side entrances. While the front lobby has security guards checking credentials, attackers are walking through conference room doors, wearing convincing visitor badges, and using legitimate building features like the phone system and meeting rooms to gain trust before stealing sensitive files from desks.


Without proactive threat hunting and enhanced detection capabilities, organizations remain vulnerable to tech support scams leading to ransomware, credential harvesting through phishing messages delivered via trusted collaboration channels, data exfiltration disguised as normal business communication, and persistence mechanisms that survive traditional incident response procedures. The consequences compound when attackers leverage compromised Teams access to move laterally across federated organizations or multi-tenant environments.


Security leaders should prioritize implementing advanced detection rules for anomalous Teams activity, enforcing stricter external access controls with verification requirements for anonymous and guest users, enabling Microsoft Defender for Office 365 protection specifically configured for Teams, establishing baseline behavioral analytics for normal collaboration patterns, and conducting tabletop exercises simulating Teams-based social engineering scenarios. Organizations operating in highly regulated industries or those with extensive external collaboration should consider engaging specialized threat hunting services to identify active compromises that traditional security controls may miss.


Hunting Controls & Observations

Defensive teams should pivot from traditional email-centric monitoring to collaboration platform telemetry, focusing on cross-tenant communication patterns, anomalous authentication behaviors, and the convergence of external contacts with suspicious process execution:


  • Endpoint (EDR/AV): Monitor for remote access tool installations following Teams interactions, particularly AnyDesk, TeamViewer, or Quick Assist launched shortly after external chat sessions, alongside malicious payload execution from Teams cache directories or temporary download locations.
  • Identity/IAM: Track device code authentication flows that may indicate token theft attempts, authentication attempts from newly federated domains, privilege escalation following external Teams communications, and modifications to MFA settings or alternate authentication methods.
  • Email Security & Proxy Logs: Correlate email bombing campaigns with subsequent Teams communication attempts, as threat actors frequently flood inboxes before impersonating IT support via Teams to offer assistance.
  • Firewall / NetFlow: Identify outbound connections to known remote monitoring and management tool infrastructure, file transfer services, or command and control infrastructure following Teams sessions with external users.
  • Cloud Audit Logs: Analyze Microsoft 365 audit logs for Teams-specific events including external chat initiations, guest user additions, federation policy changes, Teams app installations from unknown developers, and suspicious Graph API queries enumerating organizational structure.
  • Microsoft Defender for Office 365: Leverage MessageEvents, MessagePostDeliveryEvents, and UrlClickEvents tables to detect phishing URLs in Teams messages, malicious file attachments, and Zero-hour Auto Purge actions on Teams content.
  • Microsoft Defender for Cloud Apps: Monitor CloudAppEvents for Teams message patterns indicating data exfiltration, suspicious external domain communications, risky application consent grants with Teams permissions, and behavioral anomalies like mass downloads or impossible travel scenarios.

Behavioral indicators of the attack included the following observations:

  • External users with display names mimicking internal IT support roles such as Help Desk, Microsoft Security, or IT Support initiating one-on-one chat conversations with employees who recently experienced email bombing or account issues.
  • Rapid sequence of authentication events including device code flows, followed by successful authentication from geographically anomalous locations or unfamiliar user agents shortly after Teams communications.
  • Execution of portable executable files with names like binary.exe or remote access tools within minutes of external Teams calls or screen-sharing sessions, indicating social engineering success.
  • Abnormally high volume of Teams messages sent to external domains within short time windows, particularly one-on-one chats exceeding baseline thresholds, suggesting potential data exfiltration or C2 communications.
  • Installation of custom Teams applications or OAuth consent grants with elevated permissions including reading all users' chats, accessing calendar information, or modifying organizational settings without proper approval workflows.
  • Federation of new domains to organizational tenants using administrative PowerShell tools, enabling threat actors to forge authentication tokens and maintain persistent access.
  • Graph API queries enumerating Teams structure, user presence information, group memberships, and channel configurations originating from suspicious accounts or applications.
  • Creation of guest accounts in target tenants or addition of external credentials to legitimate Teams accounts to establish persistence mechanisms that survive password resets.
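The three correlations the lists above keep returning to (a support-mimicking display name on an external chat, an RMM tool launched by the recipient within 30 minutes, a device code sign-in by the recipient within 24 hours) as an added Python illustration that is not code from the Microsoft article; the record classes are simplified stand-ins for MessageEvents, DeviceProcessEvents and SigninLogs, and every sample record, address and domain is constructed.

```python
# Offline correlation of external Teams chats with follow-on endpoint and sign-in
# telemetry. Added example; record types are simplified stand-ins, data is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

SUPPORT_KEYWORDS = ("help desk", "helpdesk", "it support", "microsoft security",
                    "microsoft support", "security team", "working from home")
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe", "quickassist.exe", "remotepc.exe",
             "screenconnect.exe", "logmein.exe"}
RMM_WINDOW = timedelta(minutes=30)        # chat -> RMM launch window
DEVICE_CODE_WINDOW = timedelta(hours=24)  # chat -> device code sign-in window
TRUSTED_PARTNERS = {"legitpartner.com"}   # placeholder exclusion list

@dataclass
class Chat:           # simplified MessageEvents row
    ts: datetime
    sender_display: str
    sender_email: str
    recipient_upn: str
    is_external: bool

@dataclass
class Proc:           # simplified DeviceProcessEvents row
    ts: datetime
    device: str
    account_upn: str
    file_name: str

@dataclass
class SignIn:         # simplified SigninLogs row
    ts: datetime
    upn: str
    protocol: str     # "deviceCode" for the device code grant

def looks_like_support(display_name: str) -> bool:
    """True when the display name contains an IT-support impersonation keyword."""
    lowered = display_name.lower()
    return any(keyword in lowered for keyword in SUPPORT_KEYWORDS)

def sender_domain(email: str) -> str:
    """Domain part of an address, lower-cased for a case-insensitive exclusion check."""
    return email.rsplit("@", 1)[-1].lower()

def correlate(chats, procs, signins):
    """One hit per external chat that carries at least one of the three signals."""
    hits = []
    for chat in chats:
        if not chat.is_external or sender_domain(chat.sender_email) in TRUSTED_PARTNERS:
            continue
        upn = chat.recipient_upn.lower()  # UPN casing differs between log sources
        rmm = [p for p in procs
               if p.account_upn.lower() == upn and p.file_name.lower() in RMM_TOOLS
               and chat.ts <= p.ts <= chat.ts + RMM_WINDOW]
        device_code = [s for s in signins
                       if s.upn.lower() == upn and s.protocol == "deviceCode"
                       and chat.ts <= s.ts <= chat.ts + DEVICE_CODE_WINDOW]
        impersonation = looks_like_support(chat.sender_display)
        if impersonation or rmm or device_code:
            hits.append({
                "chat_time": chat.ts,
                "sender": chat.sender_email,
                "display_name": chat.sender_display,
                "recipient": chat.recipient_upn,
                "impersonation": impersonation,
                "rmm_tools": sorted({p.file_name.lower() for p in rmm}),
                "device_code_signins": len(device_code),
                "score": int(impersonation) + int(bool(rmm)) + int(bool(device_code)),  # signals present
            })
    return sorted(hits, key=lambda h: h["score"], reverse=True)

T0 = datetime(2025, 10, 8, 9, 0)  # constructed reference time
SAMPLE_CHATS = [
    Chat(T0, "Help Desk IT", "support@contoso-support.example", "Alice@example.com", True),
    Chat(T0 + timedelta(hours=1), "Jane Partner", "jane@legitpartner.com", "bob@example.com", True),
    Chat(T0 + timedelta(hours=2), "Project Sync", "carol@vendor.example", "dave@example.com", True),
    Chat(T0, "Help Desk", "helpdesk@example.com", "erin@example.com", False),
]
SAMPLE_PROCS = [
    Proc(T0 + timedelta(minutes=12), "WS01", "alice@example.com", "AnyDesk.exe"),
    Proc(T0 + timedelta(hours=2, minutes=45), "WS07", "dave@example.com", "TeamViewer.exe"),  # outside 30m
]
SAMPLE_SIGNINS = [
    SignIn(T0 + timedelta(hours=3), "alice@example.com", "deviceCode"),
    SignIn(T0 + timedelta(hours=28), "dave@example.com", "deviceCode"),  # outside 24h
]

def run_sample():
    """Run the correlation over the constructed records; only Alice's chat should surface."""
    return correlate(SAMPLE_CHATS, SAMPLE_PROCS, SAMPLE_SIGNINS)
```

Dave's chat carries no keyword, his TeamViewer launch falls outside the 30-minute window and his device code sign-in outside the 24-hour window, so it is correctly left out; the internal Help Desk chat is skipped because it is not external.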

MITRE Enterprise ATT&CK Tactics and Techniques

The attack methodology targeting Microsoft Teams spans the entire MITRE ATT&CK framework, from reconnaissance through impact, leveraging collaboration platform features at each stage to achieve adversary objectives.


  • Reconnaissance (T1589 – Gather Victim Identity Information): Adversaries use open-source tools like TeamsEnum, TeamFiltration, ROADtools, and MSFT-Recon-RS to enumerate Teams users, tenant IDs, enabled domains, federation configurations, and user presence information, identifying weakly configured organizations and potential targets.
  • Resource Development (T1583 – Acquire Infrastructure): Threat actors establish fraudulent Microsoft Entra ID tenants with custom domains and professional branding to impersonate legitimate organizations, purchasing or compromising legitimate tenants to add credibility when impersonating internal IT support or security teams.
  • Initial Access (T1566 – Phishing): Attackers deliver phishing messages via Teams chat rather than email, using TeamsPhisher and AADInternals tools to send malicious links and payloads, often combined with voice or video calls impersonating help desk personnel following email bombing campaigns.
  • Initial Access (T1566.002 – Phishing: Spearphishing Link): Malicious URLs embedded in Teams messages direct users to credential harvesting sites or malware downloads, exploiting the trust users place in corporate collaboration platforms.
  • Execution (T1204.002 – User Execution: Malicious File): Victims execute remote access tools like AnyDesk or Quick Assist, or open malicious attachments delivered through Teams file sharing following social engineering conversations.
  • Persistence (T1098 – Account Manipulation): Attackers create guest users in target tenants, add alternate authentication methods to compromised accounts, or federate new domains to forge tokens and maintain access beyond incident response efforts.
  • Persistence (T1528 – Steal Application Access Token): Device code phishing campaigns capture authentication tokens by masquerading as Teams meeting invitations, enabling persistent access for extended token validity periods.
  • Privilege Escalation (T1078.004 – Valid Accounts: Cloud Accounts): Compromised Teams admin accounts provide elevated privileges for modifying federation settings, managing external access controls, and accessing organizational audit logs.
  • Credential Access (T1528 – Steal Application Access Token): Tools like AADInternals intercept OAuth tokens through custom phishing flows, enabling threat actors to request tokens for Teams and other Microsoft 365 services.
  • Credential Access (T1110 – Brute Force): Password spraying attacks target Teams accounts, with successful compromises enabling OAuth token requests for persistent platform access.
  • Credential Access (T1621 – Multi-Factor Authentication Request Generation): Attackers repeatedly generate MFA prompts until victims accept by mistake, or socially engineer help desk personnel to modify MFA settings through Teams communications.
  • Discovery (T1087 – Account Discovery): Tools like AzureHound enumerate Microsoft Entra ID configurations including users, roles, groups, applications, and devices through compromised Teams access, while attackers access Teams conversations directly via web client to gather intelligence.
  • Discovery (T1069.003 – Permission Groups Discovery: Cloud Groups): AADInternals and GraphRunner leverage Microsoft Graph API to discover Teams group structures, channel memberships, and associated permissions for targeting high-value accounts.
  • Lateral Movement (T1550.001 – Use Alternate Authentication Material: Application Access Token): Valid refresh tokens enable impersonation of users through Teams APIs, facilitating movement across federated organizations and multi-tenant environments.
  • Collection (T1114 – Email Collection): GraphRunner searches all Teams chats and channels to export conversations, while compromised accounts pivot to OneDrive and SharePoint data accessible to those users.
  • Collection (T1530 – Data from Cloud Storage Object): TeamFiltration includes exfiltration modules that download recent contacts, chats, and files through OneDrive and SharePoint using valid access tokens.
  • Command and Control (T1102 – Web Service): Cracked versions of Brute Ratel C4 establish command and control channels through Teams by using communication protocols to send and receive commands, while ConvoC2 embeds commands in Adaptive Card framework messages with hidden span tags.
  • Exfiltration (T1567 – Exfiltration Over Web Service): Attackers use Teams messages or shared links to direct sensitive data to cloud storage under their control, disguising exfiltration as normal collaboration activity.
  • Impact (T1486 – Data Encrypted for Impact): Ransomware operators gain initial access through Teams-based tech support scams, deploying payloads like DarkGate, ReedBed malware loaders, or 3AM ransomware following successful social engineering.
  • Impact (T1499 – Endpoint Denial of Service): Email bombing creates operational disruption and urgency that threat actors exploit to increase success rates of subsequent Teams-based social engineering.

Controls & Hunting Indicators

Organizations can observe Microsoft Teams threat activity across multiple security control domains, requiring coordinated visibility across identity, endpoint, network, cloud, and application layers to detect the full attack chain.


Endpoint Controls


  • Microsoft Defender for Endpoint provides telemetry through DeviceProcessEvents for monitoring remote access tool execution, particularly focusing on AnyDesk, TeamViewer, Quick Assist, RemotePC, and other RMM tools launched following Teams communication sessions.
  • Endpoint Detection and Response solutions capture DeviceFileEvents for malicious payloads written to Teams cache directories including paths like %LocalAppData%\Microsoft\Teams\, %AppData%\Microsoft\Teams\, and temporary download locations used by the Teams client.
  • PowerShell logging including script block logging Event ID 4104 and module logging Event ID 4103 detects administrative tools like AADInternals, TeamFiltration, and GraphRunner being loaded or executed following compromise.
  • Sysmon Event ID 1 for process creation, Event ID 3 for network connections, and Event ID 11 for file creation provide granular endpoint telemetry for correlating Teams activity with suspicious process behaviors.
  • Application control solutions like AppLocker or Windows Defender Application Control can restrict execution of portable executables and unsigned binaries frequently delivered through Teams social engineering campaigns.

Network Controls


  • Firewall logs capture outbound connections to remote access tool infrastructure, identifying communication with AnyDesk servers, TeamViewer endpoints, or custom RMM platforms shortly after Teams sessions involving external users.
  • Web proxy logs reveal connections to credential phishing sites, malicious download servers, or adversary-controlled cloud storage following URL clicks within Teams messages.
  • DNS query logs identify resolution requests for suspicious domains, particularly newly registered domains mimicking legitimate Microsoft services or organizational infrastructure used in Teams phishing campaigns.
  • SSL/TLS inspection capabilities enable deep packet inspection of encrypted Teams communications to identify command and control channels using Teams protocols or Adaptive Card framework for data exfiltration.
  • NetFlow data from network switches and routers provides visibility into unusual data transfer volumes following Teams communications, indicating potential exfiltration to external cloud storage services.

Identity & Access Controls


  • Microsoft Entra ID audit logs track Windows Event ID 4624 for successful logons and Event ID 4625 for failed logon attempts, particularly focusing on device code authentication flows and authentication from unfamiliar user agents or geographic locations following Teams interactions.
  • Azure Active Directory sign-in logs reveal impossible travel scenarios where users authenticate from geographically distant locations within short time windows, often indicating token theft following Teams-based phishing.
  • Windows Security Event ID 4672 for special privileges assigned to new logon detects privilege escalation following account compromise via Teams social engineering.
  • Windows Security Event ID 4720 for user account creation and Event ID 4728 for security-enabled global group membership changes identify attackers adding guest accounts or modifying group memberships to maintain access.
  • Microsoft Entra ID Protection generates sign-in risk and user risk detections including anonymous IP address, malware-linked IP address, atypical travel, and leaked credentials that correlate with Teams compromise indicators.
  • Privileged Identity Management logs capture just-in-time access requests and role activations, detecting unauthorized elevation attempts following Teams admin account compromise.

Cloud & SaaS


  • Microsoft 365 Unified Audit Log records Teams-specific activities including MessageSent, ChatCreated, MemberAdded, TeamCreated, and AppInstalled operations that provide comprehensive visibility into collaboration platform interactions.
  • Microsoft Defender for Office 365 populates MessageEvents, MessagePostDeliveryEvents, MessageUrlInfo, and UrlClickEvents tables with Teams message metadata, threat detection results, and URL click tracking for identifying phishing attempts.
  • Microsoft Defender for Cloud Apps CloudAppEvents table captures Teams activities including external communications, message patterns, meeting participation, and Graph API queries when Microsoft 365 connector is properly configured.
  • Azure Activity Logs track federation policy changes, domain additions, and administrative PowerShell operations against Teams tenants that may indicate attacker persistence efforts.
  • Microsoft Graph API audit logs reveal programmatic queries enumerating organizational structure, Teams membership, user presence, and permissions performed by compromised accounts or malicious applications.

Application & Service Logs


  • SharePoint Online audit logs capture file operations within Microsoft Teams Chat Files including FileUploaded, FileDownloaded, and FileAccessed events that may indicate data collection or exfiltration activity.
  • OneDrive for Business logs track sharing activities and external access to files shared via Teams messages, identifying potential data leakage to unauthorized recipients.
  • Microsoft Teams admin center audit logs provide visibility into policy changes, external access configuration modifications, and admin role assignments that attackers leverage for persistence.
  • Application registration logs in Microsoft Entra ID identify new custom applications created with Teams permissions or consent grants to OAuth applications requesting access to chats, calendars, or user profiles.
  • Exchange Online Protection logs reveal email bombing campaigns that frequently precede Teams-based social engineering, showing correlation between email flood events and subsequent Teams contact attempts.

Known Indicators of Compromise


The following IOCs have been identified and can be used for threat hunting:

  • File Hashes:
    No specific file hashes are provided in the source material as threat actors leverage legitimate remote access tools and custom malware variants. Organizations should focus on behavioral detection rather than static IOC matching for Teams threats.
  • Tool Names:
    TeamsPhisher (red teaming tool repurposed for phishing), AADInternals (admin toolkit abused for token theft), TeamFiltration (Microsoft 365 exploitation framework), TeamsEnum (reconnaissance tool), MSFT-Recon-RS (tenant enumeration), GraphRunner (Graph API exploitation), AzureHound (Azure AD enumeration), ConvoC2 (Teams-based C2 framework), Brute Ratel C4 (commercial C2 with Teams integration), DarkGate (malware loader), ReedBed (malware loader), 3AM ransomware (BlackSuit rebrand).
  • Behavioral Patterns:
    Display names in Teams chats containing keywords: "Microsoft Security", "Help Desk", "Help Desk Team", "Help Desk IT", "IT Support", "Microsoft Support", "Working from Home"; one-on-one external chats initiated from newly created tenants or trial subscriptions; device code authentication flows with user agents indicating AADInternals or custom applications.
  • Suspicious Domains:
    Newly federated domains added to organizational tenants within 48 hours of suspicious activity; domains with typosquatting characteristics mimicking legitimate Microsoft or organizational infrastructure; trial-only Microsoft 365 tenants with no purchased seats attempting external communications.
  • File Paths:
    %LocalAppData%\Microsoft\Teams\Cache\, %LocalAppData%\Microsoft\Teams\Downloads\, %AppData%\Microsoft\Teams\, %Temp%\TeamsMeetingDownload\, paths containing portable executable names like binary.exe or portable.exe.
  • Process Names:
    AnyDesk.exe, TeamViewer.exe, RemotePC.exe, ScreenConnect.exe, LogMeIn.exe, QuickAssist.exe when launched within 30 minutes of Teams external communication events.

Threat Hunting Queries


The following queries translate behavioral indicators into actionable detection logic for Microsoft security platforms, enabling proactive threat hunting and automated alerting on Teams-related attack activity. Each query targets specific adversary techniques while providing tuning guidance to reduce false positives in production environments.



Query 1: Detect Potential Tech Support Impersonation in Teams

  • Behavior Targeted: External users with display names mimicking IT support roles initiating one-on-one chats
  • MITRE ATT&CK: T1566 (Phishing)
  • Expected Results: One-on-one Teams chats from external users with display names containing IT support keywords
  • False Positive Likelihood: Medium – Legitimate external MSPs or partners may use these keywords. Review chat content and recipient response patterns to confirm malicious intent.

Microsoft Defender/Sentinel (KQL)

// Detects external Teams chats with IT support impersonation indicators
// Data Tables: MessageEvents (Defender for Office 365 Teams protection)
// Tune by adding known legitimate partner domains to the exclusion list
let suspiciousKeywords = dynamic(["help desk", "it support", "microsoft security",
    "tech support", "helpdesk", "security team", "working from home"]);
let timeRange = 7d;
let trustedPartners = dynamic(["legitpartner.com", "knownmsp.com"]);
// Check MessageEvents for external one-on-one threads with suspicious display names
MessageEvents
| where Timestamp > ago(timeRange)
| where IsExternalThread == true
| where ThreadType == "Chat"
// RecipientDetails is a dynamic array; cast it to string so has_any can search it
| where SenderDisplayName has_any (suspiciousKeywords)
    or tostring(RecipientDetails) has_any (suspiciousKeywords)
| extend SenderDomain = tolower(tostring(split(SenderEmailAddress, "@")[1]))
// !in~ is case-insensitive, so mixed-case sender domains still match the exclusion list
| where SenderDomain !in~ (trustedPartners)
| project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails,
    ThreadType, IsExternalThread, ReportId
| sort by Timestamp desc

Query 2: Correlate Teams External Chat with RMM Tool Execution

  • Behavior Targeted: Remote access tool execution following external Teams communications
  • MITRE ATT&CK: T1204.002 (User Execution: Malicious File)
  • Expected Results: Devices where RMM tools launched within 30 minutes after external Teams chats
  • False Positive Likelihood: Low – Correlation between an external chat and immediate RMM execution is a strong indicator, but verify business justification for legitimate remote support scenarios.

Microsoft Defender/Sentinel (KQL)

// Correlates external Teams communications with suspicious RMM tool execution
// Data Tables: MessageEvents, DeviceProcessEvents
// Adjust timeWindow based on your environment's typical support workflows
let rmmTools = dynamic(["anydesk.exe", "teamviewer.exe", "quickassist.exe",
    "remotepc.exe", "screenconnect.exe", "logmein.exe", "zohoassist.exe"]);
let timeWindow = 30m;
let lookback = 7d;
// Identify external Teams chats; lower-case the recipient UPN because join keys are case-sensitive
let externalChats = MessageEvents
| where Timestamp > ago(lookback)
| where IsExternalThread == true
| where ThreadType == "Chat"
| extend RecipientUPN = tolower(tostring(parse_json(RecipientDetails)[0].EmailAddress))
| where isnotempty(RecipientUPN)
| project ChatTime=Timestamp, RecipientUPN, SenderEmailAddress, SenderDisplayName;
// Find RMM tool executions, keyed on the same lower-cased UPN
let rmmExecution = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ (rmmTools)
| extend AccountUpnLower = tolower(AccountUpn)
| project ExecutionTime=Timestamp, DeviceName, AccountUpnLower, FileName,
    ProcessCommandLine, InitiatingProcessFileName;
// Correlate external chat followed by RMM execution within the time window
externalChats
| join kind=inner (rmmExecution) on $left.RecipientUPN == $right.AccountUpnLower
| where ExecutionTime between (ChatTime .. (ChatTime + timeWindow))
| project ChatTime, ExecutionTime, TimeDelta=datetime_diff('minute', ExecutionTime, ChatTime),
    RecipientUPN, DeviceName, FileName, ProcessCommandLine,
    SenderEmailAddress, SenderDisplayName
| sort by ChatTime desc

Query 3: Detect High-Volume Teams Messaging to External Domains

  • Behavior Targeted: Abnormal message volume to external recipients suggesting data exfiltration
  • MITRE ATT&CK: T1567 (Exfiltration Over Web Service)
  • Expected Results: User accounts sending unusually high volumes of Teams messages to external domains
  • False Positive Likelihood: Medium – Legitimate business partnerships may generate high message volumes. Establish baseline thresholds per user role and adjust messageThreshold accordingly.

Microsoft Defender/Sentinel (KQL)

// Identifies potential data exfiltration through abnormal Teams messaging patterns
// Data Tables: CloudAppEvents (Microsoft 365 connector in Defender for Cloud Apps)
// Baseline your environment to establish normal message thresholds
let timeWindow = 1h;
let messageThreshold = 20; // Adjust based on organizational baselines
let lookback = 1d;
let trustedDomains = dynamic(["trustedpartner.com", "anothertrusted.com"]);
let internalDomains = dynamic(["yourtenant.com"]); // Placeholder: your own verified domains
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "MessageSent"
| where Application == "Microsoft Teams"
| where isnotempty(AccountObjectId)
| extend HasForeignTenantUsers = tobool(parse_json(RawEventData).ParticipantInfo.HasForeignTenantUsers)
| where HasForeignTenantUsers == true
| extend CommunicationType = tostring(parse_json(RawEventData).CommunicationType)
| where CommunicationType in ("OneOnOne", "GroupChat")
| extend SenderUPN = tostring(parse_json(RawEventData).UserId)
// ParticipatingDomains lists every domain in the thread in no guaranteed order, so
// expand it to one row per domain and drop the organization's own domains rather
// than assuming the external domain always sits at index 1
| mv-expand RecipientDomain = parse_json(RawEventData).ParticipantInfo.ParticipatingDomains to typeof(string)
| extend RecipientDomain = tolower(RecipientDomain)
| where RecipientDomain !in~ (internalDomains)
| where RecipientDomain !in~ (trustedDomains)
| summarize MessageCount = count() by bin(Timestamp, timeWindow),
    SenderUPN, RecipientDomain, AccountObjectId
| where MessageCount > messageThreshold
| project Timestamp, MessageCount, SenderUPN, RecipientDomain
| sort by MessageCount desc

Query 4: Detect Device Code Authentication Following Teams Contact

  • Behavior Targeted: Device code phishing attempts via Teams messages to steal authentication tokens
  • MITRE ATT&CK: T1528 (Steal Application Access Token)
  • Expected Results: Device code authentication events correlated with Teams messages containing authentication prompts
  • False Positive Likelihood: Low – Device code flow is uncommon in enterprise environments. Legitimate use cases include Azure CLI authentication or developer scenarios.

Microsoft Defender/Sentinel (KQL)

// Detects device code authentication flows that may indicate token theft
// Data Tables: SigninLogs (Microsoft Sentinel), MessageEvents (Defender XDR connector)
// Review authentication patterns and correlate with Teams communications
let lookback = 7d;
let deviceCodeFlows = SigninLogs
| where TimeGenerated > ago(lookback)
// AuthenticationProtocol identifies the device code grant directly; the string
// matches on the other columns are kept as a fallback
| where AuthenticationProtocol == "deviceCode"
    or tostring(AuthenticationDetails) has "Device code"
    or AppDisplayName has "Device Code"
| extend DeviceCodeTime = TimeGenerated, UserPrincipalNameLower = tolower(UserPrincipalName)
| project DeviceCodeTime, UserPrincipalName, UserPrincipalNameLower, IPAddress, Location,
    AppDisplayName, DeviceDetail, AuthenticationDetails;
// Correlate with Teams external communications; join keys are case-sensitive, so lower-case the UPN
let externalTeamsContacts = MessageEvents
| where Timestamp > ago(lookback)
| where IsExternalThread == true
| extend RecipientUPN = tolower(tostring(parse_json(RecipientDetails)[0].EmailAddress))
| where isnotempty(RecipientUPN)
| project TeamsContactTime=Timestamp, RecipientUPN, SenderEmailAddress,
    SenderDisplayName, IsExternalThread;
// Join device code attempts with Teams contacts in the preceding 24 hours
deviceCodeFlows
| join kind=inner (externalTeamsContacts)
    on $left.UserPrincipalNameLower == $right.RecipientUPN
| where DeviceCodeTime >= TeamsContactTime
| where datetime_diff('hour', DeviceCodeTime, TeamsContactTime) <= 24
| project DeviceCodeTime, TeamsContactTime,
    TimeDelta=datetime_diff('hour', DeviceCodeTime, TeamsContactTime),
    UserPrincipalName, IPAddress, Location, SenderEmailAddress,
    SenderDisplayName, AppDisplayName
| sort by DeviceCodeTime desc

Query 5: Identify Malicious Teams Content via Threat Detection

  • Behavior Targeted: Phishing URLs, malware, or spam delivered through Teams messages
  • MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link)
  • Expected Results: Teams messages flagged by Microsoft Defender for Office 365 as containing threats
  • False Positive Likelihood: Low – Defender for Office 365 threat classifications are high confidence. Review for potential false positives in testing environments.

Microsoft Defender/Sentinel (KQL)

// Surfaces Teams messages detected as malicious by Defender for Office 365
// Data Tables: MessageEvents, MessagePostDeliveryEvents
// Monitor for patterns indicating coordinated campaigns
let lookback = 7d;
MessageEvents
| where Timestamp > ago(lookback)
| where ThreatTypes has "Phish"
    or ThreatTypes has "Malware"
    or ThreatTypes has "Spam"
| extend ThreatTypesList = split(ThreatTypes, ",")
| project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, 
    IsOwnedThread, ThreadType, IsExternalThread, ThreatTypesList, 
    DetectionMethods, ReportId
| extend RecipientCount = array_length(parse_json(RecipientDetails))
| sort by Timestamp desc

Source and Credits

This summary is based on Microsoft Security's research article "Disrupting threats targeting Microsoft Teams" published on October 7, 2025.

The analysis incorporates threat intelligence on named threat actors including Storm-1811, Storm-2372, Storm-0324, Storm-1674, Midnight Blizzard, Void Blizzard, Peach Sandstorm, Octo Tempest, and Sangria Tempest, as well as ransomware variants including 3AM (BlackSuit) and associated malware families DarkGate and ReedBed.