M365 Teams Rogue Help Desk Chat Created

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.


Identifies a one-on-one Microsoft Teams chat created by a user from a foreign tenant whose display name, member profile, or email local-part resembles IT help desk or Microsoft security staff. Adversaries abuse cross-tenant Teams external access to impersonate support personnel and socially engineer victims into granting remote access or disclosing credentials.

Rule type: query

Rule indices:

  • logs-o365.audit-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: SaaS
  • Data Source: Microsoft 365
  • Data Source: Microsoft 365 Audit Logs
  • Use Case: Threat Detection
  • Tactic: Initial Access
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide


Triage and analysis

Investigating M365 Teams Rogue Help Desk Chat Created

Threat actors create external Microsoft 365 tenants and initiate unsolicited one-on-one Teams chats while impersonating IT help desk or Microsoft security personnel. These chats often precede vishing, Quick Assist abuse, or malicious link delivery.

Review user.email, user.domain, o365.audit.Members.DisplayName, o365.audit.ChatThreadId, and o365.audit.ParticipantInfo. Correlate follow-on MessageSent events for source.ip and source.geo, and CallParticipantDetail events sharing the same o365.audit.CallId or chat thread for vishing activity.

Possible investigation steps

  • Identify the external sender from user.email, user.domain, and o365.audit.Members and determine whether the tenant or domain is known and trusted.
  • Compare user.name to o365.audit.Members.DisplayName — actors often use a lowercase mailbox alias such as helpdesk while presenting as Help Desk in Teams.
  • Confirm o365.audit.ParticipantInfo.HasForeignTenantUsers is true and that no guest users are involved.
  • Pivot on o365.audit.ChatThreadId for MessageSent and CallParticipantDetail events in the same session.
  • Review MessageSent source.ip and source.geo for unexpected origin countries relative to the sender profile.
  • Correlate with mail-flood, MFA fatigue, or URL click alerts for the targeted user in the same time window.
  • Review whether the victim accepted the chat or responded, and hunt for follow-on remote support tool execution on their endpoint.
  • Check whether the sender tenant appears newly created, trial-based, or otherwise anomalous for your environment.

False positive analysis

  • Approved external support vendors may use help desk-style display names. Maintain an allowlist of trusted external tenants or sender domains when recurring benign matches occur.
  • The user.email and user.name impersonation clauses target external mailbox aliases such as helpdesk@. Prefer exceptions anchored on verified tenant IDs or sender domains rather than broad name-based exclusions.

Response and remediation

  • Warn the targeted user not to engage and confirm whether they accepted the chat or shared credentials.
  • Block or restrict the external tenant via Teams federation policy if malicious.
  • Hunt for additional ChatCreated events from the same external tenant across the organization.
  • Review Teams external access settings and consider blocking trial tenants or restricting federation to an allowlist.

Rule query

data_stream.dataset:o365.audit and event.action:"ChatCreated" and event.provider:"MicrosoftTeams" and event.outcome:"success" and
  o365.audit.ParticipantInfo.HasOtherGuestUsers:false and o365.audit.ParticipantInfo.HasGuestUsers:false and
  o365.audit.ParticipantInfo.HasForeignTenantUsers:true and o365.audit.CommunicationType:"OneOnOne" and
  (
    o365.audit.Members:(
      "Help Desk" or "Help Desk Team" or "Help Desk IT" or "IT Help Desk" or
      "Microsoft Security" or "Microsoft  Security" or "Microsoft Support"
    ) or
    user.email:(
      *helpdesk* or *help.desk* or *help-desk* or *help_desk* or
      *ithelp* or *it.help* or *itsupport* or *it.support* or *it-support*
    ) or
    user.name:(*helpdesk* or *help-desk* or *ithelp* or *itsupport*)
  )
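The following is an added example, not part of the Elastic rule or its documentation. It replays every clause of the rule query above over a handful of constructed o365.audit events (no real audit data), then carries out two of the investigation steps from the guide: the user.name-versus-DisplayName alias check and the pivot on o365.audit.ChatThreadId for follow-on MessageSent and CallParticipantDetail events. It assumes the ECS-style nesting of the Elastic o365 integration (o365.audit.Members as a list of objects with a DisplayName key) and treats the wildcard clauses as case-insensitive; the e-mail addresses, thread id, call id, IP and country code are all placeholders.

```python
"""Replay of the ChatCreated rule over constructed Teams audit events, plus the
alias/display-name check and the chat-thread pivot from the investigation guide.
Field layout is an assumption (ECS nesting as produced by the o365 integration)."""
from fnmatch import fnmatchcase

# Values copied from the rule query; "Microsoft  Security" keeps its double space.
DISPLAY_NAMES = {"Help Desk", "Help Desk Team", "Help Desk IT", "IT Help Desk",
                 "Microsoft Security", "Microsoft  Security", "Microsoft Support"}
EMAIL_PATTERNS = ["*helpdesk*", "*help.desk*", "*help-desk*", "*help_desk*",
                  "*ithelp*", "*it.help*", "*itsupport*", "*it.support*", "*it-support*"]
NAME_PATTERNS = ["*helpdesk*", "*help-desk*", "*ithelp*", "*itsupport*"]
FOLLOW_ON_ACTIONS = {"MessageSent", "CallParticipantDetail"}
THREAD = "19:constructed-thread-id@unq.gbl.spaces"  # constructed placeholder


def get(event, path, default=None):
    """Walk a dotted ECS path through nested dicts; a missing key yields default."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def wildcard_any(value, patterns):
    """KQL-style wildcard match, lower-cased (assumption: case-insensitive)."""
    value = (value or "").lower()
    return any(fnmatchcase(value, p) for p in patterns)


def matches_rule(event):
    """True when the event satisfies every clause of the rule query."""
    if not (get(event, "data_stream.dataset") == "o365.audit"
            and get(event, "event.action") == "ChatCreated"
            and get(event, "event.provider") == "MicrosoftTeams"
            and get(event, "event.outcome") == "success"):
        return False
    info = "o365.audit.ParticipantInfo."
    # KQL `field:false` only matches when the field exists with that value,
    # so an absent flag must not satisfy the clause: test identity, not truthiness.
    if not (get(event, info + "HasOtherGuestUsers") is False
            and get(event, info + "HasGuestUsers") is False
            and get(event, info + "HasForeignTenantUsers") is True
            and get(event, "o365.audit.CommunicationType") == "OneOnOne"):
        return False
    members = get(event, "o365.audit.Members", []) or []
    display_hit = any(m.get("DisplayName") in DISPLAY_NAMES for m in members)
    return (display_hit
            or wildcard_any(get(event, "user.email"), EMAIL_PATTERNS)
            or wildcard_any(get(event, "user.name"), NAME_PATTERNS))


def alias_display_mismatch(event):
    """Guide step: a help-desk-like mailbox alias (user.name) shown under a
    different display name in Teams, e.g. 'helpdesk' presented as 'Help Desk'."""
    alias = (get(event, "user.name") or "").lower()
    names = {m.get("DisplayName", "").lower()
             for m in get(event, "o365.audit.Members", []) or []}
    return wildcard_any(alias, NAME_PATTERNS) and alias not in names


def find_alerts(events):
    return [e for e in events if matches_rule(e)]


def pivot_thread(events, thread_id):
    """Guide step: follow-on events on the same chat thread, with source details."""
    return [{"action": get(e, "event.action"),
             "ip": get(e, "source.ip"),
             "country": get(e, "source.geo.country_iso_code")}
            for e in events
            if get(e, "o365.audit.ChatThreadId") == thread_id
            and get(e, "event.action") in FOLLOW_ON_ACTIONS]


def chat_created(email, name, display, foreign=True, guests=False):
    """Constructed ChatCreated event (not real audit data)."""
    return {"data_stream": {"dataset": "o365.audit"},
            "event": {"action": "ChatCreated", "provider": "MicrosoftTeams",
                      "outcome": "success"},
            "user": {"email": email, "name": name, "domain": email.split("@")[1]},
            "o365": {"audit": {"CommunicationType": "OneOnOne", "ChatThreadId": THREAD,
                               "Members": [{"DisplayName": display},
                                           {"DisplayName": "Alice Example"}],
                               "ParticipantInfo": {"HasOtherGuestUsers": False,
                                                   "HasGuestUsers": guests,
                                                   "HasForeignTenantUsers": foreign}}}}


EVENTS = [  # all constructed
    chat_created("helpdesk@support-trial.example", "helpdesk", "Help Desk"),
    chat_created("helpdesk@partner.example", "helpdesk", "Help Desk", guests=True),
    chat_created("jane@corp.example", "jane", "Jane Doe", foreign=False),
    {"data_stream": {"dataset": "o365.audit"},
     "event": {"action": "MessageSent", "provider": "MicrosoftTeams", "outcome": "success"},
     "source": {"ip": "203.0.113.7", "geo": {"country_iso_code": "ZZ"}},
     "o365": {"audit": {"ChatThreadId": THREAD}}},
    {"data_stream": {"dataset": "o365.audit"},
     "event": {"action": "CallParticipantDetail", "provider": "MicrosoftTeams",
               "outcome": "success"},
     "o365": {"audit": {"ChatThreadId": THREAD, "CallId": "constructed-call-id"}}},
]

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print("ALERT", get(alert, "user.email"), "alias mismatch:", alias_display_mismatch(alert))
        for row in pivot_thread(EVENTS, get(alert, "o365.audit.ChatThreadId")):
            print("  follow-on", row)
```

Only the first constructed chat fires: the second carries the same alias and display name but has HasGuestUsers true, which the rule excludes by design, and the third is an internal chat. The identity checks (`is False`, `is True`) mirror the KQL semantics where a clause on an absent field never matches, which matters when a log source omits ParticipantInfo flags.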

Framework: MITRE ATT&CK™