What Changed

Microsoft Security Research published two new hunting queries targeting Teams-based social engineering attacks that leverage Remote Monitoring and Management (RMM) tools for initial access. Each query is added in two locations so that it is available in both Microsoft Sentinel and Microsoft Defender XDR Advanced Hunting.

Detection Logic

Hunt for RMM tool execution following Teams messages:

  • Primary data sources: MessageEvents (Teams messages) and DeviceProcessEvents
  • Core logic: joins Teams message recipients with subsequent RMM tool execution (QuickAssist, AnyDesk, TeamViewer) within a 30-minute window using Entra account object ID correlation
  • Entity types: Account, Device, Process

Hunt for alerts correlated with Teams messages:

  • Primary data sources: MessageEvents, CloudAppEvents, AlertEvidence
  • Core logic: correlates Teams message activity with downstream Defender alerts using three parallel identity matching branches (AccountObjectId, UPN, ChatThreadId) within configurable time windows
  • Entity types: Account, Alert, Chat
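The two correlation patterns described above (a windowed join keyed on the account object ID, and a three-branch identity match against downstream alerts) in runnable form, as an added illustration that is not part of the PR or of the queries themselves. The records, field names, tool list and default windows are constructed for this example and are not the MessageEvents, DeviceProcessEvents or AlertEvidence schema; the point is to show what the joins accept and reject when a time window or the RMM list is tuned.

```python
from datetime import datetime, timedelta

# Assumed RMM binaries to hunt for; the real queries carry their own tunable list.
DEFAULT_RMM_TOOLS = {"quickassist.exe", "anydesk.exe", "teamviewer.exe"}

# Constructed sample telemetry. Field names are this example's own, not the Defender schema.
TEAMS_MESSAGES = [
    {"ts": datetime(2024, 5, 1, 9, 0), "recipient_object_id": "aad-111",
     "recipient_upn": "alice@contoso.example", "thread_id": "thr-1"},
    {"ts": datetime(2024, 5, 1, 9, 5), "recipient_object_id": "aad-222",
     "recipient_upn": "bob@contoso.example", "thread_id": "thr-2"},
]

PROCESS_EVENTS = [
    {"ts": datetime(2024, 5, 1, 9, 10), "account_object_id": "aad-111", "device": "WS-01", "file": "notepad.exe"},
    {"ts": datetime(2024, 5, 1, 9, 12), "account_object_id": "aad-111", "device": "WS-01", "file": "QuickAssist.exe"},
    {"ts": datetime(2024, 5, 1, 9, 50), "account_object_id": "aad-222", "device": "WS-02", "file": "AnyDesk.exe"},
    # Runs before the message arrived, so it must never correlate regardless of window size.
    {"ts": datetime(2024, 5, 1, 8, 30), "account_object_id": "aad-111", "device": "WS-01", "file": "TeamViewer.exe"},
]

ALERTS = [
    {"ts": datetime(2024, 5, 1, 9, 20), "account_object_id": "aad-111", "upn": "", "thread_id": "",
     "title": "Suspicious remote assistance session"},
    {"ts": datetime(2024, 5, 1, 9, 25), "account_object_id": "", "upn": "", "thread_id": "thr-2",
     "title": "Malicious URL in Teams message"},
    {"ts": datetime(2024, 5, 1, 11, 0), "account_object_id": "", "upn": "bob@contoso.example", "thread_id": "",
     "title": "Credential theft attempt"},
]


def _within(start, ts, window):
    """True when ts falls in [start, start + window]; earlier events never correlate."""
    return start <= ts <= start + window


def hunt_rmm_after_teams(messages, processes, window=timedelta(minutes=30), rmm_tools=DEFAULT_RMM_TOOLS):
    """Join each Teams message recipient to RMM executions by the same account within `window`."""
    tools = {t.lower() for t in rmm_tools}
    hits = []
    for msg in messages:
        for proc in processes:
            if proc["file"].lower() not in tools:
                continue
            if proc["account_object_id"] != msg["recipient_object_id"]:
                continue
            if not _within(msg["ts"], proc["ts"], window):
                continue
            hits.append({
                "account_object_id": msg["recipient_object_id"],
                "device": proc["device"],
                "process": proc["file"],
                "minutes_after_message": int((proc["ts"] - msg["ts"]).total_seconds() // 60),
            })
    return hits


def hunt_alerts_after_teams(messages, alerts, window=timedelta(hours=1)):
    """Correlate messages with later alerts via three parallel identity branches.

    Branch order is AccountObjectId, then UPN, then ChatThreadId; the first
    branch that matches labels the hit, and each message/alert pair is emitted once.
    """
    branches = (
        ("AccountObjectId", "recipient_object_id", "account_object_id"),
        ("UPN", "recipient_upn", "upn"),
        ("ChatThreadId", "thread_id", "thread_id"),
    )
    hits = []
    for msg in messages:
        for alert in alerts:
            if not _within(msg["ts"], alert["ts"], window):
                continue
            for branch, msg_key, alert_key in branches:
                # Empty identity fields must not match each other, hence the truthiness check.
                if msg[msg_key] and msg[msg_key] == alert[alert_key]:
                    hits.append({"branch": branch, "thread_id": msg["thread_id"], "alert": alert["title"]})
                    break
    return hits


if __name__ == "__main__":
    for hit in hunt_rmm_after_teams(TEAMS_MESSAGES, PROCESS_EVENTS):
        print("RMM after Teams:", hit)
    for hit in hunt_alerts_after_teams(TEAMS_MESSAGES, ALERTS):
        print("Alert after Teams:", hit)
```

Widening the RMM window to 60 minutes pulls in the AnyDesk execution 45 minutes after the second message, and widening the alert window to three hours adds the UPN-branch match; that is the trade-off the tunable parameters expose, more recall at the cost of more benign coincidences to triage.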

MITRE Mapping

  • T1566 - Phishing: Detects Teams message-based lure delivery
  • T1219 - Remote Access Software: Identifies RMM tool execution following social engineering
  • T1078 - Valid Accounts: Covers compromised account activity patterns

Security Impact

These queries address the Storm-1811 / Black Basta attack pattern documented in Microsoft’s cross-tenant helpdesk impersonation research. SOC teams gain visibility into:

  • Teams phishing campaigns leading to RMM tool deployment
  • First-contact external chat patterns that precede security incidents
  • Cross-platform correlation between collaboration tool activity and endpoint compromise signals

Queries include tunable parameters for time windows and RMM tool lists to adapt to environment-specific attack patterns.

Affected Files

Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/Hunt for RMM tool execution following Teams messages.yaml
Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/Hunt for alerts correlated with Teams messages.yaml
Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Hunt for RMM tool execution following Teams messages.yaml
Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Hunt for alerts correlated with Teams messages.yaml