A potentially malicious file was sent in a Microsoft Teams message


Goal

Detect when a potentially malicious file is sent in Microsoft Teams. Threat actors sometimes send malicious files to unsuspecting users as a means of initial access.

Strategy

Monitor Microsoft 365 SharePoint audit logs for the operation FileUploaded. When a file is shared in Teams, the Teams client uses the underlying Microsoft Office APIs to upload the file to SharePoint, so Teams file uploads are audited in the Microsoft 365 activity log as SharePoint file operations. To distinguish Teams file uploads from those of other services, we use the AppAccessContext.ClientAppName attribute with the value Microsoft Teams Chat Files. This detection triggers when a file with any of the following extensions is uploaded:

  • exe
  • msi
  • bin
  • dll
  • bat
  • ps1
  • vbs
  • js
  • scr
  • zip
  • rar
  • 7z
  • cab
  • tar
  • gz
  • bz2
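The matching logic described above, written as an added Python example (not Datadog's rule definition) that runs over constructed audit log records shaped like Microsoft 365 unified audit log entries. It assumes the fields Operation, SourceFileName and AppAccessContext.ClientAppName are present as in the SharePoint file operation schema; the sample values are made up.

```python
# Extensions flagged by the detection (the list from the rule above)
SUSPICIOUS_EXTENSIONS = {
    "exe", "msi", "bin", "dll", "bat", "ps1", "vbs", "js",
    "scr", "zip", "rar", "7z", "cab", "tar", "gz", "bz2",
}
# Value that identifies uploads made through a Teams chat
TEAMS_CLIENT_APP = "Microsoft Teams Chat Files"


def file_extension(name: str) -> str:
    """Lower-cased final extension of a file name (handles paths), '' if none."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[-1].lower()


def is_suspicious_teams_upload(record: dict) -> bool:
    """True when a record is a Teams file upload with a risky extension."""
    if record.get("Operation") != "FileUploaded":
        return False
    # AppAccessContext may be absent on older records; treat that as "not Teams"
    ctx = record.get("AppAccessContext") or {}
    if ctx.get("ClientAppName") != TEAMS_CLIENT_APP:
        return False
    return file_extension(record.get("SourceFileName", "")) in SUSPICIOUS_EXTENSIONS


def find_suspicious_uploads(records: list) -> list:
    """Return the records that should raise this detection."""
    return [r for r in records if is_suspicious_teams_upload(r)]


# Constructed sample records: only the first one should match
SAMPLE_RECORDS = [
    {"Operation": "FileUploaded", "UserId": "alice@example.com",
     "SourceFileName": "invoice.PDF.exe", "AppAccessContext": {"ClientAppName": TEAMS_CLIENT_APP}},
    {"Operation": "FileUploaded", "UserId": "bob@example.com",
     "SourceFileName": "notes.docx", "AppAccessContext": {"ClientAppName": TEAMS_CLIENT_APP}},
    {"Operation": "FileUploaded", "UserId": "carol@example.com",
     "SourceFileName": "tool.exe", "AppAccessContext": {"ClientAppName": "Some Other Client"}},
    {"Operation": "FileAccessed", "UserId": "dave@example.com",
     "SourceFileName": "report.zip", "AppAccessContext": {"ClientAppName": TEAMS_CLIENT_APP}},
    {"Operation": "FileUploaded", "UserId": "erin@example.com",
     "SourceFileName": "archive.7Z"},  # no AppAccessContext: cannot attribute to Teams
]

if __name__ == "__main__":
    for hit in find_suspicious_uploads(SAMPLE_RECORDS):
        print(f"ALERT: {hit['UserId']} uploaded {hit['SourceFileName']} via Teams")
```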

Triage and response

  1. Investigate the potentially malicious file {{@SourceFileName}} that was sent by viewing the SharePoint link {{@ObjectId}} containing the file.
  2. Determine if the user {{@usr.email}} intended to send the observed file.
  3. If {{@usr.email}} didn’t intend to send the observed file or happens to be a guest or external user:
    • Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.