An external Microsoft Teams member was added then removed


Goal

Detect when a Teams member is added and then removed within a short amount of time. An insider threat might add an external account to exfiltrate data then quickly remove the user to hide their tracks.

Strategy

Using the THEN operator, monitor Microsoft Teams audit logs for a MemberAdded event (@evt.name) followed by a MemberRemoved event for the same member, where the Members.UPN value contains #EXT#. The #EXT# marker in a UPN denotes a guest (external) user.
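As an added illustration (not Datadog's rule implementation), the same add-then-remove sequence expressed in Python over constructed sample audit records. The field names Operation, UserId, TeamName and Members[].UPN follow the Office 365 audit schema, and the 15-minute window is an assumed value.

```python
from datetime import datetime, timedelta

# Constructed sample Teams audit records (not real data). Pair 1 is an external
# guest added and removed 9 minutes apart; pair 2 is an internal user (no #EXT#);
# pair 3 is an external guest removed a day later, outside the window.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-05-01T10:00:00", "Operation": "MemberAdded",
     "UserId": "alice@example.com", "TeamName": "Finance",
     "Members": [{"UPN": "bob_outside.example#EXT#@example.onmicrosoft.com"}]},
    {"CreationTime": "2024-05-01T10:09:00", "Operation": "MemberRemoved",
     "UserId": "alice@example.com", "TeamName": "Finance",
     "Members": [{"UPN": "bob_outside.example#EXT#@example.onmicrosoft.com"}]},
    {"CreationTime": "2024-05-01T11:00:00", "Operation": "MemberAdded",
     "UserId": "carol@example.com", "TeamName": "Engineering",
     "Members": [{"UPN": "dave@example.com"}]},
    {"CreationTime": "2024-05-01T11:05:00", "Operation": "MemberRemoved",
     "UserId": "carol@example.com", "TeamName": "Engineering",
     "Members": [{"UPN": "dave@example.com"}]},
    {"CreationTime": "2024-05-02T09:00:00", "Operation": "MemberAdded",
     "UserId": "erin@example.com", "TeamName": "Sales",
     "Members": [{"UPN": "frank_partner.com#EXT#@example.onmicrosoft.com"}]},
    {"CreationTime": "2024-05-03T09:00:00", "Operation": "MemberRemoved",
     "UserId": "erin@example.com", "TeamName": "Sales",
     "Members": [{"UPN": "frank_partner.com#EXT#@example.onmicrosoft.com"}]},
]

def is_external(upn: str) -> bool:
    """Guest (external) accounts carry the #EXT# marker in their UPN."""
    return "#EXT#" in upn

def find_add_then_remove(events, window=timedelta(minutes=15)):
    """Return (actor, external UPN, team, minutes elapsed) for every external
    member whose MemberAdded is followed by MemberRemoved within `window`."""
    pending = {}   # (team, upn) -> (actor who added, time of MemberAdded)
    findings = []
    for ev in sorted(events, key=lambda e: e["CreationTime"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["CreationTime"])
        for member in ev.get("Members", []):
            upn = member.get("UPN", "")
            if not is_external(upn):
                continue  # the rule only cares about external (#EXT#) members
            key = (ev.get("TeamName"), upn)
            if ev["Operation"] == "MemberAdded":
                pending[key] = (ev["UserId"], ts)
            elif ev["Operation"] == "MemberRemoved" and key in pending:
                actor, added_at = pending.pop(key)
                if ts - added_at <= window:
                    findings.append((actor, upn, key[0], (ts - added_at).total_seconds() / 60))
    return findings
```

Each finding carries the actor, which maps to the {{@usr.email}} used in the triage steps, plus the external UPN and team to scope the follow-up investigation.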

Triage and response

  1. Determine if the user {{@usr.email}} intended to add and remove the external user and if the external user should indeed have been added.
  2. If {{@usr.email}} didn’t intend to add or remove the external user or the external user is not approved:
    • Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
    • Investigate the activities that were performed by the external user within the time period in which they were added and removed.
    • Begin your organization’s incident response process and investigate.