# *Detect Possible Teams BEC Attack by High Teams Recipients*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1566 | Phishing | https://attack.mitre.org/techniques/T1566/ |

#### Description
An external sender who suddenly increases the number of internal users they message can indicate that the external account has been compromised and is being used for a BEC attack. In these attacks, the compromised account of a trusted business partner is used to send phishing links or attachments to the users it already has a business relationship with, so the messages arrive from a known and expected sender.

#### Risk
When an external user sends messages to many different internal users within a short time frame, those messages might be malicious.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://hybridbrothers.com
- https://thecollective.eu

## Defender XDR
```KQL
// Possible BEC detection by high teams recipients
// Flag when the current day's distinct-chat count exceeds this percentage of the sender's daily average (200 = more than double)
let increase_percentage = 200;
let base = (
    MessageEvents
    | where TimeGenerated > ago(14d)
    // Focus on chat messages (channel posts are ignored)
    | where ThreadType == "chat"
    // Only keep external senders: drop every sender whose object id is a known tenant identity
    | join kind=leftanti (
        IdentityInfo
        | where TimeGenerated > ago(14d)
        | distinct AccountObjectId
    ) on $left.SenderObjectId == $right.AccountObjectId
    // Make a set of all the distinct chats they posted to, per day
    | summarize ChatSet = make_set(ThreadId) by SenderEmailAddress, bin(TimeGenerated, 1d)
    // Count the number of distinct chats they posted to each day
    | extend ChatCount = array_length(ChatSet)
);
// Average number of distinct chats per external sender per active day
// (days without any message are absent from base, so they do not count as zero)
let averageBySender = (
    base
    | summarize AverageChatsBySender = avg(ChatCount) by SenderEmailAddress
);
// Flag senders whose current-day chat count exceeds their baseline by increase_percentage
base
| where TimeGenerated > ago(1d)
| join kind=inner averageBySender on SenderEmailAddress
// Divide by 100.0: integer division would truncate e.g. 150 / 100 to 1
| where ChatCount > AverageChatsBySender * (increase_percentage / 100.0)
```

Explanation

This query detects a possible Business Email Compromise (BEC) in Microsoft Teams by identifying external senders who suddenly post into many more internal chats than they normally do. Breakdown of the query:

  1. Objective: flag external senders whose daily messaging activity towards the tenant has significantly increased, which can indicate a compromised partner account being used to deliver phishing links or attachments.

  2. Data collection:

    • The query examines `MessageEvents` from the past 14 days and keeps only chat messages (`ThreadType == "chat"`), so channel posts are not considered.
    • It keeps only messages from external senders: every `SenderObjectId` that also appears in `IdentityInfo` (a tenant identity) is removed by the `leftanti` join.
  3. Analysis:

    • For each external sender it builds the set of distinct chat threads (`ThreadId`) they posted to per day and counts them. Counting distinct threads rather than messages means many messages into one chat do not inflate the number.
    • It then averages those daily counts per sender over the 14-day window. The average only covers days on which the sender was active (silent days do not contribute a zero) and includes the current day itself.
  4. Detection:

    • The query takes the current day's bin and flags a sender whose distinct-chat count exceeds `increase_percentage` percent of their baseline average (200 by default, so more than double).
  5. Outcome: this surfaces external accounts that might be compromised and used to send phishing messages to internal users, allowing for further investigation and mitigation.

Caveats to keep in mind when tuning: a sender that appears for the first time has no independent baseline (their average equals today's count) and is never flagged; the current day is a partial bin, so early in the day few senders will reach the threshold; and because the baseline includes the current day, a large spike also raises the average it is compared against.
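The baseline-and-threshold logic described above, re-implemented in Python as an added example (not part of the original query page) so it can be exercised offline. It runs over constructed `MessageEvents`-like records; the sender addresses, object ids and the fixed `NOW` are assumptions. It also shows two consequences of the KQL semantics: a sender who first appears today has no independent baseline and is never flagged, and several messages into the same chat are counted once.

```python
"""Offline emulation of the 'high Teams recipients' detection (added example).

Re-implements the KQL steps in Python over constructed MessageEvents-like
records. Field names mirror the KQL columns; senders, object ids and NOW are
invented for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta, timezone

# Fixed "now" so the example is deterministic (assumption, not real data).
NOW = datetime(2026, 2, 10, 12, 0, tzinfo=timezone.utc)

# Stand-in for `IdentityInfo | distinct AccountObjectId` (constructed).
INTERNAL_OBJECT_IDS = {"oid-alice", "oid-bob"}


def _ev(days_ago, sender, oid, thread_id, thread_type="chat"):
    """Build one MessageEvents-like record timestamped NOW minus days_ago."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "SenderEmailAddress": sender,
        "SenderObjectId": oid,
        "ThreadType": thread_type,
        "ThreadId": thread_id,
    }


# Constructed sample events:
#  - partner@vendor.example normally posts in 1-2 chats a day, today in 6 -> spike
#  - consultant@firm.example posts in the same 3 chats every day -> no spike
#  - alice@corp.example is a tenant user and is excluded by the leftanti join
#  - newbie@other.example first appears today -> no baseline, never flagged
EVENTS = []
for d in range(1, 8):
    EVENTS.append(_ev(d, "partner@vendor.example", "oid-partner", f"chat-p{d}"))
    if d % 2 == 0:
        EVENTS.append(_ev(d, "partner@vendor.example", "oid-partner", f"chat-p{d}-b"))
    for t in range(3):
        EVENTS.append(_ev(d, "consultant@firm.example", "oid-consultant", f"chat-c{t}"))
for t in range(6):
    # two messages into the same chat: make_set() counts the thread once
    EVENTS.append(_ev(0, "partner@vendor.example", "oid-partner", f"chat-today-{t}"))
    EVENTS.append(_ev(0, "partner@vendor.example", "oid-partner", f"chat-today-{t}"))
for t in range(3):
    EVENTS.append(_ev(0, "consultant@firm.example", "oid-consultant", f"chat-c{t}"))
for t in range(10):
    EVENTS.append(_ev(0, "alice@corp.example", "oid-alice", f"chat-a{t}"))
    EVENTS.append(_ev(0, "newbie@other.example", "oid-newbie", f"chat-n{t}"))
# a channel post from the partner: dropped by the ThreadType == "chat" filter
EVENTS.append(_ev(0, "partner@vendor.example", "oid-partner", "channel-general", "channel"))


def detect(events, internal_ids, increase_percentage=200, lookback_days=14, now=NOW):
    """Return {sender: (today_chat_count, baseline_avg)} for flagged external senders."""
    window_start = now - timedelta(days=lookback_days)
    # base: distinct ThreadIds per (sender, UTC day) -- summarize make_set(ThreadId) by bin(1d)
    per_day = defaultdict(set)
    for e in events:
        if e["TimeGenerated"] <= window_start or e["ThreadType"] != "chat":
            continue
        if e["SenderObjectId"] in internal_ids:   # join kind=leftanti against IdentityInfo
            continue
        day_bin = datetime.combine(e["TimeGenerated"].date(), time.min, tzinfo=timezone.utc)
        per_day[(e["SenderEmailAddress"], day_bin)].add(e["ThreadId"])

    # averageBySender: mean of the daily counts over active days only (today included)
    daily_counts = defaultdict(list)
    for (sender, _day_bin), threads in per_day.items():
        daily_counts[sender].append(len(threads))
    average = {s: sum(c) / len(c) for s, c in daily_counts.items()}

    # detection: the bin whose start lies after now - 1d (today's bin) against the baseline
    multiplier = increase_percentage / 100   # float division; KQL needs /100.0 for the same result
    flagged = {}
    for (sender, day_bin), threads in per_day.items():
        if day_bin <= now - timedelta(days=1):
            continue
        count = len(threads)
        if count > average[sender] * multiplier:
            flagged[sender] = (count, average[sender])
    return flagged


if __name__ == "__main__":
    for sender, (count, avg) in detect(EVENTS, INTERNAL_OBJECT_IDS).items():
        print(f"{sender}: {count} distinct chats today vs {avg:.1f}/day baseline")
```

With the sample data only `partner@vendor.example` is flagged (6 distinct chats against a baseline of 2.0, where the baseline already includes today's spike). Raising `increase_percentage` to 500 clears the result, and `newbie@other.example` is never flagged at any percentage because their only observed day is the one being tested.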

Details

Robbe Van den Daele

Released: February 10, 2026

Tables

MessageEvents, IdentityInfo
