M365 Teams Rogue Help Desk Chat Created

Identifies a one-on-one Microsoft Teams chat created by a user from a foreign tenant whose display name, member profile, or email local-part resembles IT help desk or Microsoft security staff. Adversaries abuse cross-tenant Teams external access to impersonate support personnel and socially engineer victims into granting remote access or disclosing credentials.

Elastic rule

[metadata]
creation_date = "2026/06/22"
integration = ["o365"]
maturity = "production"
updated_date = "2026/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies a one-on-one Microsoft Teams chat created by a user from a foreign tenant whose display name, member
profile, or email local-part resembles IT help desk or Microsoft security staff. Adversaries abuse cross-tenant Teams
external access to impersonate support personnel and socially engineer victims into granting remote access or
disclosing credentials.
"""
false_positives = [
    """
    Legitimate external partners or managed service providers with help desk-style display names may trigger this rule.
    Validate the sender tenant, domain, and business relationship before closing as benign.
    """,
]
from = "now-9m"
index = ["logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Teams Rogue Help Desk Chat Created"
note = """## Triage and analysis

### Investigating M365 Teams Rogue Help Desk Chat Created

Threat actors create external Microsoft 365 tenants and initiate unsolicited one-on-one Teams chats while impersonating
IT help desk or Microsoft security personnel. These chats often precede vishing, Quick Assist abuse, or malicious link
delivery.

Review `user.email`, `user.domain`, `o365.audit.Members.DisplayName`, `o365.audit.ChatThreadId`, and
`o365.audit.ParticipantInfo`. Correlate follow-on `MessageSent` events for `source.ip` and `source.geo`, and
`CallParticipantDetail` events sharing the same `o365.audit.CallId` or chat thread for vishing activity.

#### Possible investigation steps

- Identify the external sender from `user.email`, `user.domain`, and `o365.audit.Members` and determine whether the
  tenant or domain is known and trusted.
- Compare `user.name` to `o365.audit.Members.DisplayName` — actors often use a lowercase mailbox alias such as
  `helpdesk` while presenting as `Help Desk` in Teams.
- Confirm `o365.audit.ParticipantInfo.HasForeignTenantUsers` is true and that no guest users are involved.
- Pivot on `o365.audit.ChatThreadId` for `MessageSent` and `CallParticipantDetail` events in the same session.
- Review `MessageSent` `source.ip` and `source.geo` for unexpected origin countries relative to the sender profile.
- Correlate with mail-flood, MFA fatigue, or URL click alerts for the targeted user in the same time window.
- Review whether the victim accepted the chat or responded, and hunt for follow-on remote support tool execution on
  their endpoint.
- Check whether the sender tenant appears newly created, trial-based, or otherwise anomalous for your environment.

### False positive analysis

- Approved external support vendors may use help desk-style display names. Maintain an allowlist of trusted external
  tenants or sender domains when recurring benign matches occur.
- The `user.email` and `user.name` impersonation clauses target external mailbox aliases such as `helpdesk@`. Prefer
  exceptions anchored on verified tenant IDs or sender domains rather than broad name-based exclusions.

### Response and remediation

- Warn the targeted user not to engage and confirm whether they accepted the chat or shared credentials.
- Block or restrict the external tenant via Teams federation policy if malicious.
- Hunt for additional `ChatCreated` events from the same external tenant across the organization.
- Review Teams external access settings and consider blocking trial tenants or restricting federation to an allowlist."""

references = [
    "https://www.microsoft.com/en-us/security/blog/2026/04/18/crosstenant-helpdesk-impersonation-data-exfiltration-human-operated-intrusion-playbook/",
    "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/",
]
risk_score = 73
rule_id = "e8e7b6b6-78b0-4015-97fe-c2f28468e0d4"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset:o365.audit and event.action:"ChatCreated" and event.provider:"MicrosoftTeams" and event.outcome:"success" and
  o365.audit.ParticipantInfo.HasOtherGuestUsers:false and o365.audit.ParticipantInfo.HasGuestUsers:false and
  o365.audit.ParticipantInfo.HasForeignTenantUsers:true and o365.audit.CommunicationType:"OneOnOne" and
  (
    o365.audit.Members:(
      "Help Desk" or "Help Desk Team" or "Help Desk IT" or "IT Help Desk" or
      "Microsoft Security" or "Microsoft  Security" or "Microsoft Support"
    ) or
    user.email:(
      *helpdesk* or *help.desk* or *help-desk* or *help_desk* or
      *ithelp* or *it.help* or *itsupport* or *it.support* or *it-support*
    ) or
    user.name:(*helpdesk* or *help-desk* or *ithelp* or *itsupport*)
  )
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user.email",
    "user.domain",
    "user.id",
    "o365.audit.Members",
    "o365.audit.Members.DisplayName",
    "o365.audit.ChatThreadId",
    "o365.audit.ResourceTenantId",
    "o365.audit.CommunicationType",
    "o365.audit.ParticipantInfo.HasForeignTenantUsers",
    "o365.audit.ParticipantInfo.HasGuestUsers",
    "o365.audit.ParticipantInfo.HasOtherGuestUsers",
    "o365.audit.ParticipantInfo.ParticipatingDomains",
    "event.action",
    "event.provider",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.003"
name = "Spearphishing via Service"
reference = "https://attack.mitre.org/techniques/T1566/003/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
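The following is an added example, not Elastic's code or part of the rule above. It mocks the query's match logic in plain Python over constructed o365.audit-shaped events so the scoping conditions and the three impersonation clauses can be checked one at a time, applies an exception anchored on a verified sender domain as the false-positive section recommends (the domain `msp-partner.example` and every address, thread id and IP below are constructed placeholders), and runs the `o365.audit.ChatThreadId` pivot from the triage guide to pull follow-on `MessageSent` and `CallParticipantDetail` events with their `source.ip` and country. Display names are compared exactly and the local-part fragments are matched case-insensitively as substrings, which is an assumed simplification of the KQL phrase and wildcard semantics, not a statement about how Elasticsearch evaluates them.

```python
# Added example (not Elastic's code): mock of the rule's match logic, a sender-domain
# allowlist, and the ChatThreadId pivot, over constructed o365.audit-shaped events.

# Display names and local-part fragments copied from the rule's query.
HELPDESK_DISPLAY_NAMES = {
    "Help Desk", "Help Desk Team", "Help Desk IT", "IT Help Desk",
    "Microsoft Security", "Microsoft  Security", "Microsoft Support",
}
EMAIL_FRAGMENTS = ("helpdesk", "help.desk", "help-desk", "help_desk",
                   "ithelp", "it.help", "itsupport", "it.support", "it-support")
NAME_FRAGMENTS = ("helpdesk", "help-desk", "ithelp", "itsupport")

# Constructed placeholder: a verified partner's sender domain. Exceptions key on this,
# never on the display name, so a lookalike tenant cannot opt out by renaming itself.
TRUSTED_SENDER_DOMAINS = {"msp-partner.example"}


def get(event, path, default=None):
    """Walk a dotted ECS-style path through nested dicts."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def impersonation_clause(event):
    """The OR-group of the query; returns which clause fired, or None.
    Exact display-name match; case-insensitive substring match on email/user.name
    (an assumed simplification of the KQL wildcard semantics)."""
    for member in get(event, "o365.audit.Members", []) or []:
        if member.get("DisplayName") in HELPDESK_DISPLAY_NAMES:
            return "display_name"
    email = (get(event, "user.email", "") or "").lower()
    if any(frag in email for frag in EMAIL_FRAGMENTS):
        return "email"
    name = (get(event, "user.name", "") or "").lower()
    if any(frag in name for frag in NAME_FRAGMENTS):
        return "user.name"
    return None


def matches_rule(event):
    """Mirror the AND conditions of the query; return the firing clause or None."""
    info = "o365.audit.ParticipantInfo."
    scoped = (
        get(event, "data_stream.dataset") == "o365.audit"
        and get(event, "event.action") == "ChatCreated"
        and get(event, "event.provider") == "MicrosoftTeams"
        and get(event, "event.outcome") == "success"
        and get(event, info + "HasOtherGuestUsers") is False
        and get(event, info + "HasGuestUsers") is False
        and get(event, info + "HasForeignTenantUsers") is True
        and get(event, "o365.audit.CommunicationType") == "OneOnOne"
    )
    return impersonation_clause(event) if scoped else None


def pivot_chat_thread(events, thread_id):
    """Follow-on MessageSent / CallParticipantDetail events on the same chat thread,
    with the source.ip and country the triage guide says to review."""
    follow_on = {"MessageSent": [], "CallParticipantDetail": []}
    for e in events:
        if get(e, "o365.audit.ChatThreadId") != thread_id:
            continue
        action = get(e, "event.action")
        if action in follow_on:
            follow_on[action].append(
                {"ip": get(e, "source.ip"), "country": get(e, "source.geo.country_iso_code")})
    return follow_on


def triage(events):
    """Run the rule over a batch and attach the pivot for every non-allowlisted match."""
    findings = {}
    for e in events:
        clause = matches_rule(e)
        if clause is None or get(e, "user.domain") in TRUSTED_SENDER_DOMAINS:
            continue
        thread = get(e, "o365.audit.ChatThreadId")
        findings[thread] = {"clause": clause, "sender": get(e, "user.email"),
                            "follow_on": pivot_chat_thread(events, thread)}
    return findings


def chat_created(email, name, display, domain, thread, guests=False):
    """Build a constructed ChatCreated event in the shape the rule keys on."""
    return {
        "data_stream": {"dataset": "o365.audit"},
        "event": {"action": "ChatCreated", "provider": "MicrosoftTeams", "outcome": "success"},
        "user": {"email": email, "name": name, "domain": domain},
        "o365": {"audit": {
            "Members": [{"DisplayName": display}], "ChatThreadId": thread,
            "CommunicationType": "OneOnOne",
            "ParticipantInfo": {"HasOtherGuestUsers": False, "HasGuestUsers": guests,
                                "HasForeignTenantUsers": True}}},
    }


# Constructed sample batch (no real tenants, users or addresses).
SAMPLE_EVENTS = [
    chat_created("helpdesk@lookalike-tenant.example", "helpdesk", "Help Desk",
                 "lookalike-tenant.example", "19:thread-a"),
    chat_created("support@msp-partner.example", "support", "IT Help Desk",
                 "msp-partner.example", "19:thread-b"),           # allowlisted partner
    chat_created("it.support@other.example", "it.support", "Jane Doe",
                 "other.example", "19:thread-c", guests=True),   # guest present: out of scope
    {"data_stream": {"dataset": "o365.audit"}, "event": {"action": "MessageSent"},
     "o365": {"audit": {"ChatThreadId": "19:thread-a"}},
     "source": {"ip": "203.0.113.7", "geo": {"country_iso_code": "ZZ"}}},
    {"data_stream": {"dataset": "o365.audit"}, "event": {"action": "CallParticipantDetail"},
     "o365": {"audit": {"ChatThreadId": "19:thread-a"}},
     "source": {"ip": "203.0.113.7", "geo": {"country_iso_code": "ZZ"}}},
]

if __name__ == "__main__":
    for thread, finding in triage(SAMPLE_EVENTS).items():
        print(thread, finding)
```

Only the first chat survives triage: the second matches the display-name clause but comes from the allowlisted sender domain, and the third is outside the rule's scope because a guest user is present, even though its local-part would satisfy the email clause. The pivot on `19:thread-a` returns both the later message and the call record with their source IP and country, which is the correlation the investigation steps describe.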
