Phishing attacks in Microsoft Teams and external federation

A while back a customer of ours got targeted with a phishing attack that came through Microsoft Teams. What happened was that the attackers created a new O365 organization and named the users in their tenant like the people working in the IT department in the customer organization.

By default, Microsoft Teams has a federation open with all external organizations, which means that anyone from any tenant can reach your end-users directly and send them a message.

This is a screenshot from my own testing, where I just created an O365 organization, named one of my users Marius (IT Avdelingen) IT Department in Norwegian… in O365 which will then appear when the user gets a message in Microsoft Teams. While it does say external in the message it might not capture the attention of the end-users when they get the message.

No alternative text description for this image

While in Exchange Online Protection or depending on what kind of Secure Email Gateway service we are using we have many different security mechanisms to avoid blocking phishing attacks. In Microsoft Teams, we only have Safe Links. So, in our case the phishing site the customer was sent to was hosted on OneDrive, so it easily slipped past the Safe Links feature. 

So, what can we do to stop this?

1: Disable external federation in Microsoft Teams and allow only specific external domains. This is something that can be done within the Teams Admin Center. Where you can whitelist what kind of domains are allowed to contact users within your domain.

While you can argue that it should be open for all external domains as with email, in most cases, you have a limited number of organizations that you interact with on a daily basis on Teams anyway. The goal is not to lockdown all access, but only with domains that you partner with or interact with. Unknown organizations should not have access to send message directly to your end-users.

2: Monitor usage related to URLclicks. 

Microsoft recently introduced a new audit log table called URLClickEvents (Introducing the UrlClickEvents table in advanced hunting with Microsoft Defender for Office 365 – Microsoft Tech Community) which allows us to monitor for clicks to URL’s going through Microsoft Teams.

This of course applies only if you have Microsoft defender for office enabled, and using this Kusto Query (

UrlClickEvents | where Workload == @”Teams”
As seen in the screenshot below. The ActionType “ClickAllowed” means that the URL was marked as okay by the Safe-links check.

you can monitor for clicks to URLs going in through Microsoft Teams. Now unfortunately it does not give you any indication of who the sender is, and secondly, this table is not (during the time of writing this blogpost) not available in Microsoft Sentinel Connector which means that you need to create a custom hunting query rule within Defender to be able to monitor abnormal traffic patterns.


Leave a Reply

Scroll to Top