As a growing amount of our communications are moving from traditional formats such as in-person meetings and email, to instant messaging and hybrid collaboration via Microsoft Teams, the risk of threat actors abusing Teams to delivery malicious content has also grown.
In our previous blog we discussed detecting some common threats in Teams using the Teams audit log such as anomalous users joining meetings or malicious administrative changes.
In this blog we will look at how to detect another threat actor angle in Microsoft Teams, the sharing of malicious links. Microsoft Teams provides protection against the sharing of malicious links using our Safe Links feature. However, as a defender it is still important to investigate blocked malicious events to determine their root cause and identify any broader compromise that may have led to the event.
Alongside this blog we have released a Jupyter Notebook, written using MSTICPy, our open-source cybersecurity toolkit to help you conduct your own investigations. The notebook can be found via the Microsoft Sentinel Notebooks Templates feature or via GitHub.