Elastic Security Detection Rules

M365 Teams Rogue Help Desk Chat Created

Last updated 2 days ago on 2026-06-22
Created 2 days ago on 2026-06-22

About

Identifies a one-on-one Microsoft Teams chat created by a user from a foreign tenant whose display name, member profile, or email local-part resembles IT help desk or Microsoft security staff. Adversaries abuse cross-tenant Teams external access to impersonate support personnel and socially engineer victims into granting remote access or disclosing credentials.
Tags
Domain: CloudDomain: SaaSData Source: Microsoft 365Data Source: Microsoft 365 Audit LogsUse Case: Threat DetectionTactic: Initial AccessLanguage: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

Phishing (T1566)(external, opens in a new tab or window)

False Positive Examples
Legitimate external partners or managed service providers with help desk-style display names may trigger this rule. Validate the sender tenant, domain, and business relationship before closing as benign.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-o365.audit-*
Related Integrations

o365(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset:o365.audit and event.action:"ChatCreated" and event.provider:"MicrosoftTeams" and event.outcome:"success" and
  o365.audit.ParticipantInfo.HasOtherGuestUsers:false and o365.audit.ParticipantInfo.HasGuestUsers:false and
  o365.audit.ParticipantInfo.HasForeignTenantUsers:true and o365.audit.CommunicationType:"OneOnOne" and
  (
    o365.audit.Members:(
      "Help Desk" or "Help Desk Team" or "Help Desk IT" or "IT Help Desk" or
      "Microsoft Security" or "Microsoft  Security" or "Microsoft Support"
    ) or
    user.email:(
      *helpdesk* or *help.desk* or *help-desk* or *help_desk* or
      *ithelp* or *it.help* or *itsupport* or *it.support* or *it-support*
    ) or
    user.name:(*helpdesk* or *help-desk* or *ithelp* or *itsupport*)
  )

Install detection rules in Elastic Security

Detect M365 Teams Rogue Help Desk Chat Created in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).