sigma-rules/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml

[metadata]
creation_date = "2020/11/30"
integration = ["o365"]
maturity = "production"
updated_date = "2025/12/10"

[rule]
author = ["Elastic"]
description = """
Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users
communicate with other users that are outside their organization. An adversary may enable external access or add an
allowed domain to exfiltrate data or maintain persistence in an environment.
"""
false_positives = [
    """
    Teams external access may be enabled by a system or network administrator. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
from = "now-9m"
index = ["logs-o365.audit-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Teams External Access Enabled"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating M365 Teams External Access Enabled

Microsoft Teams' external access feature allows users to communicate with individuals outside their organization, facilitating collaboration. However, adversaries can exploit this by enabling external access or adding trusted domains to exfiltrate data or maintain persistence. The detection rule monitors audit logs for changes in federation settings, specifically when external access is successfully enabled, indicating potential misuse.

### Possible investigation steps

- Review the audit logs for the specific event.action "Set-CsTenantFederationConfiguration" to identify when and by whom the external access was enabled.
- Examine the o365.audit.Parameters.AllowFederatedUsers field to confirm that it is set to True, indicating that external access was indeed enabled.
- Investigate the user account associated with the event to determine if the action was authorized and if the account has a history of suspicious activity.
- Check the event.provider field to see if the change was made through SkypeForBusiness or MicrosoftTeams, which may provide additional context on the method used.
- Assess the event.outcome field to ensure the action was successful and not a failed attempt, which could indicate a potential security threat.
- Look into any recent changes in the list of allowed domains to identify if any unauthorized or suspicious domains have been added.

### False positive analysis

- Routine administrative changes to federation settings can trigger alerts. Regularly review and document these changes to differentiate between legitimate and suspicious activities.
- Organizations with frequent collaboration with external partners may see increased alerts. Consider creating exceptions for known trusted domains to reduce noise.
- Scheduled updates or policy changes by IT teams might enable external access temporarily. Coordinate with IT to log these activities and exclude them from triggering alerts.
- Automated scripts or tools used for configuration management can inadvertently enable external access. Ensure these tools are properly documented and monitored to prevent false positives.
- Changes made during mergers or acquisitions can appear suspicious. Maintain a record of such events and adjust monitoring rules accordingly to account for expected changes.

### Response and remediation

- Immediately disable external access in Microsoft Teams to prevent further unauthorized communication with external domains.
- Review and remove any unauthorized or suspicious domains added to the allowed list in the Teams federation settings.
- Conduct a thorough audit of recent changes in the Teams configuration to identify any other unauthorized modifications or suspicious activities.
- Reset credentials and enforce multi-factor authentication for accounts involved in the configuration change to prevent further unauthorized access.
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
- Escalate the incident to the incident response team if there is evidence of data exfiltration or if the scope of the breach is unclear.
- Implement enhanced monitoring and alerting for changes in Teams federation settings to detect similar threats in the future.

## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"]
risk_score = 47
rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
event.category:web and event.action:"Set-CsTenantFederationConfiguration" and
o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"