I've encountered a phishing message in Teams that appears to come from someone in the existing chat. The user claims they didn't send it. I'm trying to figure out where to start in identifying the cause. I checked the user's sign-in logs and didn't see any unusual sign-in locations. Could the problem be malware on their device?
2 Answers
What exactly did the message say? Also, do you have strict controls over what apps users can access? It's possible that the user granted unnecessary permissions to some AI meeting tool that has too much control over Teams and Exchange. Additionally, consider how well users secure their own workstations. In my office, if someone leaves their workstation unlocked, we change their background to something ridiculous as a reminder! If you're able to query Teams logs with PowerShell, you should see who sent the message. I’ve seen this happen when users share devices during meetings or give access to sketchy applications.
You might want to check where the specific message originated from, like the client or IP address. It’s probably possible to query that info. Even if you don’t use Teams anymore, here’s a good approach: Rotate their password, revoke all sign-in sessions, and consider wiping their device. Those steps will help secure the account.

Is there a way to check what apps a user has granted permissions to?
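
One way to answer the question above, as an added example that is not part of any post in this thread: list the delegated OAuth permission grants the user has consented to, using the Microsoft Graph PowerShell SDK. The UPN is a placeholder and the list of "sensitive" scopes is an illustrative assumption, not an exhaustive set.

```powershell
# Added example: audit the delegated OAuth grants one user has consented to.
# Requires the Microsoft.Graph PowerShell SDK and a role allowed to read directory data.

# Assumption: placeholder UPN; replace with the affected account.
$upn = 'user@example.com'

# Read-only scopes are sufficient for this audit.
Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All'

$user = Get-MgUser -UserId $upn

# Scopes that let an app read or send Teams messages or mail as the user.
# Illustrative list (assumption); extend it to match your own policy.
$sensitive = 'Chat.ReadWrite', 'ChatMessage.Send', 'ChannelMessage.Send',
             'Mail.Send', 'Mail.ReadWrite'

# Grants where this user is the consenting principal (consentType = Principal).
$grants = Get-MgOauth2PermissionGrant -Filter "principalId eq '$($user.Id)'" -All

$report = foreach ($g in $grants) {
    # ClientId / ResourceId are service principal object IDs, so resolve them to names.
    $client   = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    $scopes   = $g.Scope -split ' ' | Where-Object { $_ }

    [pscustomobject]@{
        App       = $client.DisplayName
        AppId     = $client.AppId
        Publisher = $client.VerifiedPublisher.DisplayName   # empty if unverified
        Resource  = $resource.DisplayName
        Scopes    = $scopes -join ', '
        Flagged   = [bool]($scopes | Where-Object { $_ -in $sensitive })
        GrantId   = $g.Id
    }
}

# Flagged grants first; GrantId is what you would pass to a removal cmdlet.
$report | Sort-Object Flagged -Descending | Format-Table -AutoSize -Wrap
```

Grants an administrator consented to for the whole tenant have no `principalId` and will not appear here; query them separately with the filter `consentType eq 'AllPrincipals'`. A grant that should not exist can be removed with `Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>`, which needs a write scope such as `DelegatedPermissionGrant.ReadWrite.All`.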