
Microsoft Defender for Office 365 Blog

Protection against multi-modal attacks with Microsoft Defender

birchj
Jul 31, 2025

Multi-modal (or hybrid) attacks are increasingly used by threat actors to orchestrate multi-phase campaigns. In Part 1 of our blog series, we explored how attackers use email bombing as a distraction technique to overwhelm users and bypass security controls. Today, we're expanding that conversation to show how Microsoft Defender can detect and correlate certain hybrid, multi-modal attacks that span email, Teams, identity, and endpoint vectors, and how these insights surface in the Microsoft Defender portal.

From distraction to deception: The rise of multi-modal attacks

Multi-modal attacks are on the rise and evolving. One such hybrid attack begins with a mail bombing event, flooding a user's inbox with legitimate subscription emails, and is followed by Microsoft Teams messages and calls to the targeted users. The goal? To gain trust, distract defenders, and establish persistence.

For example, attackers may pose as IT support personnel responding to the mail bombing incident and urge users to grant remote access, then use that access to get the victims to download malware-laced files. Our telemetry shows more than 300 threat actors executing multi-modal attacks, some of which involve Microsoft Teams. These tactics are not isolated; they are coordinated.

Defender continuously adapts to attacker behavior, enabling detection of emerging threats. Initially, attackers used simple terms such as 'Help Desk' as their Teams display name to deceive users, then evolved their tactics by adding other words such as 'Cyber', using Unicode characters such as '☑️', and inserting invisible characters to bypass detection. We also see these hybrid attacks ending in endpoint compromise, which may become evident through suspicious encoded PowerShell execution initiating a network connection. Microsoft Defender for Office 365 can now not only detect these signals but also correlate them across email, collaboration, and other modalities.
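The display-name evasions described above (emoji, invisible characters, look-alike letters) all defeat a naive substring match on "Help Desk". The following is an added example, not code from this blog or from Microsoft Defender, showing how a hunter can fold Teams sender display names into a comparable form before matching. The keyword list and the sample sender names are constructed assumptions for illustration; real tenants should tune the list to the impersonation terms they see.

```python
import unicodedata

# Impersonation terms in normalised (letters/digits only, casefolded) form.
# The list is an assumption for this example; tune it to your tenant.
IMPERSONATION_TERMS = ("helpdesk", "itsupport", "servicedesk", "cyber")


def normalize_display_name(name: str) -> str:
    """Fold a Teams display name so evasions collapse onto the plain keyword.

    - NFKC maps fullwidth/compatibility letters (e.g. 'Ｈ') to their ASCII form
      and composes decomposed accents, so 'Hélp' keeps its letters.
    - Only Unicode letters (L*) and digits (N*) are kept. This drops format
      characters (category Cf: zero-width space/joiner, bidi controls) that
      attackers insert to split a keyword, as well as emoji, punctuation and
      whitespace, so 'Help Desk', 'help-desk' and '\u2611\ufe0f Help Desk'
      all become 'helpdesk'.
    - casefold() makes the comparison case-insensitive.
    Not handled here: cross-script homoglyphs (e.g. Cyrillic 'е' for Latin 'e'),
    which need a confusables table on top of this normalisation.
    """
    folded = unicodedata.normalize("NFKC", name)
    kept = [ch for ch in folded if unicodedata.category(ch)[0] in ("L", "N")]
    return "".join(kept).casefold()


def impersonation_hits(display_name: str) -> list[str]:
    """Return the impersonation terms found in the normalised display name."""
    norm = normalize_display_name(display_name)
    return [term for term in IMPERSONATION_TERMS if term in norm]


# Constructed sample sender display names (not real telemetry). They cover the
# evasions the post describes plus a benign name that must not match.
SAMPLE_SENDERS = [
    "Help Desk",
    "\u2611\ufe0f Help Desk",        # checkbox emoji + variation selector
    "He\u200blp De\u200dsk",          # zero-width space / zero-width joiner
    "\uff29\uff34 Support",           # fullwidth 'IT'
    "Cyber Security Team",
    "Jane Smith",                     # contains the substring "it" but is benign
]


def scan_senders(senders=SAMPLE_SENDERS) -> dict[str, list[str]]:
    """Map each display name to the impersonation terms it matches."""
    return {s: impersonation_hits(s) for s in senders}


if __name__ == "__main__":
    for sender, hits in scan_senders().items():
        print(f"{sender!r:32} -> {hits}")
```

Because the match runs on the normalised string rather than on raw substrings, "Jane Smith" does not trip the "it" + "support" pattern that a loose `contains` query would, while the emoji, zero-width and fullwidth variants all collapse onto the same keyword.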

Better attacker tracking and new detection types

It’s now easier to see coordinated multi-modal (hybrid) attack patterns directly in the Defender portal via the Incident experience. This means security teams can easily:

  • Identify linked incidents across email, Teams, and identity platforms.
  • Track attacker movement from initial access to command-and-control (C2) stages.
  • Disrupt attacks in real time using robust detection and automated response.

New alerts include:

  • Mail bombing activity detected – Identifies high-volume email flood activity.
  • Potentially malicious IT support Teams impersonation post mail bombing – Flags suspicious Teams threads following email-based flooding activity.

Related alert includes:

  • Suspicious encoded PowerShell execution initiating a network connection – Detects obfuscated scripts reaching out to attacker infrastructure.

These alerts are designed to work together, painting a full picture of the attacker’s strategy and enabling defenders to act decisively.

Empowering SOC analysts with advanced hunting and IOCs

Detection is just the beginning. Security teams can pivot from incidents and alerts to deeper investigations using Advanced Hunting in Microsoft Defender and Microsoft Sentinel.

By leveraging Indicators of Compromise (IOCs)—such as suspicious email addresses, IPs, or keywords like “IT Support”—customers can:

  • Craft custom queries to uncover hidden threats.
  • Search across identities, endpoints, and Office 365 data.
  • Investigate post-breach activities like MFA changes or emergency password resets.

IOCs can be collected from the incidents and alerts in the portal, or with the Advanced Hunting queries below:

  • Use AlertInfo to collect general information and clickable links to more IOCs:

    AlertInfo
    // narrow to recent alerts; widen the window to fit the investigation
    | where Timestamp >= ago(2h)
    // substitute the title of the alert you are investigating
    | where Title == "Microsoft Teams chat initiated by a suspicious external user"
    | top 100 by Timestamp

 

  • Use AlertEvidence to collect potentially related IOCs from an alert:

    AlertEvidence
    | where Timestamp >= ago(2h)
    // one row per entity (user, IP, URL, file ...) attached to the matching alerts
    | where Title == "Microsoft Teams chat initiated by a suspicious external user"
    | top 100 by Timestamp

 

Below are some example queries that can be used as custom detection rules in Advanced Hunting to detect mail bombing, malicious Teams content, conversations with external "Help Desk" impersonators, and password spray attempts:

  • Use EmailEvents to detect mail bombing:

    EmailEvents
    | where Timestamp > ago(1d)
    // DetectionMethods is a JSON string naming the detection technologies that fired
    | where DetectionMethods contains "Mail bombing"
    // keep Timestamp, ReportId and a sender/recipient column: a custom detection rule requires them
    | project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, ReportId

 

  • Use MessageEvents, a newly released table that shipped with the general availability of collaboration protection for Teams, to detect malicious Teams content:

    MessageEvents
    | where Timestamp > ago(1d)
    // ThreatTypes holds the verdict(s) Defender for Office 365 assigned to the message
    | where ThreatTypes has_any ("Phish", "Malware", "Spam")
    | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId

 

  • Use MessageEvents to detect bi-directional communication with external "Help Desk" or "IT Support" representatives:

    MessageEvents
    | where Timestamp > ago(5d)
    // substring matches on the recipient details are deliberately loose; note that
    // contains "it" also matches names such as "Smith", so expect noise and tune before saving as a rule
    | where (RecipientDetails contains "help" and RecipientDetails contains "desk")
        or (RecipientDetails contains "it" and RecipientDetails contains "support")
        or (RecipientDetails contains "working" and RecipientDetails contains "home")
    // only threads that include a participant from outside the tenant
    | where IsExternalThread == true
    // ReportId is required alongside Timestamp when this is saved as a custom detection rule
    | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, ReportId

 

  • Use IdentityLogonEvents to detect password spray attempts:

    IdentityLogonEvents
    | where Timestamp > ago(5d)
    // the two failure codes a spray produces: guessed users that do not exist, and wrong passwords
    | where LogonError in ("UserAccountNotFound", "BadPassword")
    // one row per source IP and 5-minute window; take_any keeps a ReportId so the query can be saved as a custom detection rule
    | summarize FailedAttempts = count(), UniqueUsers = dcount(AccountUpn), UserList = make_set(AccountUpn, 10), ReportId = take_any(ReportId) by IPAddress, bin(Timestamp, 5m)
    // without a threshold every failed logon would match; 5 distinct accounts per window is a starting point to tune
    | where UniqueUsers >= 5
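The spray query above is a grouping problem: failed logons bucketed by source IP and 5-minute window, flagged when one IP fails against many distinct accounts. The following is an added example, not code from this blog or from Defender, that implements the same logic in Python over constructed logon records shaped like the IdentityLogonEvents columns the query uses, so the threshold behaviour can be seen on data with a known answer. The sample records, IP addresses and the distinct-user threshold are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed logon records (not real telemetry) with the IdentityLogonEvents
# columns the KQL uses: Timestamp, AccountUpn, IPAddress, LogonError.
T0 = datetime(2025, 7, 31, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOGONS = [
    # spray from 203.0.113.7: one failure per account, 12 accounts, within 4 minutes
    *[
        {"Timestamp": T0 + timedelta(seconds=20 * i),
         "AccountUpn": f"user{i:02d}@contoso.example",
         "IPAddress": "203.0.113.7",
         "LogonError": "BadPassword" if i % 4 else "UserAccountNotFound"}
        for i in range(12)
    ],
    # one user mistyping a password twice from the office, then succeeding: must not fire
    {"Timestamp": T0 + timedelta(minutes=1), "AccountUpn": "alice@contoso.example",
     "IPAddress": "198.51.100.10", "LogonError": "BadPassword"},
    {"Timestamp": T0 + timedelta(minutes=2), "AccountUpn": "alice@contoso.example",
     "IPAddress": "198.51.100.10", "LogonError": "BadPassword"},
    {"Timestamp": T0 + timedelta(minutes=3), "AccountUpn": "alice@contoso.example",
     "IPAddress": "198.51.100.10", "LogonError": ""},  # success, no error code
]

# The same two failure codes the KQL filters on.
SPRAY_ERRORS = {"UserAccountNotFound", "BadPassword"}


def bin_start(ts: datetime, minutes: int = 5) -> datetime:
    """Floor a timestamp to the start of its bin, like KQL bin(Timestamp, 5m)."""
    secs = minutes * 60
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % secs, tz=timezone.utc)


def detect_password_spray(events, min_users: int = 5, bin_minutes: int = 5,
                          user_list_cap: int = 10):
    """Group failed logons by (IPAddress, time bin) and return the bins in which one
    source IP failed against at least `min_users` distinct accounts.

    Mirrors the KQL summarize (count, dcount, make_set capped at 10); the
    min_users threshold is an assumed starting point to tune per tenant.
    """
    groups = defaultdict(lambda: {"FailedAttempts": 0, "Users": set()})
    for ev in events:
        if ev["LogonError"] not in SPRAY_ERRORS:
            continue
        key = (ev["IPAddress"], bin_start(ev["Timestamp"], bin_minutes))
        groups[key]["FailedAttempts"] += 1
        groups[key]["Users"].add(ev["AccountUpn"])

    hits = []
    for (ip, start), g in sorted(groups.items()):
        if len(g["Users"]) >= min_users:
            hits.append({
                "IPAddress": ip,
                "BinStart": start,
                "FailedAttempts": g["FailedAttempts"],
                "UniqueUsers": len(g["Users"]),
                "UserList": sorted(g["Users"])[:user_list_cap],  # like make_set(x, 10)
            })
    return hits


if __name__ == "__main__":
    for hit in detect_password_spray(SAMPLE_LOGONS):
        print(hit["IPAddress"], hit["BinStart"].isoformat(),
              hit["FailedAttempts"], "failures across", hit["UniqueUsers"], "users")
```

On the sample data only the 203.0.113.7 window is returned (12 failures across 12 accounts); the two mistyped passwords from 198.51.100.10 involve a single account and stay below the threshold, which is exactly the distinction a rule without a distinct-user threshold cannot make.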

Additional detection and response strategies include:

  • Monitor for news mentions of your organization and create detection rules for related message subjects.
  • Track impersonation attempts of key personnel (e.g., CIO, IT support), especially if they are on social media or are publicized.
  • Investigate unusual IP addresses or abnormal activity involving targeted individuals.
  • Configure automatic remediation actions in the custom detection rule to detect and remediate potential threats without manual intervention.

You can also block these external calls and chats in Teams by using the Teams external access (federation) controls to block interaction with trial tenants.

These queries help defenders pivot from one IOC to another, uncovering the full scope of hybrid campaigns. Microsoft Sentinel can also be used to search, store, and share IOCs. More information about this offering is available at Threat intelligence - Microsoft Sentinel | Microsoft Learn.

Conclusion

Multi-modal attacks are complex, but with the right tools, defenders are equipped to detect, correlate, and respond across modalities. By combining built-in detections with hunting strategies, organizations can stay ahead of evolving threats and protect their users from distraction-based deception.

Note: The above alerts are available for customers with Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps licenses. These updates are gradually rolling out to all customers worldwide.


Updated Aug 01, 2025
Version 4.0