M365 Teams Rogue Help Desk Chat Created

Elastic Detection Rules

Summary
Technical summary: This rule detects a one-on-one Microsoft Teams chat created by a user from a foreign (external) tenant where the sender's or participants' display name, member profile, or email local-part resembles IT help desk or Microsoft security staff. Adversaries abuse cross-tenant external access to impersonate support personnel and socially engineer victims into granting remote access or disclosing credentials.

The detection uses Microsoft 365 Audit Logs (o365.audit) from the logs-o365.audit-* index and triggers on a ChatCreated event with event.provider set to MicrosoftTeams, event.outcome set to success, and CommunicationType set to OneOnOne. It further requires that no internal or guest-only participants are present and that foreign-tenant users are present (HasForeignTenantUsers = true). The rule then matches impersonation signals in o365.audit.Members.DisplayName (e.g., "Help Desk", "IT Help Desk", "Microsoft Security"), as well as user.email and user.name patterns containing helpdesk/itsupport-style aliases.

The query supports correlation with follow-on activity such as MessageSent and CallParticipantDetail events associated with the same ChatThreadId or CallId, enabling analysts to trace potential vishing, Quick Assist abuse, or remote-access tool delivery.

The design maps to MITRE ATT&CK TA0001 (Initial Access) with T1566.003 (Spearphishing via Service) as the primary technique, reflecting social engineering conducted through legitimate collaboration channels rather than traditional phishing. Investigation fields include timestamps, user identifiers, member listings, chat thread identifiers, and participant information to facilitate triage and cross-event correlation.
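The rule logic summarised above, applied to constructed audit events as an added Python example (not the Elastic rule's own query). The flattened field paths, the participant flags (HasForeignTenantUsers, HasGuestUsers) and the regular expressions are assumptions modelled on the fields the summary names, not copied from the shipped rule.

```python
import re

# Field names are flattened versions of those the rule summary lists; the exact paths
# and the participant flags (HasForeignTenantUsers, HasGuestUsers) are assumptions here.
DISPLAY_NAME_RE = re.compile(
    r"help\s*desk|it\s*(help|support)|microsoft\s*(security|support)|service\s*desk", re.I)
ALIAS_RE = re.compile(r"help[-_.]?desk|it[-_.]?support|service[-_.]?desk", re.I)


def is_rogue_help_desk_chat(event: dict) -> bool:
    """Apply the rule's conditions, as summarised above, to one flattened audit event."""
    if event.get("event.action") != "ChatCreated":
        return False
    if event.get("event.provider") != "MicrosoftTeams" or event.get("event.outcome") != "success":
        return False
    if event.get("o365.audit.CommunicationType") != "OneOnOne":
        return False
    # Foreign-tenant participants must be present and no guest-only participants.
    if not event.get("o365.audit.HasForeignTenantUsers") or event.get("o365.audit.HasGuestUsers"):
        return False
    # Impersonation signal: member display names, or the sender's email local-part / user name.
    if any(DISPLAY_NAME_RE.search(n) for n in event.get("o365.audit.Members.DisplayName", [])):
        return True
    local_part = event.get("user.email", "").split("@", 1)[0]
    return bool(ALIAS_RE.search(local_part) or ALIAS_RE.search(event.get("user.name", "")))


# Constructed sample events (not real audit data).
ROGUE_CHAT = {
    "event.action": "ChatCreated", "event.provider": "MicrosoftTeams", "event.outcome": "success",
    "o365.audit.CommunicationType": "OneOnOne", "o365.audit.HasForeignTenantUsers": True,
    "o365.audit.HasGuestUsers": False,
    "o365.audit.Members.DisplayName": ["IT Help Desk", "Alice Example"],
    "user.email": "it.support@attacker-tenant.example", "user.name": "it.support",
    "o365.audit.ChatThreadId": "19:constructed-thread-id@unq.gbl.spaces",
}
EXTERNAL_BENIGN_CHAT = {**ROGUE_CHAT, "o365.audit.Members.DisplayName": ["Bob Partner", "Alice Example"],
                        "user.email": "bob@partner.example", "user.name": "bob"}
INTERNAL_CHAT = {**ROGUE_CHAT, "o365.audit.HasForeignTenantUsers": False}
GROUP_CHAT = {**ROGUE_CHAT, "o365.audit.CommunicationType": "GroupChat"}


def triage(events: list) -> list:
    """Return ChatThreadIds of matching events: the pivot for MessageSent / CallParticipantDetail."""
    return [e["o365.audit.ChatThreadId"] for e in events if is_rogue_help_desk_chat(e)]
```

The returned ChatThreadId values are the keys an analyst would use to pull the follow-on MessageSent and CallParticipantDetail events for the same conversation.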
Categories
  • Cloud
  • Application
Data Sources
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1566
  • T1566.003
Created: 2026-06-22