Adversaries may use malicious URLs embedded in Teams messages to deliver payloads. Matching the URLs seen in Teams messages against an external threat intelligence feed surfaces delivery attempts that traditional detection can miss, so SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate compromise arriving through this communication channel.
KQL Query
```kusto
// This query helps hunt for Teams messages with malicious URLs based on an external IOC source
let url = (externaldata(url: string)
    [@"https://urlhaus.abuse.ch/downloads/text_online/"]
    with (format="txt"))
    | project url;
url
| join (MessageUrlInfo
    | where Timestamp > ago(14d)
) on $left.url == $right.Url
| join MessageEvents on TeamsMessageId
//| join UrlClickEvents on Url
| project Timestamp, TeamsMessageId, Url, UrlDomain, SenderEmailAddress, SenderDisplayName, RecipientDetails, ThreatTypes, DetectionMethods, DeliveryAction, IsExternalThread, IsOwnedThread //, AccountUpn, ActionType, AppName, AppVersion, Workload
```
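The join above is an exact string comparison between each feed line and the message URL, so a URL that differs only in host case, a trailing slash or a fragment would not match. The following Python is an added example (not part of this query or the Sentinel repository) that parses a constructed URLhaus-style text feed, normalises both sides before matching, and applies the sender/domain exclusions from the false-positive scenarios on this page; all feed lines, message rows and addresses are constructed sample data.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the URLhaus text_online feed (not real data): comment lines
# start with "#", then one URL per line. externaldata() with format="txt" ingests every
# line, comments included, as a "url" row; comment rows simply never match a message URL.
FEED_TEXT = """\
# URLhaus text_online sample (constructed)
http://malicious.example.net/loader/update.exe
HTTP://Bad.Example.Org/docs/invoice.php/
"""

# Constructed rows standing in for MessageUrlInfo joined to MessageEvents on TeamsMessageId.
MESSAGES = [
    {"TeamsMessageId": "m1", "Url": "http://malicious.example.net/loader/update.exe",
     "UrlDomain": "malicious.example.net", "SenderEmailAddress": "guest@partner.example"},
    {"TeamsMessageId": "m2", "Url": "http://bad.example.org/docs/invoice.php",
     "UrlDomain": "bad.example.org", "SenderEmailAddress": "guest@partner.example"},
    {"TeamsMessageId": "m3", "Url": "http://malicious.example.net/loader/update.exe",
     "UrlDomain": "malicious.example.net", "SenderEmailAddress": "secops@company.example"},
    {"TeamsMessageId": "m4", "Url": "https://intranet.company.example/wiki",
     "UrlDomain": "intranet.company.example", "SenderEmailAddress": "alice@company.example"},
]

def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop fragment and trailing slash. The KQL join is an
    exact string comparison, so a message URL differing only in these would be missed."""
    p = urlsplit(url.strip())
    path = p.path.rstrip("/") or "/"
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, p.query, ""))

def parse_urlhaus_feed(text: str) -> set:
    """Return the normalised IOC URLs from the feed, skipping comment and blank lines."""
    return {normalize_url(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def hunt(iocs: set, messages, excluded_senders=(), excluded_domains=()):
    """Mirror the query's join, then apply the sender/domain exclusions from the
    false-positive scenarios; return the TeamsMessageIds that remain."""
    hits = []
    for m in messages:
        if normalize_url(m["Url"]) not in iocs:
            continue  # URL not in the external IOC set
        if m["SenderEmailAddress"] in excluded_senders or m["UrlDomain"] in excluded_domains:
            continue  # known benign sender or domain
        hits.append(m["TeamsMessageId"])
    return hits

if __name__ == "__main__":
    print(hunt(parse_urlhaus_feed(FEED_TEXT), MESSAGES,
               excluded_senders={"secops@company.example"}))  # ['m1', 'm2']
```

Message m2 is only found because of the normalisation; the exact-match KQL join would miss it, which is worth keeping in mind when tuning the query.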
```yaml
id: 4dcb872f-9b39-4b95-8f30-3664f9f70dc2
name: Hunt for malicious messages using External Threat Intelligence
description: |
  This query helps hunt for Teams messages with malicious URLs based on an external Threat Intelligence source
description-detailed: |
  This query helps hunt for Teams messages with malicious URLs based on an external Threat Intelligence source using Microsoft Defender for Office 365 and Advanced hunting in Microsoft Defender XDR
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageUrlInfo
      - MessageEvents
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // This query helps hunt for Teams messages with malicious URLs based on an external IOC source
  let url = (externaldata(url: string)
      [@"https://urlhaus.abuse.ch/downloads/text_online/"]
      with (format="txt"))
      | project url;
  url
  | join (MessageUrlInfo
      | where Timestamp > ago(14d)
  ) on $left.url == $right.Url
  | join MessageEvents on TeamsMessageId
  //| join UrlClickEvents on Url
  | project Timestamp, TeamsMessageId, Url, UrlDomain, SenderEmailAddress, SenderDisplayName, RecipientDetails, ThreatTypes, DetectionMethods, DeliveryAction, IsExternalThread, IsOwnedThread //, AccountUpn, ActionType, AppName, AppVersion, Workload
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate URL Shortening in Marketing Campaigns
Description: A marketing team uses a URL shortener like Bitly to track clicks on promotional links in Teams messages.
Filter/Exclusion: Exclude URLs that originate from known marketing shorteners (e.g., bit.ly, tinyurl.com) or use a custom domain registered by the company’s marketing department.
Example Filter: | where UrlDomain !in ('bit.ly', 'tinyurl.com', 'custom.marketing.domain')
Scenario: Internal Threat Intelligence Sharing
Description: The security team shares internal threat intelligence via Teams, including URLs from internal threat feeds that are flagged by external TI sources.
Filter/Exclusion: Exclude messages sent from internal security teams or users with the “Security” role.
Example Filter: | where SenderEmailAddress !in ('[email protected]', '[email protected]')
Scenario: Scheduled Job for Compliance Reporting
Description: A scheduled job runs a compliance report that includes links to internal documentation or external compliance resources.
Filter/Exclusion: Exclude URLs that match known compliance or documentation domains (e.g., internal-docs.company.com, compliance.gov).
Example Filter: | where UrlDomain !in ('internal-docs.company.com', 'compliance.gov')
Scenario: User-Generated Content with Embedded Links
Description: Employees share articles or resources with embedded links in Teams, which may be flagged by external TI sources.
Filter/Exclusion: Exclude links that are part of user-generated content from trusted internal sources (e.g., internal knowledge base, company blog).
Example Filter: | where UrlDomain !in ('internal-knowledge-base.company.com', 'company-blog.com')
Scenario: Automated System Notifications with URLs
Description: An automated system (e.g.,