A user clicking a URL in a Microsoft Teams message that Microsoft Defender for Office 365 later removed with zero-hour auto purge (ZAP) is a strong phishing signal: the click happened before the verdict caught up with the message, so the user may already have reached a credential-harvesting page or fetched a payload. Adversaries deliver such links through Teams because chat messages are trusted more readily than email. SOC teams should hunt for this behavior in Azure Sentinel so that an initial-access attempt (MITRE ATT&CK T1566, Phishing) is caught before a phished credential is used for lateral movement or data theft.
KQL Query
//This query provides insights on a potentially malicious URL click in Teams
// MessagePostDeliveryEvents holds post-delivery actions (ZAP) taken on Teams messages,
// MessageUrlInfo maps each TeamsMessageId to the URLs the message carried, and
// UrlClickEvents holds Safe Links click verdicts (Workload == "Teams" selects Teams clicks).
MessagePostDeliveryEvents
| join MessageUrlInfo on TeamsMessageId
| join UrlClickEvents on Url
// Both MessagePostDeliveryEvents and UrlClickEvents have an ActionType column; the join
// renames the right-hand one to ActionType1, so this tests the click verdict, not the ZAP action.
| where Workload == "Teams" and ActionType1=="ClickAllowed"
id: be6ae743-71b5-4cbf-b5f0-e7c99c8bd197
name: Potentially malicious URL click in Teams
description: |
  This query provides insights on a potentially malicious URL click in Teams
description-detailed: |
  This query provides insights on a potentially malicious URL click in Teams where user was allowed to click on a URL in a message which was ZAP-d by Microsoft Defender for Office 365.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessagePostDeliveryEvents
      - MessageUrlInfo
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //This query provides insights on a potentially malicious URL click in Teams
  MessagePostDeliveryEvents
  | join MessageUrlInfo on TeamsMessageId
  | join UrlClickEvents on Url
  | where Workload == "Teams" and ActionType1=="ClickAllowed"
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| MessagePostDeliveryEvents | Post-delivery actions (ZAP) on Teams messages; streamed by the Microsoft Defender XDR connector (connectorId MicrosoftThreatProtection). Ensure this data type is enabled. |
| MessageUrlInfo | URLs extracted from Teams messages, keyed by TeamsMessageId; same connector. Ensure this data type is enabled. |
| UrlClickEvents | Safe Links click events for email, Teams and Office apps (the Workload column tells them apart); same connector. Ensure this data type is enabled. |
Every row this hunt returns is a click on a URL from a message that Defender for Office 365 ZAP-ed, so each exclusion below hides a ZAP verdict; keep the allowlists short, match on the host of the URL rather than on the whole URL string, and review the ThreatTypes and DetectionMethods columns of UrlClickEvents before excluding anything.
Scenario: User clicks on a legitimate internal URL shared during a scheduled maintenance announcement
Filter/Exclusion: Exclude hosts under your internal domain suffixes (e.g., *.internal.corp, *.intranet) with a suffix match on the parsed host, so that a look-alike such as intranet.corp.evil.example is not excluded. An internal URL should not be ZAP-ed at all; if it is, investigate the verdict instead of silently excluding it.
Scenario: Admin clicks on a URL in a Teams message to test a phishing simulation tool
Filter/Exclusion: Exclude the sending and landing domains your phishing-simulation platform actually uses (take them from the vendor's documentation rather than guessing product names) and limit the exclusion to the campaign window.
Scenario: A system administrator clicks on a URL in a Teams message to run a scheduled backup job
Filter/Exclusion: Exclude the backup console's host (e.g., backup-tool.example.com). Do not exclude by role: none of the three tables carries a user role (the closest column is AccountUpn in UrlClickEvents), and excluding administrator accounts removes exactly the accounts an attacker most wants to phish.
Scenario: A user clicks on a URL in a Teams message to access a company-wide knowledge base tool
Filter/Exclusion: Exclude the tool's host (e.g., kb.example.com); if that host also serves other content, narrow the exclusion on the path of the parsed URL (e.g., paths starting with /kb/) rather than a substring match on the whole URL.
Scenario: A user clicks on a URL in a Teams message to access a third-party SaaS application used for project management
Filter/Exclusion: Exclude the application's hosts (e.g., *.atlassian.net for Jira Cloud, *.asana.com). The tables carry no application name or category, so the exclusion has to be a domain list; keep it in one allowlist so it can be reviewed in one place.
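The tuned form of the hunt below is an added example, not the query shipped in the Azure Sentinel repository. It keeps the same three-table join but makes the join kind explicit (the default innerunique flavor deduplicates left-hand keys and can silently drop clicks on a URL that appeared in several messages), adds a lookback window, carries the ZAP action and the Safe Links verdict into the output, and applies the exclusions from the scenarios above as a single allowlist matched on the host of the URL by suffix. Column names follow the Defender XDR advanced hunting schema for these tables; the domains in the allowlist, the Lookback value and the AllowedDomains/AllowedRoots names are placeholders chosen for this example.

```kql
// Added example, not the hunting query shipped with Azure Sentinel.
let Lookback = 7d;
// Hypothetical allowlist of hosts whose clicks you have decided not to hunt on.
// Each entry hides a ZAP verdict, so keep it short and reviewed.
let AllowedDomains = datatable(Domain:string, Reason:string) [
    "kb.example.com",          "knowledge base (internal)",
    "backup-tool.example.com", "backup console (admin use)",
    "intranet.example.com",    "intranet announcements",
    "asana.com",               "project-management SaaS",
    "phishsim.example.net",    "phishing-simulation platform (campaign window only)"
];
let AllowedRoots = toscalar(AllowedDomains | summarize make_list(tolower(Domain)));
MessagePostDeliveryEvents
| where Timestamp > ago(Lookback)
// Keep the ZAP time and action so the analyst can see what Defender decided and when
| project ZapTimestamp = Timestamp, TeamsMessageId, ZapAction = ActionType
// kind=inner: innerunique (the default) would keep one row per TeamsMessageId / Url
| join kind=inner (
    MessageUrlInfo
    | where Timestamp > ago(Lookback)
    | project TeamsMessageId, Url
  ) on TeamsMessageId
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(Lookback)
    // Filter the click table before the join so ActionType is unambiguous here
    | where Workload == "Teams" and ActionType == "ClickAllowed"
    | project ClickTimestamp = Timestamp, Url, AccountUpn, IPAddress,
              IsClickedThrough, ThreatTypes, DetectionMethods
  ) on Url
// Match the allowlist against the parsed host, not the raw URL: a contains() on the
// string would let https://kb.example.com.evil.net/ or a decoy path slip through
| extend UrlHost = tolower(tostring(parse_url(Url).Host))
| extend AllowedRootsCopy = AllowedRoots
// Suffix match: the domain itself or any subdomain, but not kb.example.com.evil.net
| mv-apply Root = AllowedRootsCopy to typeof(string) on (
    summarize AllowMatches = countif(UrlHost == Root or UrlHost endswith strcat(".", Root))
  )
| where AllowMatches == 0
// Positive when the user clicked before ZAP removed the message: the exposure window
| extend ExposureBeforeZap = ZapTimestamp - ClickTimestamp
| project ClickTimestamp, ZapTimestamp, ExposureBeforeZap, AccountUpn, IPAddress,
          UrlHost, Url, ZapAction, ThreatTypes, DetectionMethods, IsClickedThrough,
          TeamsMessageId
| order by ClickTimestamp desc
```

Run it as a hunting query over the same Defender XDR tables the original uses; rows with a positive ExposureBeforeZap and IsClickedThrough set are the ones to triage first, since the user both reached the page and did so before Defender pulled the message.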