Adversaries may deliver phishing payloads through Teams messages that contain URLs listed in the OpenPhish feed, leveraging the platform's trusted communication channels. SOC teams should proactively hunt for this behavior to identify and mitigate potential spear-phishing attacks before they lead to credential compromise or data exfiltration.
KQL Query
// This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious Teams message with a URL from OpenPhish was delivered.
let PhishingURLs = externaldata(url: string)
[
"https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt"
]
with (format="txt"); // CSV and JSON formats are also valid formats if using the premium feeds
MessageUrlInfo
| where Url in (PhishingURLs)
| join MessageEvents on TeamsMessageId
//| where IsOwnedThread==0 and IsExternalThread==1
id: 0d0a865b-7ed4-4e32-8b57-24cbf6b301b9
name: Teams Message with URL listed on OpenPhish
description: |
  This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious Teams message with a URL from OpenPhish was delivered.
description-detailed: |
  This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious Teams message with a URL from OpenPhish was delivered.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageUrlInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious Teams message with a URL from OpenPhish was delivered.
  let PhishingURLs = externaldata(url: string)
  [
  "https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt"
  ]
  with (format="txt"); // CSV and JSON formats are also valid formats if using the premium feeds
  MessageUrlInfo
  | where Url in (PhishingURLs)
  | join MessageEvents on TeamsMessageId
  //| where IsOwnedThread==0 and IsExternalThread==1
version: 1.0.0
Scenario: Scheduled Job Sending Test Messages with OpenPhish URLs
Description: A scheduled job or automated testing tool sends messages to a test group with URLs from OpenPhish as part of a security validation process.
Filter/Exclusion: Exclude messages where the sender is a known test or automation account (e.g., sender_id = "[email protected]" or sender_group = "test-group").
Scenario: Internal Security Team Using OpenPhish URLs for Phishing Simulations
Description: The internal security team uses URLs from OpenPhish as part of a phishing simulation to train employees.
Filter/Exclusion: Exclude messages where the sender is a security team email address (e.g., sender_email = "[email protected]" or sender_role = "security-training").
Scenario: Integration with External Threat Intelligence Tools
Description: A third-party threat intelligence tool (e.g., CrowdStrike, SentinelOne) automatically sends alerts to Microsoft Teams with URLs from OpenPhish as part of its integration.
Filter/Exclusion: Exclude messages where the sender is a known threat intelligence integration account (e.g., sender_id = "[email protected]").
Scenario: Admin Task for URL Monitoring in Teams
Description: An admin manually sends a message to a monitoring group with a URL from OpenPhish to check if the system correctly identifies it.
Filter/Exclusion: Exclude messages where the sender is an admin account (e.g., sender_email = "[email protected]" or sender_role = "admin").
Scenario: Legacy System Sending Legacy URLs to Teams
Description: An outdated system or legacy application sends messages to Teams with URLs from OpenPhish as part of its legacy communication process.
*Filter/Exclusion
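The query above, extended here as an added example (not part of the original rule or of the OpenPhish project) so that the exclusions described in the scenarios become an explicit sender allowlist, and so that a trailing slash or a difference in letter case does not defeat the exact-match comparison against the feed. It assumes MessageEvents exposes a SenderEmailAddress column; the addresses are placeholders to be replaced with the tenant's own test, training, integration and admin accounts.

```kql
// Added example (not the original rule): OpenPhish match with the false-positive
// exclusions folded in. Assumption: MessageEvents has a SenderEmailAddress column.
let PhishingURLs = externaldata(url: string)
[
    "https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt"
]
with (format="txt")
// Normalise the feed the same way the message URLs are normalised below:
// strip surrounding whitespace and trailing slashes, lowercase, drop blanks.
| extend url = tolower(trim_end(@"/+", trim(@"\s+", url)))
| where isnotempty(url)
| distinct url;
// Placeholder allowlist covering the scenarios: test/automation accounts,
// the phishing-simulation sender, TI integration bots and admin monitoring accounts.
let ExcludedSenders = dynamic([
    "teams-test-automation@example.com",
    "security-training@example.com",
    "ti-integration@example.com",
    "teams-admin@example.com"
]);
MessageUrlInfo
| extend NormalisedUrl = tolower(trim_end(@"/+", Url))
| where NormalisedUrl in (PhishingURLs)
| join kind=inner MessageEvents on TeamsMessageId
// Case-insensitive exclusion of the known benign senders.
| where SenderEmailAddress !in~ (ExcludedSenders)
// Optional tightening carried over from the original rule: only threads the tenant
// does not own and that involve external participants.
//| where IsOwnedThread == 0 and IsExternalThread == 1
| project Timestamp, ReportId, TeamsMessageId, SenderEmailAddress, Url, IsOwnedThread, IsExternalThread
```

Timestamp and ReportId are kept in the projection because a Custom Detection Rule requires them; review the allowlist whenever a test or integration account is retired so the exclusion does not outlive its purpose.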