This query helps hunt for Teams messages with suspicious URL domains.
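// This query uses MessageUrlInfo to find Teams messages whose URL top-level domain is on a
// short watchlist of frequently abused TLDs (e.g. .xyz). It is plain TLD matching, not a
// reputation lookup, so treat hits as leads to triage rather than verdicts.
// NOTE(review): no sender/external filter is applied here; the MessageUrlInfo columns used
// below carry no sender information, so "external" scoping presumably needs a join on
// TeamsMessageId against the Teams message table — confirm against the schema.
MessageUrlInfo
// Host part of the URL: skip an optional scheme and optional userinfo ("user@"), then stop at
// the first path, query, fragment or port delimiter so "evil.xyz:8080/x" yields "evil.xyz".
// Lower-cased so the projected TLD is consistent across hits.
| extend Domain = tolower(extract(@"^(?:[A-Za-z]+://)?(?:[^/?#@]*@)?([^/?#:]+)", 1, Url))
// Last DNS label is the TLD; an empty Url yields an empty TLD and simply never matches.
| extend TLD = tostring(split(Domain, ".")[-1])
// in~ compares the whole TLD case-insensitively; has_any does term matching and could match
// fragments of a malformed host instead of the TLD itself.
| where TLD in~ ("dev","app","zip","solutions","io","top","xyz")
| project Timestamp,Url,UrlDomain,TLD,TeamsMessageId, ReportId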
id: 3dc84945-5805-4807-80ea-b849d1198e7f
name: Teams messages with suspicious URL domains
description: |
This query helps hunt for Teams messages with suspicious URL domains.
description-detailed: |
This query helps hunt for Teams messages with suspicious URL domains using Microsoft Defender for Office 365 and advanced hunting in Microsoft Defender XDR
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- MessageUrlInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
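// This query uses MessageUrlInfo to find Teams messages whose URL top-level domain is on a
// short watchlist of frequently abused TLDs (e.g. .xyz). It is plain TLD matching, not a
// reputation lookup, so treat hits as leads to triage rather than verdicts.
// NOTE(review): no sender/external filter is applied here; the MessageUrlInfo columns used
// below carry no sender information, so "external" scoping presumably needs a join on
// TeamsMessageId against the Teams message table — confirm against the schema.
MessageUrlInfo
// Host part of the URL: skip an optional scheme and optional userinfo ("user@"), then stop at
// the first path, query, fragment or port delimiter so "evil.xyz:8080/x" yields "evil.xyz".
// Lower-cased so the projected TLD is consistent across hits.
| extend Domain = tolower(extract(@"^(?:[A-Za-z]+://)?(?:[^/?#@]*@)?([^/?#:]+)", 1, Url))
// Last DNS label is the TLD; an empty Url yields an empty TLD and simply never matches.
| extend TLD = tostring(split(Domain, ".")[-1])
// in~ compares the whole TLD case-insensitively; has_any does term matching and could match
// fragments of a malformed host instead of the TLD itself.
| where TLD in~ ("dev","app","zip","solutions","io","top","xyz")
| project Timestamp,Url,UrlDomain,TLD,TeamsMessageId, ReportId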
version: 1.0.0
.dev domains for