Adversaries may embed malicious URLs in Teams messages as a phishing (T1566) lure, relying on users to click the link. SOC teams should hunt for this behaviour proactively to spot a phishing campaign before the first successful click turns into credential theft, lateral movement or data exfiltration. The query below, written for Azure Sentinel against the Microsoft 365 Defender UrlClickEvents table, summarizes Safe Links click events from the Teams workload per URL, so that URLs which were blocked, which users clicked through despite a warning, or whose scan verdict is still pending stand out for triage.
KQL Query
```kql
//Teams URL clicks actions summarized by URLs clicked on
UrlClickEvents
// Restrict to the Teams workload first so the rest of the pipeline only touches relevant rows
| where Workload == "Teams"
// Safe Links verdict on the click; ActionType holds a single value, so an equality test is sufficient
| extend UrlBlocked = ActionType == "ClickBlocked"
| extend UrlAllowed = ActionType == "ClickAllowed"
| extend UrlPendingVerdict = ActionType == "UrlScanInProgress"
| extend ErrorPage = ActionType == "UrlErrorPage"
// One row per URL with a count of each outcome; IsClickedThrough is true when the user bypassed the warning page
| summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by Url
```
```yaml
id: f2031075-0834-4c87-81fe-1e369ffbc277
name: Teams URL clicks actions summarized by URLs clicked on
description: |
  This query visualizes user clicks in Teams summarizing the data by the various URLs and Click actions on them.
description-detailed: |
  This query summarizes Safe Links click events from the Teams workload by URL, counting for each URL how many clicks were blocked, allowed, still pending a scan verdict, landed on an error page, or were clicked through despite a warning.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //Teams URL clicks actions summarized by URLs clicked on
  UrlClickEvents
  | where Workload == "Teams"
  | extend UrlBlocked = ActionType == "ClickBlocked"
  | extend UrlAllowed = ActionType == "ClickAllowed"
  | extend UrlPendingVerdict = ActionType == "UrlScanInProgress"
  | extend ErrorPage = ActionType == "UrlErrorPage"
  | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by Url
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure this data connector is enabled and that Safe Links is applied to Teams, otherwise no click events are recorded |
Scenario: A user clicks on a legitimate internal Teams link to access a shared document in SharePoint.
Filter/Exclusion: Exclude URLs on your own tenant's SharePoint host (e.g., https://<yourtenant>.sharepoint.com/sites/*). Do not exclude *.sharepoint.com as a whole: any tenant, including an attacker-controlled one, can host a lure on that domain.
Scenario: An admin clicks on a Teams link to access the Microsoft 365 Admin Center for routine user management tasks.
Filter/Exclusion: Exclude URLs whose host is the admin portal (e.g., https://admin.microsoft.com/*). Match on the host rather than on a /admin or /admincenter path substring, since a phishing URL can carry any path.
Scenario: A scheduled job or automation tool (e.g., Power Automate) opens a Teams URL to trigger a workflow or data sync.
Filter/Exclusion: UrlClickEvents does not record a user agent or device type, so exclude these events by identity instead: filter out the AccountUpn values of known automation and service accounts.
Scenario: A user clicks on a Teams link to join a meeting that was scheduled via a calendar invite (e.g., Outlook or Teams calendar integration).
Filter/Exclusion: Exclude meeting-join URLs (e.g., https://teams.microsoft.com/l/meetup-join/*).
Scenario: A user clicks on a Teams link to access a Microsoft Teams app or service (e.g., Microsoft Forms, Planner, or Stream).
Filter/Exclusion: Exclude the specific hosts of those services (e.g., https://teams.microsoft.com/*, https://forms.office.com/*) rather than a wildcard such as https://*.microsoft.com/*. Phishing campaigns routinely abuse Microsoft-hosted services (Forms, OneDrive, SharePoint) to host lures, so a broad wildcard hides exactly the clicks you are hunting for. In every scenario, apply the exclusion only to clicks that Safe Links allowed; keep ClickBlocked and clicked-through events on allowlisted hosts visible.
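The following query applies the exclusions from the scenarios above to the page's hunt and orders the result so the riskiest URLs surface first. It is an added example, not the page's own query or a Microsoft-published one. The tenant host contoso.sharepoint.com, the automation identity svc-automation@contoso.com, the list of trusted hosts and the 7-day lookback are assumptions for illustration; replace them with your tenant's values.

```kql
// Added example (not the page's query): Teams Safe Links clicks with
// host-based exclusions applied, riskiest URLs first.
// Assumed values: contoso.sharepoint.com is the tenant's SharePoint host,
// svc-automation@contoso.com is a known automation identity, 7d is the hunt window.
let lookback = 7d;
// Exclusions are keyed on the full host, never on a path substring or a
// wildcard that would also cover attacker-controlled tenants.
let TrustedHosts = dynamic([
    "contoso.sharepoint.com",
    "admin.microsoft.com",
    "teams.microsoft.com",
    "forms.office.com",
    "tasks.office.com",
    "web.microsoftstream.com"
]);
// Service/automation identities (assumed); UrlClickEvents carries no user agent or device type
let AutomationAccounts = dynamic(["svc-automation@contoso.com"]);
UrlClickEvents
| where Timestamp > ago(lookback)
| where Workload == "Teams"
| where AccountUpn !in~ (AutomationAccounts)
| extend UrlHost = tolower(tostring(parse_url(Url).Host)),
         UrlPath = tostring(parse_url(Url).Path)
// Meeting joins (teams.microsoft.com/l/meetup-join/...) are routine noise
| where not(UrlHost == "teams.microsoft.com" and UrlPath startswith "/l/meetup-join/")
// Trusted hosts drop out only when Safe Links allowed the click; blocked or
// clicked-through events on those hosts are deliberately kept
| where not(UrlHost in~ (TrustedHosts) and ActionType == "ClickAllowed")
| summarize
    Blocked        = countif(ActionType in ("ClickBlocked", "ClickBlockedByTenantPolicy")),
    Allowed        = countif(ActionType == "ClickAllowed"),
    PendingVerdict = countif(ActionType == "UrlScanInProgress"),
    Error          = countif(ActionType == "UrlErrorPage"),
    ClickedThrough = countif(IsClickedThrough),
    Clickers       = dcount(AccountUpn),
    Threats        = make_set(ThreatTypes, 10),
    FirstSeen      = min(Timestamp),
    LastSeen       = max(Timestamp)
    by Url, UrlHost
// A URL that users clicked through after a warning, or that was blocked for
// several distinct users, is the strongest signal of an active campaign
| order by ClickedThrough desc, Blocked desc, Clickers desc
```

The summary adds the number of distinct clickers and the Safe Links threat classification per URL, which the page's original query does not carry; a single URL blocked for many distinct users in a short window is the shape of a campaign rather than a stray click, and the FirstSeen/LastSeen pair gives the time range to pivot on in EmailEvents or the Teams message itself.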