Top malicious URLs clicked by users in Teams

Hunt Hypothesis

Users clicking on top malicious URLs in Teams may indicate phishing or credential compromise attempts, as adversaries often use compromised or deceptive links to exfiltrate data or install malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential breaches early.

KQL Query

//This query shows the top 20 URL's that have a detection associated with it and the most ammount of clicks registered from Microsoft Teams 
UrlClickEvents
| where ThreatTypes !="" and Workload =="Teams"
| summarize count() by Url, ThreatTypes, ActionType, Workload
| project Url, ThreatTypes, ActionType, Workload, ClickCount=count_
| top 20 by ClickCount

Analytic Rule Definition

id: 1676c486-4f27-4c88-b36f-6110a182d6de
name: Top malicious URLs clicked by users in Teams
description: |
  This query helps hunt for top malicious URLs clicked by users in Teams  
description-detailed: |
  This query helps hunt for top malicious URLs clicked by users in Teams using Microsoft Defender for Office 365 and Advance hunting in Microsoft Defender XDR
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //This query shows the top 20 URL's that have a detection associated with it and the most ammount of clicks registered from Microsoft Teams 
  UrlClickEvents
  | where ThreatTypes !="" and Workload =="Teams"
  | summarize count() by Url, ThreatTypes, ActionType, Workload
  | project Url, ThreatTypes, ActionType, Workload, ClickCount=count_
  | top 20 by ClickCount
version: 1.0.0

Required Data Sources

MITRE ATT&CK Context

• Tactic: InitialAccess
• Technique: T1566 — T1566

References

• [Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/Top malicious URLs clicked by users in Teams.yaml)

False Positive Guidance

• Scenario: User clicks on a legitimate internal URL shared via Teams for a scheduled report
  Filter/Exclusion: Exclude URLs that match internal domain patterns (e.g., *.internal.company.com) using a regex or IP address filter in the detection logic.

• Scenario: Admin shares a phishing test link via Teams to simulate user awareness training
  Filter/Exclusion: Exclude URLs containing known phishing test domains (e.g., phishingtest.example.com) by adding them to a whitelist or using a custom list in the detection rule.

• Scenario: A user clicks on a link to a cloud storage service (e.g., OneDrive) to access a shared file
  Filter/Exclusion: Exclude URLs that include cloud storage service domains (e.g., onedrive.com, microsoft.com) using a domain-based filter or by checking the URL path for known file-sharing patterns.

• Scenario: A user clicks on a link to a third-party service (e.g., Jira or ServiceNow) for work purposes
  Filter/Exclusion: Exclude URLs that belong to known business tools (e.g., jira.example.com, servicenow.com) by adding them to a whitelist or using a domain-based exclusion list.

• Scenario: A user clicks on a link to a company’s internal portal for access to HR or IT services
  Filter/Exclusion: Exclude URLs that match internal portal domains (e.g., portal.company.com, hr.company.com) using a regex or IP address filter in the detection logic.