Adversaries may use malicious URLs embedded in Teams messages to deliver payloads or exfiltrate data, leveraging the trusted communication channel of Microsoft Teams. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control or data exfiltration activities early.
KQL Query
// This query helps review malicious Teams message detections by URL detection method.
// DetectionMethods is a JSON string; parse it so the Phish and Malware method arrays can be inspected.
MessageEvents
| where isnotempty(DetectionMethods)
| extend MDO_detection = parse_json(DetectionMethods)
| summarize TotalMessageCount = count(),
    Phish_detection = countif(isnotempty(MDO_detection.Phish)),
    Malware_detection = countif(isnotempty(MDO_detection.Malware)),
    URL_malicious_reputation = countif(MDO_detection.Phish == @'["URL malicious reputation"]' or MDO_detection.Malware == @'["URL malicious reputation"]'),
    URL_detonation_reputation = countif(MDO_detection.Phish == @'["URL detonation reputation"]' or MDO_detection.Malware == @'["URL detonation reputation"]')
    by bin(Timestamp, 1d)
// TotalMessageCount is computed above but intentionally left out of the chart.
| project Timestamp, Phish_detection, Malware_detection, URL_malicious_reputation, URL_detonation_reputation
| render timechart
id: 97c8d961-add7-4b58-80ef-75cc40d9d919
name: Malicious Teams messages by URL detection methods
description: |
  This query helps review malicious Teams message detections by URL detection method.
description-detailed: |
  This query helps review malicious Teams message detections by URL detection method.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  // This query helps review malicious Teams message detections by URL detection method.
  // DetectionMethods is a JSON string; parse it so the Phish and Malware method arrays can be inspected.
  MessageEvents
  | where isnotempty(DetectionMethods)
  | extend MDO_detection = parse_json(DetectionMethods)
  | summarize TotalMessageCount = count(),
      Phish_detection = countif(isnotempty(MDO_detection.Phish)),
      Malware_detection = countif(isnotempty(MDO_detection.Malware)),
      URL_malicious_reputation = countif(MDO_detection.Phish == @'["URL malicious reputation"]' or MDO_detection.Malware == @'["URL malicious reputation"]'),
      URL_detonation_reputation = countif(MDO_detection.Phish == @'["URL detonation reputation"]' or MDO_detection.Malware == @'["URL detonation reputation"]')
      by bin(Timestamp, 1d)
  // TotalMessageCount is computed above but intentionally left out of the chart.
  | project Timestamp, Phish_detection, Malware_detection, URL_malicious_reputation, URL_detonation_reputation
  | render timechart
version: 1.0.0
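The timechart above only counts messages per day. The following KQL is an added drill-down example, not part of the original hunting query or the Sentinel repository: it lists the individual Teams messages behind those counts, treats a message as URL-based if either method array contains a URL method (the original compares the whole array, so a message with several methods is not counted), joins the URLs each message carried, and applies the sender and URL allowlists described in the false-positive scenarios below. It assumes the MessageEvents columns SenderEmailAddress, TeamsMessageId and IsExternalThread and the MessageUrlInfo table (TeamsMessageId, Url); the sender addresses and the URL pattern are constructed placeholders to be replaced with your own.

```kusto
// Added drill-down example; the allowlists are constructed placeholders, not real tuning data.
let lookback = 7d;
let url_methods = dynamic(["URL malicious reputation", "URL detonation reputation"]);
// Service accounts from the backup-job and CI/CD scenarios (placeholders).
let allowlisted_senders = dynamic(["backup-svc@example.com", "cicd-bot@example.com"]);
// Internal documentation, artifact and tool hosts from the scenarios (placeholder pattern).
let internal_url_pattern = @"^https://(internal-docs|artifacts|internal-tool)\.example\.com/";
MessageEvents
| where Timestamp > ago(lookback)
| where isnotempty(DetectionMethods)
| extend MDO_detection = parse_json(DetectionMethods)
// Flatten the Phish and Malware method arrays into one list per message.
| extend AllMethods = array_concat(
    iff(isnotempty(MDO_detection.Phish), MDO_detection.Phish, dynamic([])),
    iff(isnotempty(MDO_detection.Malware), MDO_detection.Malware, dynamic([])))
// Keep a message if any of its methods is URL-based, not only single-element arrays.
| extend UrlMethods = set_intersect(AllMethods, url_methods)
| where array_length(UrlMethods) > 0
// Scenario exclusions: known automation senders.
| where SenderEmailAddress !in~ (allowlisted_senders)
// Attach the URLs carried by each flagged message.
| join kind=leftouter (
    MessageUrlInfo
    | where Timestamp > ago(lookback)
    | project TeamsMessageId, Url
  ) on TeamsMessageId
// Scenario exclusions: links to known internal tools, docs and artifact stores.
| where isempty(Url) or not(Url matches regex internal_url_pattern)
| project Timestamp, TeamsMessageId, SenderEmailAddress, IsExternalThread, UrlMethods, Url
| order by Timestamp desc
```

Compare the row count of this result with the daily counts from the timechart: a gap shows how many messages the exact-array comparison misses, and the allowlists can be widened or narrowed from the rows that remain.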
Scenario: Scheduled Backup Job Sends Internal Link
Description: A scheduled backup job sends a Teams message with a URL to an internal file share (e.g., \\fileserver\backup\2024-10-05).
Filter/Exclusion: Exclude messages sent by the backup service account or from the backup scheduled job using the source_user or job_name field.
Scenario: Admin Sends Link to Internal Documentation
Description: An admin sends a Teams message with a URL to an internal documentation site (e.g., https://internal-docs.example.com/faq) to inform users.
Filter/Exclusion: Exclude messages sent by admin users (e.g., user_principal_name like admin@domain.com) or from the admin-communication group.
Scenario: Automated CI/CD Pipeline Notifies Team of Deployment
Description: A CI/CD pipeline (e.g., Azure DevOps, Jenkins) sends a Teams message with a URL to a deployment artifact (e.g., https://artifacts.example.com/deployments/12345).
Filter/Exclusion: Exclude messages from the CI/CD service account or those containing URLs matching a known artifact URL pattern using a regex filter.
Scenario: User Shares a Link to a Legitimate Internal Tool
Description: A user shares a Teams message with a URL to a legitimate internal tool (e.g., https://internal-tool.example.com/login) for onboarding.
Filter/Exclusion: Exclude messages containing URLs that match a predefined list of internal tools using a url field regex exclusion.
Scenario: System Alert Sends Link to Internal Support Portal
Description: A system alert (e.g., from Microsoft Endpoint Manager or Azure Monitor) sends a Teams message with a URL to