Adversaries may embed malicious URLs in Teams messages to deliver malicious payloads or exfiltrate data. When the security controls block the click, the attempt is still recorded (ActionType "ClickBlocked" in UrlClickEvents), so SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify phishing or malware delivery attempts.
KQL Query
```kusto
// This query visualizes the daily amount of blocked URL clicks performed by users on URLs in Teams messages, summarizing the data by Teams app name.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
UrlClickEvents
| where Timestamp >= TimeStart
| where ActionType == "ClickBlocked" and Workload == "Teams"
| make-series TeamsBlockedClicks = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d by AppName
| render timechart
```
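The timechart above only visualizes the trend; a hunter usually also wants the days on which blocked Teams clicks deviate from their baseline. The query below is an added example, not part of the original hunting query, that keeps the same make-series step and feeds it into series_decompose_anomalies so anomalous days per app are listed instead of charted. The threshold of 2.5 is an assumed starting value to tune per tenant.

```kusto
// Added example (not the original query): flag days whose blocked-click count
// deviates from the seasonal baseline for each Teams app.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
UrlClickEvents
| where Timestamp >= TimeStart
| where ActionType == "ClickBlocked" and Workload == "Teams"
| make-series TeamsBlockedClicks = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d by AppName
// series_decompose_anomalies returns a flag (-1, 0, 1), an anomaly score and the
// expected baseline for every point of the series; 2.5 is an assumed threshold.
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(TeamsBlockedClicks, 2.5)
// Expand the arrays back into one row per day so individual days can be triaged.
| mv-expand Timestamp to typeof(datetime), TeamsBlockedClicks to typeof(long), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(double)
// Keep only positive anomalies: more blocked clicks than expected for that app.
| where Anomalies > 0
| project Timestamp, AppName, TeamsBlockedClicks, Baseline, Score
| order by Score desc
```

Days that surface here are the ones to pivot on with the detail query (Url, AccountUpn) rather than investigating the whole 30-day window.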
```yaml
id: 6d740b56-08b9-441c-ba12-32621225408d
name: Teams blocked URL clicks daily trend
description: |
  This query visualizes the daily amount of blocked URL clicks performed by users on URLs in Teams messages.
description-detailed: |
  This query visualizes the daily amount of blocked URL clicks performed by users on URLs in Teams messages, summarizing the data by Teams app name.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // This query visualizes the daily amount of blocked URL clicks performed by users on URLs in Teams messages, summarizing the data by Teams app name.
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  UrlClickEvents
  | where Timestamp >= TimeStart
  | where ActionType == "ClickBlocked" and Workload == "Teams"
  | make-series TeamsBlockedClicks = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d by AppName
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
- **Scenario:** Scheduled Job Testing Blocked URLs
  - **Description:** A system administrator runs a scheduled job to test how the security gateway handles known blocked URLs, simulating user clicks for validation purposes.
  - **Filter/Exclusion:** Exclude events where the source is a known test system or job name, e.g., source: "SecurityTestScheduler" or job_name: "URLTestingJob".
- **Scenario:** User Clicking on Internal Training Links
  - **Description:** Users click on internal training links shared via Teams messages, which are mistakenly flagged as blocked URLs due to a misconfigured URL filtering policy.
  - **Filter/Exclusion:** Exclude URLs that match internal training domains, e.g., url contains "training.example.com" or url contains "learn.example.com".
- **Scenario:** Admin Performing Compliance Check via Teams
  - **Description:** An admin clicks on a URL in a Teams message to access a compliance report or audit log, which is flagged as a blocked URL due to a misconfigured policy.
  - **Filter/Exclusion:** Exclude events where the user is an admin or has a specific role, e.g., user_role: "admin" or user_id: "admin_user_123".
- **Scenario:** Automated Compliance Tool Integration
  - **Description:** An automated compliance tool or SIEM integration sends a test message with a URL to validate integration with Teams, which is then blocked by the security gateway.
  - **Filter/Exclusion:** Exclude events where the message is sent by an integration or service account, e.g., sender: "ComplianceToolIntegration" or integration_id: "compliance_tool_001".
- **Scenario:** User Clicking on Internal Shared Links
  - **Description:** Users click on internal shared links (e.g., shared drives, file storage) within Teams, which are incorrectly flagged as blocked URLs due to a
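The scenarios above describe exclusions in generic field names; in UrlClickEvents the usable columns are Url (for domain-based exclusions) and AccountUpn (the account that clicked). The query below is an added example, not the original hunting query, that applies the training-domain exclusion and a service-account exclusion and then drills down to the clicking accounts and URLs. The domains come from the scenarios on this page; the service-account UPNs are placeholders to replace with the tenant's own. The sender of a Teams message is not recorded in UrlClickEvents, so the integration-account scenario is approximated by the clicking account, and the admin-role exclusion is deliberately not applied, since the table carries no role column and privileged accounts are the clicks most worth reviewing.

```kusto
// Added example (not the original query): tune out the documented false
// positives and drill down from the daily trend to account and URL level.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Internal domains whose links are known to be mis-flagged (values taken from the scenarios above).
let InternalDomains = dynamic(["training.example.com", "learn.example.com"]);
// Service / integration accounts that generate synthetic test clicks (placeholder UPNs, assumed).
let ServiceAccounts = dynamic(["compliance-tool@example.com", "securitytestscheduler@example.com"]);
UrlClickEvents
| where Timestamp >= TimeStart
| where ActionType == "ClickBlocked" and Workload == "Teams"
// parse_url exposes the host so the exclusion matches the domain, not a substring anywhere in the URL.
| extend UrlHost = tostring(parse_url(Url).Host)
| where UrlHost !in (InternalDomains)
// Case-insensitive exclusion of the known service accounts.
| where AccountUpn !in~ (ServiceAccounts)
// One row per day and app, with the distinct users affected and a sample of the blocked URLs.
| summarize BlockedClicks = count(),
            DistinctUsers = dcount(AccountUpn),
            SampleUrls = make_set(Url, 5),
            SampleAccounts = make_set(AccountUpn, 5)
    by Day = bin(Timestamp, 1d), AppName
| order by Day asc, BlockedClicks desc
```

Matching on the parsed host rather than `Url contains` avoids excluding an external URL that merely carries an internal domain name in its path or query string.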