Adversaries may deliver the same malicious URL through both a Teams message and an email, whether to exfiltrate data or to deliver malicious payloads. When Microsoft Defender for Office 365 ZAPs (Zero-hour auto purge) the Teams message, an email carrying the identical URL is a strong indicator that the same campaign also reached the mailbox. SOC teams should proactively hunt for this pairing in Azure Sentinel to identify potential phishing or data exfiltration attempts that leverage Teams messaging channels.
KQL Query

```kql
//This query provides insights on Teams messages ZAPed with the same malicious URLs in Email messages
// Start from post-delivery actions (such as ZAP) taken on Teams messages
MessagePostDeliveryEvents
// Pull in the URLs contained in those Teams messages
| join MessageUrlInfo on TeamsMessageId
// Match each URL against URLs observed in email
| join EmailUrlInfo on Url
// Enrich with the sender/recipient details of the matching email
| join EmailEvents on NetworkMessageId
```
```yaml
id: 5a34a9c3-041b-46bf-b035-bb17e7ff0be6
name: Teams message ZAPed with the same URL in Email
description: |
  This query helps hunt for Teams messages that have been ZAPed with the same URL in Email.
description-detailed: |
  This query helps hunt for Teams messages that have been ZAPed with the same URL in Email, using Microsoft Defender for Office 365 and Advanced hunting in Microsoft Defender XDR
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessagePostDeliveryEvents
      - MessageUrlInfo
      - EmailUrlInfo
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //This query provides insights on Teams messages ZAPed with the same malicious URLs in Email messages
  // Start from post-delivery actions (such as ZAP) taken on Teams messages
  MessagePostDeliveryEvents
  // Pull in the URLs contained in those Teams messages
  | join MessageUrlInfo on TeamsMessageId
  // Match each URL against URLs observed in email
  | join EmailUrlInfo on Url
  // Enrich with the sender/recipient details of the matching email
  | join EmailEvents on NetworkMessageId
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| EmailUrlInfo | Ensure this data connector is enabled |
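The following added example (not part of the original query or the Sentinel content) models the four-table correlation in plain Python over constructed sample records, and applies the kind of exclusions the false-positive scenarios below describe (internal SharePoint domains, known automation senders). The record layouts and the column names `TeamsMessageId`, `Url`, `NetworkMessageId` and `SenderFromAddress` are simplified stand-ins for the advanced-hunting schema, not an exact copy of it.

```python
# Added example: simulates the KQL join chain over constructed records and
# then removes the documented benign cases. Column names are simplified
# stand-ins for the advanced-hunting tables, not the exact schema.
from urllib.parse import urlparse

# Constructed sample data standing in for the four tables in the query.
MESSAGE_POST_DELIVERY_EVENTS = [  # Teams messages that received a post-delivery action
    {"TeamsMessageId": "tm-1"}, {"TeamsMessageId": "tm-2"}, {"TeamsMessageId": "tm-3"},
]
MESSAGE_URL_INFO = [
    {"TeamsMessageId": "tm-1", "Url": "https://login-example.invalid/verify"},
    {"TeamsMessageId": "tm-2", "Url": "https://company.sharepoint.com/sites/proj/doc.docx"},
    {"TeamsMessageId": "tm-3", "Url": "https://build-status.invalid/run?test=123"},
]
EMAIL_URL_INFO = [
    {"NetworkMessageId": "nm-A", "Url": "https://login-example.invalid/verify"},
    {"NetworkMessageId": "nm-B", "Url": "https://company.sharepoint.com/sites/proj/doc.docx"},
    {"NetworkMessageId": "nm-C", "Url": "https://build-status.invalid/run?test=123"},
]
EMAIL_EVENTS = [
    {"NetworkMessageId": "nm-A", "SenderFromAddress": "ceo@lookalike.invalid"},
    {"NetworkMessageId": "nm-B", "SenderFromAddress": "alice@company.com"},
    {"NetworkMessageId": "nm-C", "SenderFromAddress": "azuredevops@company.com"},
]

# Exclusions drawn from the false-positive scenarios (hypothetical values).
INTERNAL_DOMAINS = {"company.sharepoint.com", "intranet.company.com"}
AUTOMATION_SENDERS = {"azuredevops@company.com"}


def hunt(post_delivery, msg_urls, email_urls, email_events,
         internal_domains=frozenset(), automation_senders=frozenset()):
    """Return (TeamsMessageId, NetworkMessageId, Url, sender) for every ZAPed
    Teams URL that also appears in an email, minus the excluded benign cases."""
    zapped = {e["TeamsMessageId"] for e in post_delivery}          # join on TeamsMessageId
    url_to_emails = {}                                              # join on Url
    for row in email_urls:
        url_to_emails.setdefault(row["Url"], []).append(row["NetworkMessageId"])
    email_by_id = {e["NetworkMessageId"]: e for e in email_events}  # join on NetworkMessageId
    hits = []
    for row in msg_urls:
        if row["TeamsMessageId"] not in zapped:
            continue
        url = row["Url"]
        if urlparse(url).hostname in internal_domains:             # internal collaboration links
            continue
        for nmid in url_to_emails.get(url, []):
            email = email_by_id.get(nmid)
            if email is None or email["SenderFromAddress"] in automation_senders:  # CI/CD webhooks
                continue
            hits.append((row["TeamsMessageId"], nmid, url, email["SenderFromAddress"]))
    return hits
```

Calling `hunt` without the exclusion sets reproduces the raw join (all three correlations); passing `INTERNAL_DOMAINS` and `AUTOMATION_SENDERS` leaves only the lookalike-sender phishing URL.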
Scenario: Scheduled Email Reports with Embedded URLs
Description: A scheduled job sends daily email reports to administrators, and these emails include links to internal dashboards or documentation.
Filter/Exclusion: Exclude emails sent by the Microsoft 365 Admin Center or Power Automate workflows that are known to generate scheduled reports. Use the sender_email field to filter out known admin email addresses.
Scenario: Internal Collaboration with Shared Links
Description: Team members share the same internal document link via Teams messages for collaboration purposes, such as during a project review.
Filter/Exclusion: Exclude messages where the URL is part of a shared document or folder in OneDrive or SharePoint. Use the url_domain field to filter out internal domains like company.sharepoint.com.
Scenario: Automated Testing with URL Parameters
Description: A CI/CD pipeline or test automation tool sends messages to a Teams channel with URLs that include dynamic parameters (e.g., ?test=123) for testing purposes.
Filter/Exclusion: Exclude messages sent by Azure DevOps or Jenkins webhooks. Use the message_sender field to identify and exclude known automation tools or service accounts.
Scenario: Email to Teams Integration with Duplicate Links
Description: An email-to-Teams integration sends the same URL multiple times in a single message, such as when forwarding an email with a link.
Filter/Exclusion: Exclude messages where the URL is part of an email-to-Teams integration. Use the message_source field to identify messages originating from Exchange Online or Outlook Web App.
Scenario: User-Generated Content with Common URLs
Description: Users frequently mention common internal URLs (e.g., intranet.company.com) in Teams