Adversaries may use phishing or malware URLs embedded in Teams messages to gain initial access by luring users into clicking malicious links. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential phishing campaigns and malware distribution attempts early.
KQL Query
// Teams URL click-through actions on Phish or Malware URLs, summarized by URL
UrlClickEvents
| where IsClickedThrough != "0" and Workload == "Teams"
| where ThreatTypes in ("Phish", "Malware")
| summarize by Url, ThreatTypes, IsClickedThrough, ActionType
id: 8ccb7460-16a4-4cff-9ce7-0eaea2c3d480
name: Teams URL clicks through actions on Phish or Malware URLs summarized by URLs
description: |
  This query visualizes clicks through actions on Phish or Malware URLs in Teams, summarizing the data by Urls.
description-detailed: |
  This query visualizes clicks through actions on Phish or Malware URLs in Teams, summarizing the data by Urls.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // Teams URL click-through actions on Phish or Malware URLs, summarized by URL
  UrlClickEvents
  | where IsClickedThrough != "0" and Workload == "Teams"
  | where ThreatTypes in ("Phish", "Malware")
  | summarize by Url, ThreatTypes, IsClickedThrough, ActionType
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Testing
Description: A system administrator is testing a scheduled job that generates temporary URLs for internal use (e.g., for automated report distribution or API testing).
Filter/Exclusion: Exclude URLs containing test, dev, or sandbox in the URL path or query parameters.
Example: url LIKE '%test%' OR url LIKE '%dev%'
Scenario: Admin Task with Internal Redirects
Description: An admin task (e.g., using Microsoft Graph API or PowerShell scripts) is configured to redirect users to internal documentation or support pages via Teams.
Filter/Exclusion: Exclude URLs that match internal domain patterns (e.g., internal.company.com, support.company.com).
Example: url LIKE '%internal.company.com%' OR url LIKE '%support.company.com%'
Scenario: User Clicking on Internal Training Links
Description: A user clicks on a legitimate internal training link shared via Teams, which is part of a company-wide security awareness program.
Filter/Exclusion: Exclude URLs that match known internal training domains (e.g., training.company.com, learn.company.com).
Example: url LIKE '%training.company.com%' OR url LIKE '%learn.company.com%'
Scenario: Automated Reporting Tool Integration
Description: A reporting tool (e.g., Power BI, Azure DevOps, or Power Automate) is configured to send reports via Teams, which includes links to internal dashboards or data sources.
Filter/Exclusion: Exclude URLs that match internal reporting tool domains (e.g., reporting.company.com, powerbi.company.com).
Example: url LIKE '%reporting.company.com%' OR url LIKE '%powerbi.company.com%'
Scenario: User Clicking on Internal Support Portal
*Description
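As an added example (not part of the original query or the Sentinel content), the Python below applies the same filter-and-summarize logic as the KQL to constructed UrlClickEvents rows, and replaces the substring-style exclusions from the scenarios above with an exact-host allowlist (INTERNAL_HOSTS is an assumed set), so a lookalike host that merely contains "training.company.com" is still reported rather than silently excluded.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample rows using the UrlClickEvents columns the KQL query touches.
SAMPLE_EVENTS = [
    {"Url": "https://login-micros0ft.example/verify", "Workload": "Teams",
     "ThreatTypes": "Phish", "IsClickedThrough": "1", "ActionType": "ClickAllowed"},
    {"Url": "https://login-micros0ft.example/verify", "Workload": "Teams",
     "ThreatTypes": "Phish", "IsClickedThrough": "1", "ActionType": "ClickAllowed"},
    {"Url": "https://cdn.example/installer.exe", "Workload": "Teams",
     "ThreatTypes": "Malware", "IsClickedThrough": "1", "ActionType": "ClickBlockedByTenantPolicy"},
    # Same URL but from Email, not Teams: outside this hunt's scope.
    {"Url": "https://cdn.example/installer.exe", "Workload": "Email",
     "ThreatTypes": "Malware", "IsClickedThrough": "1", "ActionType": "ClickAllowed"},
    # Spam is not one of the two threat types the query keeps.
    {"Url": "https://spam.example/offer", "Workload": "Teams",
     "ThreatTypes": "Spam", "IsClickedThrough": "1", "ActionType": "ClickAllowed"},
    # Not clicked through: blocked before the user reached the page.
    {"Url": "https://blocked.example/bad", "Workload": "Teams",
     "ThreatTypes": "Phish", "IsClickedThrough": "0", "ActionType": "ClickBlocked"},
    # Internal awareness-program link flagged as Phish: the allowlist excludes it.
    {"Url": "https://training.company.com/phishing-sim", "Workload": "Teams",
     "ThreatTypes": "Phish", "IsClickedThrough": "1", "ActionType": "ClickAllowed"},
    # Lookalike host: a substring match on 'training.company.com' would wrongly drop it.
    {"Url": "https://training.company.com.evil.example/login", "Workload": "Teams",
     "ThreatTypes": "Phish", "IsClickedThrough": "1", "ActionType": "ClickAllowed"},
]

INTERNAL_HOSTS = {"training.company.com", "learn.company.com"}  # assumed allowlist


def is_internal(url):
    """Exact hostname match, never a substring test on the whole URL."""
    host = (urlparse(url).hostname or "").lower()
    return host in INTERNAL_HOSTS


def hunt_teams_clicks(events, exclude_internal=True):
    """Mirror the KQL: filter rows, then count by (Url, ThreatTypes, IsClickedThrough, ActionType)."""
    counts = Counter()
    for e in events:
        if e["IsClickedThrough"] == "0" or e["Workload"] != "Teams":
            continue
        if e["ThreatTypes"] not in ("Phish", "Malware"):
            continue
        if exclude_internal and is_internal(e["Url"]):
            continue
        counts[(e["Url"], e["ThreatTypes"], e["IsClickedThrough"], e["ActionType"])] += 1
    return counts
```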