Users clicking on malicious URLs in Teams can indicate phishing or malware delivery attempts by adversaries leveraging a trusted communication channel. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify and mitigate early-stage compromise attempts.
KQL Query
```kql
//Top 10 Users clicking on malicious URLs in Teams
UrlClickEvents
| where Workload == "Teams" and ThreatTypes in ("Phish", "Malware")
| summarize Blocked = countif(ActionType == "ClickBlocked"), Allowed = countif(ActionType == "ClickAllowed"), PendingVerdict = countif(ActionType == "UrlScanInProgress"), Error = countif(ActionType == "UrlErrorPage"), ClickedThrough = countif(IsClickedThrough) by AccountUpn
| top 10 by Blocked desc
```
```yaml
id: 2186afac-1cde-441d-9825-0dbfd5f59d05
name: Top 10 Users clicking on malicious URLs in Teams
description: |
  This query visualizes Top 10 Users clicking on malicious Phish or Malware URLs in Teams.
description-detailed: |
  This query visualizes Top 10 Users clicking on malicious Phish or Malware URLs in Teams.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //Top 10 Users clicking on malicious URLs in Teams
  UrlClickEvents
  | where Workload == "Teams" and ThreatTypes in ("Phish", "Malware")
  | summarize Blocked = countif(ActionType == "ClickBlocked"), Allowed = countif(ActionType == "ClickAllowed"), PendingVerdict = countif(ActionType == "UrlScanInProgress"), Error = countif(ActionType == "UrlErrorPage"), ClickedThrough = countif(IsClickedThrough) by AccountUpn
  | top 10 by Blocked desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
- Scenario: A system administrator clicks on a legitimate URL in Teams while testing a phishing simulation tool.
  Filter/Exclusion: Exclude URLs that match known phishing simulation domains (e.g., phishsim.example.com or testphishing.example.com).
- Scenario: A scheduled job or automation script (e.g., Power Automate or Azure DevOps) accesses a public URL for API updates or configuration.
  Filter/Exclusion: Exclude URLs that match known automation service endpoints (e.g., api.example.com or dev.azure.com).
- Scenario: A user clicks on a malicious URL in Teams that is part of a legitimate security training exercise (e.g., from a security awareness platform like KnowBe4).
  Filter/Exclusion: Exclude URLs that match known security training domains (e.g., training.example.com or knowbe4.com).
- Scenario: A user clicks on a URL in Teams that is part of a legitimate internal tool or service (e.g., a company's internal documentation portal).
  Filter/Exclusion: Exclude URLs that match internal company domains (e.g., internal-docs.example.com or intranet.example.com).
- Scenario: A user clicks on a URL in Teams that is part of a legitimate external service (e.g., Microsoft Support or a third-party SaaS tool).
  Filter/Exclusion: Exclude URLs that match known legitimate external domains (e.g., support.microsoft.com or service.example.com).
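The exclusions above have to be applied on the `Url` column of `UrlClickEvents` before the `summarize`, otherwise the per-user counts still include the tuned-out clicks. The following is an added example, not part of the original query or its YAML: it extracts the host from `Url`, drops clicks whose host equals or is a subdomain of an entry in a tuning allowlist, and then runs the original aggregation. The allowlist values are placeholders taken from the scenarios and must be replaced with your own; comparing on the host suffix rather than searching the raw URL string avoids suppressing a click just because an allowlisted name appears somewhere in a path or a longer hostname.

```kql
// Added example: the Teams hunting query with host-based exclusions for the
// false-positive scenarios (simulation, training, automation, internal and
// known external services). Allowlist entries are placeholders.
let AllowedHostSuffixes = dynamic([
    "phishsim.example.com",      // phishing simulation tool
    "knowbe4.com",               // security awareness platform
    "dev.azure.com",             // automation / pipeline endpoints
    "internal-docs.example.com", // internal documentation portal
    "support.microsoft.com"      // legitimate external service
]);
UrlClickEvents
| where Workload == "Teams" and ThreatTypes in ("Phish", "Malware")
// Normalise the clicked host so the equality check below is case-insensitive
| extend Host = tolower(tostring(parse_url(Url).Host))
// Count how many allowlist entries the host equals or is a subdomain of.
// The subquery always returns one row per click, so no record is dropped here.
| mv-apply Suffix = AllowedHostSuffixes to typeof(string) on (
    summarize AllowMatches = countif(Host == Suffix or Host endswith strcat(".", Suffix))
  )
| where AllowMatches == 0
| summarize
    Blocked = countif(ActionType == "ClickBlocked"),
    Allowed = countif(ActionType == "ClickAllowed"),
    PendingVerdict = countif(ActionType == "UrlScanInProgress"),
    Error = countif(ActionType == "UrlErrorPage"),
    ClickedThrough = countif(IsClickedThrough),
    Hosts = make_set(Host, 10)   // sample of remaining hosts, to review tuning
    by AccountUpn
| top 10 by Blocked desc
```

Review the `Hosts` column periodically: if a legitimate host keeps surfacing, add it to the allowlist rather than widening the match, and if `ClickedThrough` is non-zero for a user, prioritise that row even when `Blocked` is low.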