Adversaries may use Teams messages that Zero-hour Auto Purge (ZAP) later acted on to deliver malicious URLs that, when clicked, can lead to command and control communication or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify phishing or credential theft attempts that leverage compromised Teams communication channels: a URL click on a message that ZAP subsequently purged is a strong signal that a user interacted with content later judged malicious.
KQL Query
```kql
//URL click on URLs in ZAP-d Teams messages
MessagePostDeliveryEvents
| join MessageUrlInfo on TeamsMessageId
| join UrlClickEvents on Url
| where ActionType !=""
```
```yaml
id: 4741e46e-1bdd-453a-90a8-13302a352a73
name: URL click on URLs in ZAP-d Teams messages
description: |
  This query visualizes URL clicks on URLs in Teams messages which were acted on by ZAP.
description-detailed: |
  This query visualizes URL clicks on URLs in Teams messages which were acted on by ZAP.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
      - MessagePostDeliveryEvents
      - MessageUrlInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //URL click on URLs in ZAP-d Teams messages
  MessagePostDeliveryEvents
  | join MessageUrlInfo on TeamsMessageId
  | join UrlClickEvents on Url
  | where ActionType !=""
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
- Scenario: Admin clicks on a legitimate URL in a Teams message for a scheduled job update.
  - Filter/Exclusion: Exclude URLs that match known admin tools or scheduled job URLs (e.g., https://teams.microsoft.com/* or https://admin.microsoft.com/*).
- Scenario: User clicks on a URL in a Teams message from a legitimate internal tool (e.g., Power BI report link).
  - Filter/Exclusion: Exclude URLs containing specific internal tool domains (e.g., https://powerbi.microsoft.com/* or https://internal.tools.company.com/*).
- Scenario: User clicks on a URL in a Teams message as part of a security training exercise.
  - Filter/Exclusion: Exclude URLs that match known security training URLs (e.g., https://training.example.com/* or https://security-training.example.com/*).
- Scenario: User clicks on a URL in a Teams message to access a shared document in OneDrive.
  - Filter/Exclusion: Exclude URLs that contain OneDrive file access paths (e.g., https://onedrive.com/* or https://*.sharepoint.com/*).
- Scenario: User clicks on a URL in a Teams message to access a cloud-based application (e.g., Salesforce, ServiceNow).
  - Filter/Exclusion: Exclude URLs that match known SaaS application domains (e.g., https://salesforce.com/*, https://servicenow.com/*, or https://*.service-now.com/*).
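The exclusions from the scenarios above can be applied inside the hunting query rather than by eyeballing results. The block below is an added example, not the original query from the page or from the Sentinel content repository: it keeps the same three-table join, parses the host out of each clicked URL, drops hosts on an allow-list built from the scenarios (exact hosts plus the two wildcard suffixes), and summarises the remaining clicks per user and host. The `internal.tools.company.com` and training hosts are the placeholder values quoted in the scenarios, and `AccountUpn` is assumed to be the clicking user's column in UrlClickEvents.

```kql
// Added example: ZAP-d Teams URL clicks with the scenario exclusions applied as an allow-list.
// Exact-host allow-list assembled from the false-positive scenarios above
// (internal.tools.company.com and the *.example.com entries are placeholders).
let AllowedHosts = dynamic([
    "teams.microsoft.com", "admin.microsoft.com",
    "powerbi.microsoft.com", "internal.tools.company.com",
    "training.example.com", "security-training.example.com",
    "onedrive.com", "salesforce.com", "servicenow.com"
]);
MessagePostDeliveryEvents
| join kind=inner MessageUrlInfo on TeamsMessageId
| join kind=inner UrlClickEvents on Url
| where ActionType != ""
// Normalise the clicked URL to its host so the allow-list matches regardless of path or query string.
| extend UrlHost = tolower(tostring(parse_url(Url).Host))
| where UrlHost !in~ (AllowedHosts)
// Wildcard entries from the scenarios (https://*.sharepoint.com/*, https://*.service-now.com/*).
| where not(UrlHost endswith ".sharepoint.com" or UrlHost endswith ".service-now.com")
// One row per user and host, keeping a bounded sample of the URLs for triage (AccountUpn is assumed).
| summarize ClickCount = count(), SampleUrls = make_set(Url, 20) by AccountUpn, UrlHost
| order by ClickCount desc
```

Matching on the parsed host rather than on a URL prefix avoids the classic allow-list bypass where a lookalike URL merely contains the trusted domain somewhere in its path or query string; the suffix checks are kept separate from the exact list so that a host such as `sharepoint.com.attacker.example` does not slip through an over-broad `contains`.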