# *Detect Malicious Teams Message*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1204.001 | User Execution: Malicious Link | https://attack.mitre.org/techniques/T1204/001/ |
| T1566.002 | Phishing: Spearphishing Link | https://attack.mitre.org/techniques/T1566/002/ |

#### Description
This detection rule surfaces Microsoft Teams messages in which Microsoft Defender for Office 365 (MDO) detected a threat, i.e. messages whose ThreatTypes column in MessageEvents is populated, together with any URLs recorded for them in MessageUrlInfo.

#### Risk
Malicious messages delivered to users can be the first step of initial access: a single clicked link is enough to start a phishing or malware chain.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://hybridbrothers.com
- https://thecollective.eu

## Defender XDR
```KQL
// Malicious messages detection
// Teams messages in which MDO recorded at least one threat type
MessageEvents
| where ThreatTypes != ""
// Keep every flagged message and attach its URLs where MessageUrlInfo has them;
// a message containing several URLs yields one row per URL
| join kind=leftouter MessageUrlInfo on TeamsMessageId
```

Explanation

This query is designed to detect potentially malicious messages sent through Microsoft Teams. Here's a simple breakdown of what it does:

1. Purpose: The query identifies Teams messages flagged as threats by Microsoft Defender for Office 365 (MDO).

2. Techniques involved: It relates to two MITRE ATT&CK techniques:

   - User Execution: Malicious Link (T1204.001): a user opens a malicious link.
   - Phishing: Spearphishing Link (T1566.002): a targeted phishing message delivers a malicious link.

3. Risk: Receiving malicious messages can be the starting point for initial access to the environment.

4. Query logic:

   - It searches MessageEvents for messages identified with any threat type (ThreatTypes is not empty).
   - It then performs a left outer join with MessageUrlInfo on TeamsMessageId to gather the URLs contained in those messages. Because the join is leftouter, a flagged message with no URL row is still returned (with empty URL columns), and a message containing several URLs produces one result row per URL, so counts should be taken per TeamsMessageId rather than per row.

5. Outcome: The query surfaces messages that might pose a security risk due to malicious content, allowing for further investigation and response.
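To make the filter and join behaviour concrete, the following is an added Python re-implementation of the query's logic over constructed sample rows. It is not code from the original page or from Defender XDR; the column subset used (TeamsMessageId, SenderEmailAddress, ThreatTypes, Url), the sample values and the summarize_by_message helper are assumptions made for illustration. It shows the three cases a practitioner hits in practice: a benign message that is dropped, a flagged message with two URLs that fans out into two rows, and a flagged message with no URL row that the leftouter join keeps.

```python
"""Added example: re-implements the KQL detection logic in Python over
constructed sample rows so the filter and leftouter join can be inspected."""
from collections import defaultdict

# Constructed sample data standing in for the MessageEvents table.
# The column subset and values are assumptions for illustration only.
MESSAGE_EVENTS = [
    {"TeamsMessageId": "msg-001", "SenderEmailAddress": "colleague@contoso.example",
     "ThreatTypes": ""},                      # benign: no threat recorded
    {"TeamsMessageId": "msg-002", "SenderEmailAddress": "attacker@evil.example",
     "ThreatTypes": "Phish"},                 # flagged, carries two URLs
    {"TeamsMessageId": "msg-003", "SenderEmailAddress": "attacker@evil.example",
     "ThreatTypes": "Malware"},               # flagged, no URL row at all
]

# Constructed sample data standing in for the MessageUrlInfo table.
MESSAGE_URL_INFO = [
    {"TeamsMessageId": "msg-001", "Url": "https://intranet.contoso.example/wiki"},
    {"TeamsMessageId": "msg-002", "Url": "https://login-m1crosoft.example/auth"},
    {"TeamsMessageId": "msg-002", "Url": "https://cdn.evil.example/payload.html"},
]


def detect_malicious_teams_messages(message_events, message_url_info):
    """Python equivalent of:
        MessageEvents
        | where ThreatTypes != ""
        | join kind=leftouter MessageUrlInfo on TeamsMessageId
    Returns one joined row per (message, URL) pair; flagged messages with
    no URL row are kept with Url=None, as a KQL leftouter join would do.
    """
    urls_by_message = defaultdict(list)
    for row in message_url_info:
        urls_by_message[row["TeamsMessageId"]].append(row)

    joined = []
    for event in message_events:
        if event["ThreatTypes"] == "":        # where ThreatTypes != ""
            continue
        matches = urls_by_message.get(event["TeamsMessageId"], [])
        if not matches:                       # leftouter: keep unmatched left rows
            joined.append({**event, "Url": None})
            continue
        for url_row in matches:               # fan-out: one row per matched URL
            joined.append({**event, "Url": url_row["Url"]})
    return joined


def summarize_by_message(joined_rows):
    """Collapse the fanned-out rows back to one entry per message, similar to
    a KQL `summarize make_set(Url) by TeamsMessageId`, so triage and alert
    counts are per message rather than per URL. Hypothetical helper."""
    summary = {}
    for row in joined_rows:
        entry = summary.setdefault(row["TeamsMessageId"], {
            "SenderEmailAddress": row["SenderEmailAddress"],
            "ThreatTypes": row["ThreatTypes"],
            "Urls": [],
        })
        if row["Url"] is not None:
            entry["Urls"].append(row["Url"])
    return summary


if __name__ == "__main__":
    rows = detect_malicious_teams_messages(MESSAGE_EVENTS, MESSAGE_URL_INFO)
    for row in rows:
        print(row["TeamsMessageId"], row["ThreatTypes"], row["Url"])
    for message_id, entry in summarize_by_message(rows).items():
        print(message_id, entry)
```

Running the block prints three joined rows (two for msg-002, one for msg-003 with no URL) and a two-entry per-message summary; msg-001 never appears because its ThreatTypes is empty. The same per-message collapse is what you would add to the KQL before turning the query into a custom detection, otherwise a single message with many links raises one alert per link.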

Details

Released: February 10, 2026

Tables: MessageEvents, MessageUrlInfo