Query Details

MDO Hunting - Teams Safe Links Click-Through

MDO 20 Teams Safe Links Click Through

Query

UrlClickEvents
| where Timestamp > ago(7d)
| where Workload == "Microsoft Teams" or Workload has "Teams"
| where ThreatTypes has_any ("Phish", "Malware") or IsClickedThrough != ""
| project Timestamp, AccountUpn, Url, ThreatTypes, DetectionMethods,
          IPAddress, IsClickedThrough, Workload
| sort by Timestamp desc

Explanation

This query is designed to identify users who have clicked on potentially malicious links within Microsoft Teams over the past week. It focuses on events recorded by Microsoft Threat Protection, specifically looking at URL click events. The query filters for clicks that occurred in Microsoft Teams and checks if the links were associated with phishing or malware threats, or if the user clicked through a warning. The results include details such as the timestamp, user account, URL, threat types, detection methods, IP address, whether the warning was clicked through, and the workload (Teams). This helps in identifying potential security breaches, as users who click through warnings are considered at risk, and their subsequent activities should be reviewed for signs of compromise.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

UrlClickEvents

Keywords

UrlClickEventsMicrosoftThreatProtectionMicrosoftTeamsPhishMalwareTimestampAccountUpnUrlThreatTypesDetectionMethodsIPAddressWorkload

Operators

agohashas_anyorprojectsort bywhere

Tactics

InitialAccessExecution

MITRE Techniques

Actions

GitHub