MDO Hunting - Teams Safe Links Click-Through
MDO 20 Teams Safe Links Click Through
Query
UrlClickEvents
| where Timestamp > ago(7d)
| where Workload == "Microsoft Teams" or Workload has "Teams"
| where ThreatTypes has_any ("Phish", "Malware") or IsClickedThrough != ""
| project Timestamp, AccountUpn, Url, ThreatTypes, DetectionMethods,
IPAddress, IsClickedThrough, Workload
| sort by Timestamp descExplanation
This query is designed to identify users who have clicked on potentially malicious links within Microsoft Teams over the past week. It focuses on events recorded by Microsoft Threat Protection, specifically looking at URL click events. The query filters for clicks that occurred in Microsoft Teams and checks if the links were associated with phishing or malware threats, or if the user clicked through a warning. The results include details such as the timestamp, user account, URL, threat types, detection methods, IP address, whether the warning was clicked through, and the workload (Teams). This helps in identifying potential security breaches, as users who click through warnings are considered at risk, and their subsequent activities should be reviewed for signs of compromise.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Tactics
MITRE Techniques