TI URL Or Domain Hit In Teams Messages

# *MS Teams Threat Intelligence Indicator Hit for Domain or URL*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1566 | Phishing | https://attack.mitre.org/techniques/T1566 |


#### Description
This rule detects when a domain or URL observed in Teams Messages matches a known threat intelligence indicator from Microsoft Defender Threat Intelligence. It specifically looks for hits against 'Domain' and 'URL' type indicators.

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- KQL Cafe 2025.11.24 Session of Daniel Mozes https://kqlcafe.com/#2025


## Defender XDR
```KQL
// Extract IOC details from the ThreatIntelIndicators table
let IOC = ThreatIntelIndicators
| where SourceSystem == "Microsoft Defender Threat Intelligence"
| extend IOCType = case(
    ObservableKey has "ipv4" or ObservableKey has "network-traffic", "IP Address",
    ObservableKey has "domain", "Domain",
    ObservableKey has "url", "URL",
    ObservableKey has "file", "File Hash",
    ObservableKey has "email", "Email Address",
    "Other")
| extend IOCValue = ObservableValue
| extend Pattern = tostring(split(Pattern, "=")[1]) // Extract the value part of the STIX pattern if needed
| extend Description = tostring(parse_json(Data).description)
| extend IndicatorTypes = tostring(parse_json(Data).indicator_types)
| extend ValidFrom = todatetime(parse_json(Data).valid_from)
| extend ValidUntil = todatetime(parse_json(Data).valid_until)
| project TimeGenerated, IOCType, IOCValue, Pattern, Description, IndicatorTypes, ValidFrom, ValidUntil, Confidence
| order by TimeGenerated desc;
let IOCDomain = IOC
| where IOCType == "Domain";
let IOCUrl = IOC
| where IOCType == "URL";
// kind=inner keeps every message that carries a matching URL or domain; the default
// join kind (innerunique) would keep only one left-side row per distinct key value,
// so repeated uses of the same malicious URL across messages would be lost
let URLHits = MessageUrlInfo
| join kind=inner IOCUrl on $left.Url == $right.IOCValue;
let DomainHits = MessageUrlInfo
| join kind=inner IOCDomain on $left.UrlDomain == $right.IOCValue;
// Combine both match sets and enrich them with the message context from MessageEvents
URLHits
| union DomainHits
| join kind=inner MessageEvents on TeamsMessageId
```

Explanation

This query is designed to detect potential security threats in Microsoft Teams messages by checking if any domains or URLs in the messages match known threat indicators from Microsoft Defender Threat Intelligence. Here's a simplified breakdown of what the query does:

1. Extract Threat Intelligence Indicators: It starts by pulling data from the ThreatIntelIndicators table, focusing on indicators sourced from Microsoft Defender Threat Intelligence. It categorizes these indicators into types such as IP Address, Domain, URL, File Hash, and Email Address.
2. Filter for Domains and URLs: The query keeps only the indicators of type "Domain" and "URL", because those are the types this rule is interested in.
3. Match Indicators with Teams Messages:
   - It reads the MessageUrlInfo table, which contains the URLs found in Teams messages (and the domain of each URL).
   - It joins this information with the filtered threat indicators to find any match where a domain or URL in a Teams message corresponds to a known threat indicator.
4. Combine Results: The query combines the results of the URL matches and the domain matches.
5. Final Join with Message Events: It then joins these results with the MessageEvents table to correlate the matched indicators with specific Teams messages, using TeamsMessageId as the key.

In essence, this query helps identify potentially malicious domains or URLs in Teams messages by leveraging threat intelligence data, thereby aiding in the detection of phishing attempts or other security threats.
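The following is an added example, not the query from the page or the author's repository. It hardens the same lookup in three ways a detection engineer would usually want before scheduling it: it drops expired indicators, it keeps only the latest row per indicator (the ThreatIntelIndicators table can carry several rows for one observable), and it normalizes case and trailing slashes on both sides so that a URL that differs only in casing or a trailing "/" still matches (KQL joins compare keys exactly). The lookback windows, and the MessageEvents columns SenderEmailAddress, RecipientEmailAddress, ThreadType and IsExternalThread used for the final summary, are assumptions and should be checked against the schema in your tenant.

```kql
// Added example (not the page's query). Assumed: the lookback windows below and the
// MessageEvents columns SenderEmailAddress, RecipientEmailAddress, ThreadType, IsExternalThread.
let lookback_ti = 30d;   // how far back to read indicators (assumed)
let lookback_msgs = 1d;  // how far back to read Teams messages (assumed)
let ActiveIOC = ThreatIntelIndicators
| where TimeGenerated > ago(lookback_ti)
| where SourceSystem == "Microsoft Defender Threat Intelligence"
| where ObservableKey has "domain" or ObservableKey has "url"
| extend IOCType = iff(ObservableKey has "domain", "Domain", "URL")
| extend ValidUntil = todatetime(parse_json(Data).valid_until)
// drop indicators that have already expired; keep those without an expiry
| where isnull(ValidUntil) or ValidUntil > now()
// keep only the most recent row for each observable value
| summarize arg_max(TimeGenerated, *) by ObservableValue
// normalized key: lower-case and without a trailing slash
| extend MatchKey = tolower(trim_end("/", ObservableValue))
| project IOCType, MatchKey, IOCValue = ObservableValue, Confidence,
          Description = tostring(parse_json(Data).description), ValidUntil;
let Msgs = MessageUrlInfo
| where Timestamp > ago(lookback_msgs)
| extend UrlKey = tolower(trim_end("/", Url)), DomainKey = tolower(UrlDomain);
// kind=inner so every message carrying a matching URL/domain is reported
let URLHits = Msgs
| join kind=inner (ActiveIOC | where IOCType == "URL") on $left.UrlKey == $right.MatchKey;
let DomainHits = Msgs
| join kind=inner (ActiveIOC | where IOCType == "Domain") on $left.DomainKey == $right.MatchKey;
union URLHits, DomainHits
| join kind=inner (MessageEvents | where Timestamp > ago(lookback_msgs)) on TeamsMessageId
// one row per message, listing every indicator and URL that matched in it
| summarize MatchedIndicators = make_set(IOCValue), MatchedUrls = make_set(Url),
            MaxConfidence = max(Confidence)
    by Timestamp, TeamsMessageId, SenderEmailAddress, RecipientEmailAddress, ThreadType, IsExternalThread
| order by MaxConfidence desc, Timestamp desc
```

Collapsing to one row per TeamsMessageId keeps the alert volume equal to the number of suspicious messages rather than the number of indicator hits, which is usually what the triage queue needs; the full indicator list still travels with the row for the analyst.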

Details

Benjamin Zulliger

Released: November 25, 2025

Tables: ThreatIntelIndicators, MessageUrlInfo, MessageEvents

Keywords: Teams, Messages, Domain, URL, Threat Intelligence Indicator, Microsoft Defender, ThreatIntelIndicators, MessageUrlInfo, MessageEvents

Operators: let, where, ==, extend, case(), has, or, tostring(), split(), [], //, parse_json(), project, order by, desc, join, on, $, union, join kind=inner