MS Teams Threat Intelligence Indicator Hit for Domain or URL
TI URL Or Domain Hit In Teams Messages
Query
// Extract IOC details from ThreatIntelIndicators export
let IOC = ThreatIntelIndicators
| where SourceSystem == "Microsoft Defender Threat Intelligence"
| extend IOCType = case(
ObservableKey has "ipv4" or ObservableKey has "network-traffic", "IP Address",
ObservableKey has "domain", "Domain",
ObservableKey has "url", "URL",
ObservableKey has "file", "File Hash",
ObservableKey has "email", "Email Address",
"Other")
| extend IOCValue = ObservableValue
| extend Pattern = tostring(split(Pattern, "=")[1]) // Extract value from STIX pattern if needed
| extend Description = tostring(parse_json(Data).description)
| extend IndicatorTypes = tostring(parse_json(Data).indicator_types)
| extend ValidFrom = todatetime(parse_json(Data).valid_from)
| extend ValidUntil = todatetime(parse_json(Data).valid_until)
| project TimeGenerated, IOCType, IOCValue, Pattern, Description, IndicatorTypes, ValidFrom, ValidUntil, Confidence
| order by TimeGenerated desc;
let IOCDomain = IOC
| where IOCType == "Domain";
let IOCUrl = IOC
| where IOCType == "URL";
let URLHits = MessageUrlInfo
| join IOCUrl on $left.Url == $right.IOCValue;
let DomainHits = MessageUrlInfo
| join IOCDomain on $left.UrlDomain == $right.IOCValue;
URLHits
| union DomainHits
| join kind=inner MessageEvents on TeamsMessageIdAbout this query
MS Teams Threat Intelligence Indicator Hit for Domain or URL
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1566 | Phishing | https://attack.mitre.org/techniques/T1556 |
Description
This rule detects when a domain or URL observed in Teams Messages matches a known threat intelligence indicator from Microsoft Defender Threat Intelligence. It specifically looks for hits against 'Domain' and 'URL' type indicators.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
- KQL Cafe 2025.11.24 Session of Daniel Mozes https://kqlcafe.com/#2025
Defender XDR
Explanation
This query is designed to detect potential security threats in Microsoft Teams messages by checking if any domains or URLs in the messages match known threat indicators from Microsoft Defender Threat Intelligence. Here's a simplified breakdown of what the query does:
-
Extract Threat Intelligence Indicators: It starts by pulling data from the
ThreatIntelIndicatorstable, focusing on indicators sourced from Microsoft Defender Threat Intelligence. It categorizes these indicators into types such as IP Address, Domain, URL, File Hash, and Email Address. -
Filter for Domains and URLs: The query specifically filters out indicators that are of type "Domain" and "URL" because it is interested in these types for the purpose of this rule.
-
Match Indicators with Teams Messages:
- It checks the
MessageUrlInfotable, which contains information about URLs in Teams messages. - It joins this information with the filtered threat indicators to find any matches where a domain or URL in a Teams message corresponds to a known threat indicator.
- It checks the
-
Combine Results: The query combines the results of URL matches and domain matches.
-
Final Join with Message Events: It further joins these results with the
MessageEventstable to correlate the matched indicators with specific Teams messages, using theTeamsMessageIdas the key.
In essence, this query helps identify potentially malicious domains or URLs in Teams messages by leveraging threat intelligence data, thereby aiding in the detection of phishing attempts or other security threats.
Details

Benjamin Zulliger
Released: November 25, 2025
Tables
Keywords
Operators