Detections
KQL hunting queries and detection rules for Microsoft Sentinel, Defender XDR, and Defender for Cloud — synced from GitHub.
6 rules
Synced from
github.com/pthoor/detections-ai-kql
External DMs with Links in Teams
Identify the URL domains most frequently linked in external Teams threads over the last 7 days. Filters out common trusted Microsoft domains to reduce noise and highlights the most prolific external link sources for investigation.
Initial Access
T1566
T1566.002
MessageEvents
MessageUrlInfo
Defender for Office 365
Scheduled
// External DMs with Links in Teams
// Identify the URL domains most often linked in external Teams threads over last 7 days
// Source: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/safeguarding-microsoft-teams-with-microsoft-defender-for-office-365/4464086
// Improved: added Timestamp filter on MessageUrlInfo for better join performance
// and filtered out common trusted domains to reduce noise
let lookback = 7d;
// Trusted first-party domains, matched as the exact domain or a subdomain of it.
// An anchored regex is used instead of has_any: has/has_any match whole terms, so
// "login.microsoft.com.phish.example" would satisfy has "microsoft.com" and be
// silently dropped as trusted
let trustedDomainPattern = @"(^|\.)(microsoft\.com|sharepoint\.com|office\.com|live\.com|windows\.net|microsoftonline\.com)$";
MessageEvents
| where Timestamp > ago(lookback) and IsExternalThread == true
| join kind=inner (
MessageUrlInfo
| where Timestamp > ago(lookback)
) on TeamsMessageId
| where not(tolower(UrlDomain) matches regex trustedDomainPattern)
| summarize Links=dcount(Url), Senders=dcount(SenderEmailAddress) by UrlDomain
| top 10 by Links desc
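Before trusting a domain allowlist in a KQL filter it is worth checking how term matching treats lookalikes: `has` and `has_any` match whole terms, so a domain such as `login.microsoft.com.phish.example` satisfies `has "microsoft.com"` and would be suppressed as trusted. The query below is an added example, not part of the synced pthoor/detections-ai-kql repository, that runs a `has_any` allowlist and an anchored suffix regex side by side over a constructed datatable (the hostnames and message IDs are made up for the fixture):

```kql
// Added example (not from the synced repository): how term matching
// treats lookalike domains. Sample rows are constructed, not real telemetry.
let trustedDomains = dynamic(["microsoft.com", "sharepoint.com", "office.com", "live.com", "windows.net", "microsoftonline.com"]);
// Anchored alternative: exact domain or a subdomain of it, nothing else
let trustedPattern = @"(^|\.)(microsoft\.com|sharepoint\.com|office\.com|live\.com|windows\.net|microsoftonline\.com)$";
let sampleUrls = datatable(TeamsMessageId:string, Url:string, UrlDomain:string)
[
    "m1", "https://login.microsoft.com/",                   "login.microsoft.com",
    "m2", "https://login.microsoft.com.phish.example/auth", "login.microsoft.com.phish.example",
    "m3", "https://notmicrosoft.com/invoice",               "notmicrosoft.com",
    "m4", "https://contoso.sharepoint.com/sites/hr",        "contoso.sharepoint.com",
    "m5", "https://evil.example/teams-login",               "evil.example"
];
sampleUrls
// Term-based allowlist as used in a has_any filter
| extend TermFilterSaysTrusted = UrlDomain has_any (trustedDomains)
// Suffix-anchored allowlist: only the listed domains and their subdomains
| extend SuffixFilterSaysTrusted = tolower(UrlDomain) matches regex trustedPattern
| project UrlDomain, TermFilterSaysTrusted, SuffixFilterSaysTrusted
```

The row to look at is `login.microsoft.com.phish.example`: the term filter reports it as trusted (its terms contain the phrase `microsoft.com`) while the anchored pattern does not, and `notmicrosoft.com` is correctly untrusted under both because `notmicrosoft` is a single term. Paste the block into Advanced Hunting or a Sentinel Logs pane to see the two columns diverge.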
IT Helpdesk Imposters in External DMs
Surface social-engineering lures in external Teams threads that impersonate IT helpdesk or support staff. Matches sender display names and recipient details against helpdesk, IT support, and work-from-home keywords commonly used in phishing lures.
Initial Access
T1534
MessageEvents
Defender for Office 365
Scheduled
// IT Helpdesk Imposters in External DMs
// Surface social-engineering lures impersonating support over last 5 days
// Source: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/safeguarding-microsoft-teams-with-microsoft-defender-for-office-365/4464086
let lookback = 5d;
MessageEvents
| where Timestamp > ago(lookback)
| where IsExternalThread == true
// Improved: use "helpdesk"/"help desk" patterns and case-sensitive "IT" to reduce false positives
| where (RecipientDetails has "helpdesk" or RecipientDetails has "help desk")
or (RecipientDetails has_cs "IT" and RecipientDetails has "support")
or (SenderDisplayName has "helpdesk" or SenderDisplayName has "help desk")
or (SenderDisplayName has_cs "IT" and SenderDisplayName has "support")
// Separated: "working from home" is a different social-engineering lure category
or (RecipientDetails has "working" and RecipientDetails has "home")
or (SenderDisplayName has "working" and SenderDisplayName has "home")
| project Timestamp, SenderDisplayName, SenderEmailAddress,
RecipientDetails, IsOwnedThread, ThreadType, ReportId
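The rule above leans on the whole-term semantics of `has` and the case sensitivity of `has_cs`, which is what keeps names like "Exit Interview Support" out of the results. The query below is an added example, not part of the synced pthoor/detections-ai-kql repository, that applies the same lure filter to a constructed set of display names and places a naive substring check beside it; modelling `RecipientDetails` as a plain array of strings is an assumption made for this fixture only, not a statement about the real column's shape:

```kql
// Added example (not from the synced repository): the lure filter applied to
// constructed display names, next to a naive substring check for comparison.
// RecipientDetails is modelled here as a simple array of strings, which is an
// assumption about its shape made for this fixture only.
let samples = datatable(SenderDisplayName:string, RecipientDetails:dynamic)
[
    "IT Support - Contoso",        dynamic(["alice@contoso.example"]),
    "Helpdesk",                    dynamic(["bob@contoso.example"]),
    "Contoso Help Desk",           dynamic(["carol@contoso.example"]),
    "it support",                  dynamic(["dave@contoso.example"]),
    "Exit Interview Support",      dynamic(["erin@contoso.example"]),
    "Quality Support Team",        dynamic(["frank@contoso.example"]),
    "Working From Home Allowance", dynamic(["grace@contoso.example"]),
    "Partner PM",                  dynamic(["IT Support", "heidi@contoso.example"])
];
samples
// Same predicate as the detection rule: whole-term matches, "IT" case-sensitive
| extend RuleFires =
    (RecipientDetails has "helpdesk" or RecipientDetails has "help desk")
    or (RecipientDetails has_cs "IT" and RecipientDetails has "support")
    or (SenderDisplayName has "helpdesk" or SenderDisplayName has "help desk")
    or (SenderDisplayName has_cs "IT" and SenderDisplayName has "support")
    or (RecipientDetails has "working" and RecipientDetails has "home")
    or (SenderDisplayName has "working" and SenderDisplayName has "home")
// Naive alternative: case-insensitive substring match on "it" and "support"
| extend NaiveFires = SenderDisplayName contains "it" and SenderDisplayName contains "support"
| project SenderDisplayName, RecipientDetails, RuleFires, NaiveFires
```

"Exit Interview Support" and "Quality Support Team" fire only under the naive check, because `has_cs "IT"` requires `IT` to stand alone as a term; "it support" in lower case fires under neither, which is the trade-off the case-sensitive match makes; and the last row fires on the recipient side alone, since `has` on a dynamic column searches its serialized text.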
Malicious Verdicts in Teams
Find Teams messages that have already received Spam, Phish, or Malware verdicts from Microsoft Defender for Office 365. Provides a fast triage queue of confirmed malicious content delivered via Teams.
Initial Access
T1566
MessageEvents
Defender for Office 365
Scheduled
// Malicious Verdicts in Teams
// Find messages already carrying Spam/Phish/Malware verdicts for fastest triage queue
// Source: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/safeguarding-microsoft-teams-with-microsoft-defender-for-office-365/4464086
let lookback = 1d;
MessageEvents
| where Timestamp > ago(lookback)
| where ThreatTypes has "Phish" or ThreatTypes has "Malware" or ThreatTypes has "Spam"
| project Timestamp, SenderDisplayName, SenderEmailAddress,
RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId
| order by Timestamp desc
Rare External Domains with Clicks in Teams
Surfaces rare domains linked in external Teams threads and correlates them with user click activity from UrlClickEvents. Designed for incident response to quickly identify when users have interacted with uncommon or potentially malicious links delivered via external Teams conversations.
Initial Access
T1566
T1566.002
MessageEvents
MessageUrlInfo
UrlClickEvents
Defender for Office 365
Scheduled
// Rare External Domains with Clicks in Teams (Detection Rule)
// Surfaces rare external domains in Teams and associated user clicks for incident response
// Source: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/safeguarding-microsoft-teams-with-microsoft-defender-for-office-365/4464086
let lookback = 1d;
// Improved: threshold is now a variable for easier tuning
let rareDomainThreshold = 3;
// External Teams messages
let externalMsgs =
MessageEvents
| where Timestamp > ago(lookback) and IsExternalThread == true
| project MsgTime = Timestamp, TeamsMessageId, SenderEmailAddress, ME_ReportId = ReportId;
// URLs found in Teams messages
let urlsInMsgs =
MessageUrlInfo
| where Timestamp > ago(lookback)
| project MUI_Time = Timestamp, TeamsMessageId, Url, UrlDomain, MUI_ReportId = ReportId;
// Clicks coming from Teams
let clicks =
UrlClickEvents
| where Timestamp > ago(lookback) and Workload == "Teams"
| project ClickTime = Timestamp, Url, Clicker = AccountUpn, ClickAction = ActionType, UCE_ReportId = ReportId;
// Define "rare" domains in the period
let rareDomains =
urlsInMsgs
| summarize msgCount = dcount(TeamsMessageId) by UrlDomain
| where msgCount < rareDomainThreshold;
rareDomains
| join kind=inner (urlsInMsgs) on UrlDomain
// Inner join so only URLs from external threads are emitted (the rule's scope);
// rarity above is still measured across all Teams messages in the period
| join kind=inner (externalMsgs) on TeamsMessageId
| join kind=leftouter (clicks) on Url
| project
Timestamp = coalesce(ClickTime, MUI_Time, MsgTime),
UrlDomain,
Url,
SenderEmailAddress,
Clicker,
ClickTime,
ClickAction,
TeamsMessageId,
ReportId = coalesce(UCE_ReportId, MUI_ReportId, ME_ReportId)
// Added: drop identical rows (e.g. the same URL recorded more than once for a message);
// separate clicks keep their own ClickTime and ReportId and remain separate rows
| distinct *
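To see what the three-way join produces before pointing it at live tables, the query below is an added example, not part of the synced pthoor/detections-ai-kql repository, that replaces `MessageEvents`, `MessageUrlInfo` and `UrlClickEvents` with constructed datatables shaped like the projections above and runs the same rare-domain logic over them. Every address, hostname, message ID, report ID and ActionType string in the fixture is made up; the join to the external-message set is inner here so that links from internal threads drop out:

```kql
// Added example (not from the synced repository): the rare-domain join logic
// run over a constructed fixture in place of the real tables.
let rareDomainThreshold = 3;
// Stand-in for MessageEvents filtered to external threads (constructed rows)
let externalMsgs = datatable(MsgTime:datetime, TeamsMessageId:string, SenderEmailAddress:string, ME_ReportId:string)
[
    datetime(2024-05-01 09:00:00), "msg-1", "partner@vendor.example",  "r-me-1",
    datetime(2024-05-01 09:05:00), "msg-2", "guest@lookalike.example", "r-me-2"
];
// Stand-in for MessageUrlInfo; msg-3..5 are internal threads with no row above
let urlsInMsgs = datatable(MUI_Time:datetime, TeamsMessageId:string, Url:string, UrlDomain:string, MUI_ReportId:string)
[
    datetime(2024-05-01 09:00:00), "msg-1", "https://docs.vendor.example/q2",      "docs.vendor.example",      "r-mui-1",
    datetime(2024-05-01 09:05:00), "msg-2", "https://sso-lookalike.example/login", "sso-lookalike.example",    "r-mui-2",
    datetime(2024-05-01 09:10:00), "msg-3", "https://intranet.contoso.example/a",  "intranet.contoso.example", "r-mui-3",
    datetime(2024-05-01 09:11:00), "msg-4", "https://intranet.contoso.example/b",  "intranet.contoso.example", "r-mui-4",
    datetime(2024-05-01 09:12:00), "msg-5", "https://intranet.contoso.example/c",  "intranet.contoso.example", "r-mui-5"
];
// Stand-in for UrlClickEvents with Workload == "Teams"; ActionType values are
// placeholders for this fixture, not a claim about the real enumeration
let clicks = datatable(ClickTime:datetime, Url:string, Clicker:string, ClickAction:string, UCE_ReportId:string)
[
    datetime(2024-05-01 09:06:00), "https://sso-lookalike.example/login", "alice@contoso.example", "ClickAllowed", "r-uce-1",
    datetime(2024-05-01 09:07:00), "https://sso-lookalike.example/login", "alice@contoso.example", "ClickAllowed", "r-uce-2",
    datetime(2024-05-01 09:08:00), "https://sso-lookalike.example/login", "bob@contoso.example",   "ClickBlocked", "r-uce-3"
];
// A domain is rare when fewer than rareDomainThreshold distinct messages link it
let rareDomains =
    urlsInMsgs
    | summarize msgCount = dcount(TeamsMessageId) by UrlDomain
    | where msgCount < rareDomainThreshold;
rareDomains
| join kind=inner (urlsInMsgs) on UrlDomain
| join kind=inner (externalMsgs) on TeamsMessageId
| join kind=leftouter (clicks) on Url
| project
    Timestamp = coalesce(ClickTime, MUI_Time, MsgTime),
    UrlDomain, Url, SenderEmailAddress, Clicker, ClickTime, ClickAction, TeamsMessageId,
    ReportId = coalesce(UCE_ReportId, MUI_ReportId, ME_ReportId)
| distinct *
| order by Timestamp asc
```

`intranet.contoso.example` is linked from three distinct messages, so it fails the `< 3` rarity test and never appears; `docs.vendor.example` comes out as a single row with an empty `Clicker` because nobody clicked it; and the lookalike login URL comes out as three rows, one per click, because each click carries its own `ClickTime` and `ReportId` and `distinct *` only collapses rows that are identical in every column.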
Safe Links Click Events Telemetry for Teams
Confirm Safe Links outcomes and adoption in Teams by summarizing click events from the last 24 hours. Groups clicks by action type to show how many clicks were allowed, blocked, or pending verdict, and how many unique users were involved.
Initial Access
T1566
UrlClickEvents
Defender for Office 365
Scheduled
// Safe Links Click Events Telemetry for Teams
// Confirm Safe Links outcomes and adoption in Teams
// Source: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/safeguarding-microsoft-teams-with-microsoft-defender-for-office-365/4464086
let lookback = 24h;
UrlClickEvents
| where Timestamp > ago(lookback) and Workload == "Teams"
| summarize Clicks=count(), Users=dcount(AccountUpn) by ActionType
| order by Clicks desc
Who Clicked Links in Teams
Exposure view showing Teams workload click activity over the last 7 days. Extracts the URL domain for easier pivoting and includes NetworkMessageId for correlation during investigations.
Initial Access
T1204
UrlClickEvents
Defender for Office 365
Scheduled
// Who Clicked Links in Teams
// Exposure view showing Teams workload click activity over last 7 days
// Source: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/safeguarding-microsoft-teams-with-microsoft-defender-for-office-365/4464086
let lookback = 7d;
UrlClickEvents
| where Timestamp > ago(lookback) and Workload == "Teams"
// Added: UrlDomain and NetworkMessageId for easier pivoting during investigations
| extend UrlDomain = tostring(parse_url(Url).Host)
| project Timestamp, AccountUpn, Url, UrlDomain, ActionType, NetworkMessageId
| order by Timestamp desc