thoor.tech — Detection RulesKQL hunting queries and detection rules for Microsoft Sentinel, Defender XDR, and Defender for Cloudhttps://thoor.tech/detections/2026-03-31T16:03:09+02:00Pierre ThoorExternal DMs with Links in Teamshttps://thoor.tech/detections/#det-external-dms-with-links-teams2026-03-31T16:03:09+02:00Identify top external domains sending links in Teams direct messages over the last 7 days. Filters out common trusted Microsoft domains to reduce noise and highlights the most prolific external link sources for investigation.IT Helpdesk Imposters in External DMshttps://thoor.tech/detections/#det-helpdesk-imposters-external-dms2026-03-31T16:03:09+02:00Surface social-engineering lures in Teams external direct messages that impersonate IT helpdesk or support staff. Detects display names and recipient details containing helpdesk, IT support, or work-from-home themed keywords commonly used in phishing attacks.Malicious Verdicts in Teamshttps://thoor.tech/detections/#det-malicious-verdicts-teams2026-03-31T16:03:09+02:00Find Teams messages that have already received Spam, Phish, or Malware verdicts from Microsoft Defender for Office 365. Provides a fast triage queue of confirmed malicious content delivered via Teams.Rare External Domains with Clicks in Teamshttps://thoor.tech/detections/#det-rare-external-domains-with-clicks-teams2026-03-31T16:03:09+02:00Surfaces rare external domains seen in Teams messages and correlates them with user click activity from UrlClickEvents. Designed for incident response to quickly identify when users have interacted with uncommon or potentially malicious links delivered via external Teams conversations.Safe Links Click Events Telemetry for Teamshttps://thoor.tech/detections/#det-safe-links-click-events-teams2026-03-31T16:03:09+02:00Confirm Safe Links outcomes and adoption in Teams by summarizing click events from the last 24 hours. Groups clicks by action type to show how many clicks were allowed, blocked, or pending verdict, and how many unique users were involved.Who Clicked Links in Teamshttps://thoor.tech/detections/#det-who-clicked-links-teams2026-03-31T16:03:09+02:00Exposure view showing Teams workload click activity over the last 7 days. Extracts the URL domain for easier pivoting and includes NetworkMessageId for correlation during investigations.