Microsoft Teams Security: 7 New Hunting Queries for URL Threat Detection

What Changed

Seven new hunting queries added to monitor Microsoft Teams security events, focused on URL threat detection and post-delivery protection.

Detection Surface Unlocked

The new hunting queries provide visibility into:

Malicious URL clicks within Teams messages (phishing/malware)
ZAP (Zero-hour Auto Purge) events on Teams messages
Admin/user submission verdicts for Teams content
Daily trends for blocked URL clicks
Post-delivery security actions on Teams messages

Query Logic

Primary data sources: UrlClickEvents, CloudAppEvents, MessagePostDeliveryEvents, MessageUrlInfo

URL click analysis filters by Workload == Teams and ThreatTypes in (Phish,Malware)
Submission triage queries parse RawEventData for SubmissionContentType == ChatMessage
ZAP event tracking monitors ActionType has ZAP in MessagePostDeliveryEvents
Cross-correlation queries join multiple tables to link URLs, messages, and click events

MITRE Mapping

T1566 - Phishing

Affected Files

Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/ (7 files)
Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/ (7 files)

What Changed#

Detection Surface Unlocked#

Query Logic#

MITRE Mapping#

Affected Files#

What Changed

Detection Surface Unlocked

Query Logic

MITRE Mapping

Affected Files