Query Details

Detect External User Sending Suspicious Link To Multiple Users

Query

# *Detect external user sending suspicious link to multiple users*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1566.002 | Phishing: Spearphishing Link | https://attack.mitre.org/techniques/T1566/002/ |

#### Description
An external sender suddenly sending the same link to multiple internal users can indicate that the external account has been compromised and is being used for a BEC attack. In these kinds of attacks, compromised accounts are used to send phishing links or attachments to users in existing business relationships.

#### Risk
When an external user sends the same link to multiple internal users within a short time frame, the link might be malicious.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://hybridbrothers.com
- https://thecollective.eu

## Defender XDR
```KQL
// External user sending same link to multiple users via Teams
let threshold = 5;
MessageEvents
| where TimeGenerated > ago(1d)
// Focus on chat messages
| where ThreadType == "chat"
// Only return external users sending messages
| join kind=leftanti (
    IdentityInfo
    | where TimeGenerated > ago(14d)
    | distinct AccountObjectId
) on $left.SenderObjectId == $right.AccountObjectId
// Only flag messages with Teams Links
| join kind=inner MessageUrlInfo on TeamsMessageId
// Exclude teams file thumbnails
| where Url !~ "http://dummy.jpg/"
// Make a set of the chats a user sends a specific URL to
| summarize ChatSet = make_set(ThreadId) by SenderEmailAddress, Url
// Count the amount of chats
| extend ChatCount = array_length(ChatSet)
| where ChatCount > threshold
```

Explanation

This query is designed to detect potentially suspicious behavior where an external user sends the same link to multiple internal users via Microsoft Teams. Here's a simplified breakdown of what the query does:

  1. Time Frame: It looks at messages sent within the last day (TimeGenerated > ago(1d)).

  2. Message Type: It focuses specifically on chat messages (ThreadType == "chat").

  3. External Senders: It filters for messages sent by external users. This is done with a left anti-join that drops any sender whose SenderObjectId appears in IdentityInfo within the last 14 days.

  4. Link Detection: It identifies messages that contain URLs, specifically looking for links shared in Teams messages.

  5. Exclusion: It excludes the placeholder URL that Teams emits for file thumbnails (Url !~ "http://dummy.jpg/", a case-insensitive comparison).

  6. Grouping and Counting: For each external sender, it groups the messages by the URL sent and counts how many different chat threads received the same URL.

  7. Threshold: It flags cases where the same link is sent to more than five different chat threads (ChatCount > threshold).

The purpose of this query is to identify potential phishing attempts, where an external account might be compromised and used to send malicious links to multiple internal users in a short period.
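As an added illustration, not part of the original query page, the following Python re-implements the same pipeline (1-day window, chat threads only, left anti-join against the internal identity set, thumbnail exclusion, make_set per sender and URL, threshold) over a handful of constructed Teams message rows, so each filtering step can be checked offline before the KQL is deployed. Column names follow the query above; the sample rows, the NOW timestamp, the sender identities and the internal-account set are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Mirrors `let threshold = 5;` in the KQL (assumed default, adjustable per call).
THRESHOLD = 5
# Teams file-thumbnail placeholder the query drops with `Url !~ "http://dummy.jpg/"`.
THUMBNAIL_PLACEHOLDER = "http://dummy.jpg/"

NOW = datetime(2026, 2, 10, 12, 0, tzinfo=timezone.utc)  # constructed "query time"


def _event(minutes_ago, thread_type, thread_id, sender_id, sender_email, url):
    """Build one constructed row standing in for MessageEvents already joined to MessageUrlInfo."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "ThreadType": thread_type,
        "ThreadId": thread_id,
        "SenderObjectId": sender_id,
        "SenderEmailAddress": sender_email,
        "Url": url,
    }


# Constructed sample data: one external account spraying the same link into six chats,
# plus noise the query is meant to drop (thumbnails, internal senders, channel posts, old rows).
EXT_SENDER = ("obj-9001", "partner@example.net")   # hypothetical external account
INT_SENDER = ("obj-1001", "alice@example.org")     # hypothetical internal account
MESSAGE_EVENTS = (
    # external sender, same URL to six distinct chats (chat3 sent twice -> counted once)
    [_event(30 + i, "chat", f"19:chat{i}@thread.v2", *EXT_SENDER, "https://example.com/invoice-login")
     for i in range(6)]
    + [_event(5, "chat", "19:chat3@thread.v2", *EXT_SENDER, "https://example.com/invoice-login")]
    # thumbnail placeholder is excluded even when it appears in many chats
    + [_event(20 + i, "chat", f"19:chat{i}@thread.v2", *EXT_SENDER, "HTTP://dummy.jpg/") for i in range(7)]
    # internal sender sharing a link widely is out of scope (leftanti join on IdentityInfo)
    + [_event(40 + i, "chat", f"19:int{i}@thread.v2", *INT_SENDER, "https://intranet.example.org/policy")
       for i in range(7)]
    # external sender posting into channels, not chats
    + [_event(50 + i, "channel", f"19:chan{i}@thread.tacv2", *EXT_SENDER, "https://example.com/invoice-login")
       for i in range(7)]
    # same external sender and URL two days ago: outside the 1d window
    + [_event(2 * 24 * 60 + i, "chat", f"19:old{i}@thread.v2", *EXT_SENDER, "https://example.com/invoice-login")
       for i in range(7)]
)

# Constructed stand-in for `IdentityInfo | where TimeGenerated > ago(14d) | distinct AccountObjectId`.
INTERNAL_ACCOUNT_IDS = {"obj-1001", "obj-1002", "obj-1003"}


def detect_external_link_spray(events, internal_ids, now, threshold=THRESHOLD):
    """Apply the KQL pipeline step by step and return the flagged (sender, URL) pairs."""
    window_start = now - timedelta(days=1)              # TimeGenerated > ago(1d)
    chats_by_sender_url = defaultdict(set)              # summarize make_set(ThreadId) by sender, Url
    for ev in events:
        if ev["TimeGenerated"] <= window_start:
            continue
        if ev["ThreadType"] != "chat":                  # ThreadType == "chat"
            continue
        if ev["SenderObjectId"] in internal_ids:        # join kind=leftanti IdentityInfo
            continue
        if ev["Url"].lower() == THUMBNAIL_PLACEHOLDER:  # `!~` is case-insensitive in KQL
            continue
        chats_by_sender_url[(ev["SenderEmailAddress"], ev["Url"])].add(ev["ThreadId"])
    return [
        {"SenderEmailAddress": sender, "Url": url, "ChatSet": sorted(chats), "ChatCount": len(chats)}
        for (sender, url), chats in sorted(chats_by_sender_url.items())
        if len(chats) > threshold                       # ChatCount > threshold
    ]


if __name__ == "__main__":
    for hit in detect_external_link_spray(MESSAGE_EVENTS, INTERNAL_ACCOUNT_IDS, NOW):
        print(hit)
```

Running it yields a single hit for the external sender with ChatCount 6: the repeated chat3 thread is counted once (the set mirrors make_set), the thumbnail rows are dropped regardless of URL casing, and the internal sender, the channel posts and the two-day-old rows never reach the summarize step. Passing an empty internal-account set shows why the IdentityInfo join matters: the internal sender then appears as a second hit.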

Details

Robbe Van den Daele

Released: February 10, 2026

Tables

MessageEvents, IdentityInfo, MessageUrlInfo

Keywords

External User, Teams, Message, Url, Chat, SenderEmailAddress

Operators

let, where, join, distinct, on, summarize, make_set, by, extend, array_length