Exposure Management - A potentially malicious URL click was detected
EEG Malicious Link
Query
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend AccountUPN = tostring(NodeProperties.rawData.accountUpn)
| distinct AccountUPN;
AlertInfo
| where Title == "A potentially malicious URL click was detected"
| join AlertEvidence on AlertId
| join EmailEvents on NetworkMessageId
| where RecipientEmailAddress has_any (CriticalIdentities)About this query
Exposure Management - A potentially malicious URL click was detected
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1566.002 ] | Initial Access: https://attack.mitre.org/techniques/T1566/002/ | https://attack.mitre.org/techniques/T1566/002/ |
Description
Custom DefenderXDR detection rule for critical identities marked by exposure management clicking on malicious email link. This would triggered the isolation of the user account and devices impacted to minimize lateral movement.
References
Credits
- Author of the query is: Steven Lim share via LinkedIn post.
Microsoft Defender XDR
Explanation
This query detects when a critical identity clicks on a malicious URL in an email. It triggers isolation of the user account and devices to prevent further movement within the network.
Details

Alex Verboon
Released: March 26, 2024
Tables
ExposureGraphNodesAlertInfoAlertEvidenceEmailEvents
Keywords
ExposureGraphNodesCategoriesNodePropertiesCriticalIdentitiesAccountUPNAlertInfoTitleAlertIdAlertEvidenceEmailEventsRecipientEmailAddress
Operators
letwhereisnotnullandextenddistinctjoinonhas_any