Query Details

Exposure Management - A potentially malicious URL click was detected

EEG Malicious Link

Query

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend AccountUPN = tostring(NodeProperties.rawData.accountUpn)
| distinct AccountUPN;
AlertInfo
| where Title == "A potentially malicious URL click was detected"
| join AlertEvidence on AlertId
| join EmailEvents on NetworkMessageId
| where RecipientEmailAddress has_any (CriticalIdentities)

About this query

Exposure Management - A potentially malicious URL click was detected

Query Information

MITRE ATT&CK Technique(s)

Description

Custom DefenderXDR detection rule for critical identities marked by exposure management clicking on malicious email link. This would triggered the isolation of the user account and devices impacted to minimize lateral movement.

References

Credits

  • Author of the query is: Steven Lim share via LinkedIn post.

Microsoft Defender XDR

Explanation

This query detects when a critical identity clicks on a malicious URL in an email. It triggers isolation of the user account and devices to prevent further movement within the network.

Details

Alex Verboon profile picture

Alex Verboon

Released: March 26, 2024

Tables

ExposureGraphNodesAlertInfoAlertEvidenceEmailEvents

Keywords

ExposureGraphNodesCategoriesNodePropertiesCriticalIdentitiesAccountUPNAlertInfoTitleAlertIdAlertEvidenceEmailEventsRecipientEmailAddress

Operators

letwhereisnotnullandextenddistinctjoinonhas_any

MITRE Techniques

Actions

GitHub