Query Details

MDO Hunting - Safe Links Click-Through to Blocked URL

MDO 05 Safe Links Click Through To Blocked URL

Query

UrlClickEvents
| where Timestamp > ago(7d)
| where ActionType == "ClickAllowed" or IsClickedThrough != ""
| where ThreatTypes has_any ("Phish", "Malware")
| project Timestamp, AccountUpn, Url, ThreatTypes, DetectionMethods,
          IPAddress, IsClickedThrough, Workload, NetworkMessageId
| sort by Timestamp desc

Explanation

This KQL query is designed to identify users who have clicked through a Safe Links warning page to access a potentially malicious URL, indicating a possible security compromise. Here's a simple breakdown:

  • Purpose: The query aims to detect users who ignored Safe Links warnings and proceeded to click on links identified as phishing or malware threats. These users are considered at risk of compromise.

  • Data Source: It uses data from the MicrosoftThreatProtection connector, specifically focusing on UrlClickEvents.

  • Time Frame: The query looks at events from the past 7 days.

  • Conditions: It filters for events where the action type is "ClickAllowed" or where there is evidence of a click-through (IsClickedThrough is not empty), and the threat type is either "Phish" or "Malware".

  • Output: The query projects specific details such as the timestamp, user account, URL, threat types, detection methods, IP address, whether the link was clicked through, workload, and network message ID.

  • Actionable Insights: The results help identify users who might have been exposed to threats despite protective measures. Security teams can further investigate these users' sign-in activities for signs of credential theft and consider actions like password resets or session revocations.

  • Tactics and Techniques: It aligns with tactics like Initial Access and Execution, and is relevant to the technique T1204 (User Execution).

This query is a part of a high-value security use case for monitoring and responding to potential threats that bypass initial defenses.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

UrlClickEvents

Keywords

UrlClickEventsTimestampActionTypeIsClickedThroughThreatTypesAccountUpnUrlDetectionMethodsIPAddressWorkloadNetworkMessageId

Operators

whereorhas_anyprojectsort by

Tactics

InitialAccessExecution

MITRE Techniques

Actions

GitHub