MDO Hunting - Safe Links Click-Through to Blocked URL
MDO 05 Safe Links Click Through To Blocked URL
Query
UrlClickEvents
| where Timestamp > ago(7d)
| where ActionType == "ClickAllowed" or IsClickedThrough != ""
| where ThreatTypes has_any ("Phish", "Malware")
| project Timestamp, AccountUpn, Url, ThreatTypes, DetectionMethods,
IPAddress, IsClickedThrough, Workload, NetworkMessageId
| sort by Timestamp descExplanation
This KQL query is designed to identify users who have clicked through a Safe Links warning page to access a potentially malicious URL, indicating a possible security compromise. Here's a simple breakdown:
-
Purpose: The query aims to detect users who ignored Safe Links warnings and proceeded to click on links identified as phishing or malware threats. These users are considered at risk of compromise.
-
Data Source: It uses data from the MicrosoftThreatProtection connector, specifically focusing on
UrlClickEvents. -
Time Frame: The query looks at events from the past 7 days.
-
Conditions: It filters for events where the action type is "ClickAllowed" or where there is evidence of a click-through (
IsClickedThroughis not empty), and the threat type is either "Phish" or "Malware". -
Output: The query projects specific details such as the timestamp, user account, URL, threat types, detection methods, IP address, whether the link was clicked through, workload, and network message ID.
-
Actionable Insights: The results help identify users who might have been exposed to threats despite protective measures. Security teams can further investigate these users' sign-in activities for signs of credential theft and consider actions like password resets or session revocations.
-
Tactics and Techniques: It aligns with tactics like Initial Access and Execution, and is relevant to the technique T1204 (User Execution).
This query is a part of a high-value security use case for monitoring and responding to potential threats that bypass initial defenses.
