Query Details

MDO — Safe Links Click-Through to Malicious URL

MDO AR 01 Safe Links Click Through

Query

UrlClickEvents
| where Timestamp > ago(1h)
| where ActionType == "ClickAllowed" or (isnotempty(IsClickedThrough) and IsClickedThrough != "0")
| where ThreatTypes has_any ("Phish", "Malware")
| where isnotempty(AccountUpn)
| project Timestamp, ReportId, AccountUpn, Url, ThreatTypes, DetectionMethods,
          IPAddress, IsClickedThrough, Workload, NetworkMessageId

Explanation

This query is designed to detect when a user clicks on a URL that has been classified as phishing or malware by Microsoft Defender for Office 365's Safe Links feature. Here's a simplified breakdown:

  • Purpose: The query identifies instances where users click on potentially harmful links, which are flagged as phishing or malware threats. This is considered a high-confidence indicator of a security compromise.

  • Data Source: It uses data from the UrlClickEvents table, which logs events related to URL clicks.

  • Time Frame: The query checks for events that occurred within the last hour.

  • Conditions:

    • It looks for URLs that were either allowed to be clicked or where users clicked through a warning page.
    • The URLs must be classified as either "Phish" or "Malware".
    • The query ensures that the user's account information (AccountUpn) is available.
  • Output: The query projects (selects) specific fields such as the timestamp of the event, user account, URL, threat type, detection methods, IP address, and more.

  • Alerting:

    • If any such events are detected, an alert is generated with a high severity level.
    • The alert includes details like the user's account and the type of threat.
    • The alert message advises treating the event as a potential compromise, suggesting actions like reviewing sign-ins and resetting credentials.
  • Incident Management:

    • The query is configured to create an incident for each alert.
    • Incidents are grouped by user account to manage related alerts together.
    • The system will not reopen closed incidents but will group new alerts with existing incidents if they occur within a 5-hour window.

Overall, this query helps security teams quickly identify and respond to potential security threats from malicious URLs clicked by users.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

UrlClickEvents

Keywords

UrlClickEventsAccountIPAddressThreatTypesDetectionMethodsWorkloadNetworkMessageIdTimestampReport

Operators

agohas_anyisnotemptyorprojectwhere

Severity

High

Tactics

InitialAccessExecution

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub