Adversaries may be attempting to bypass Safe Links by clicking on malicious URLs, indicating potential phishing or credential theft campaigns. SOC teams should proactively hunt for this behavior to identify and mitigate emerging threats before they lead to successful compromises.
KQL Query
```kql
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
UrlClickEvents
| where Timestamp >= TimeStart
| where ActionType == "ClickBlocked"
| make-series BlockedClicks = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| render timechart
```
```yaml
id: ac738108-451b-4341-ba38-021a00665415
name: Blocked Clicks Trend
description: |
  Visualises the trend of malicious URL clicks that were blocked by Safe Links over the past 30 days, helping analysts monitor the effectiveness of click protection policies.
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  UrlClickEvents
  | where Timestamp >= TimeStart
  | where ActionType == "ClickBlocked"
  | make-series BlockedClicks = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled Safe Links Policy Update Job
Description: A scheduled job runs to update Safe Links policies, which may temporarily increase the number of blocked clicks as the system synchronizes with new policy rules.
Filter/Exclusion: Exclude events where the Policy Update flag is set or where the source is a known policy management tool (e.g., Microsoft Defender for Office 365 admin center).
Scenario: User Clicking on Internal Training Links
Description: Users may click on internal training links that are mistakenly flagged as malicious by Safe Links due to similar URL patterns.
Filter/Exclusion: Exclude clicks where the URL domain is internal (e.g., *.internal.corp) or where the source is a known training portal (e.g., Microsoft Learn, internal LMS).
Scenario: Automated System Health Check Tool
Description: A system health check tool or diagnostic script may generate clicks on internal diagnostic URLs, which are blocked by Safe Links due to lack of proper whitelisting.
Filter/Exclusion: Exclude events where the source IP is from a known internal monitoring or diagnostic system (e.g., 10.0.0.0/8 or 192.168.0.0/16) or where the user agent matches a known automation tool.
Scenario: Email Campaign with Legitimate Shortened Links
Description: Marketing or HR teams may use shortened URLs (e.g., Bitly, TinyURL) in internal emails, which may be flagged by Safe Links if the shortened domain is not trusted.
Filter/Exclusion: Exclude clicks where the URL is from a known shortening service used internally (e.g., bitly.com, tinyurl.com) or where the email sender is a known internal team (e.g., marketing@company.com).
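The following query is an added example, not the hunting query above or Microsoft's workbook query. It applies the exclusions from the false-positive scenarios to the same `UrlClickEvents` baseline and then, instead of only rendering a chart, flags the days whose blocked-click count departs from the 30-day trend. The internal domain list, the sanctioned shortener list, the monitoring subnets and the internal sender list are placeholders that an analyst would replace with tenant-specific values; the join to `EmailEvents` on `NetworkMessageId` is how the sender of a clicked email link is recovered, since `UrlClickEvents` carries no sender column.

```kql
// Added example (not the page's own query). Placeholder allow-lists below are assumptions
// to be replaced with tenant-specific values before use.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let InternalDomains = dynamic(["internal.corp", "lms.internal.corp"]);  // assumption: internal zones / training portal
let KnownShorteners = dynamic(["bitly.com", "bit.ly", "tinyurl.com"]);   // assumption: shorteners the org sanctions
let MonitoringRanges = dynamic(["10.0.0.0/8", "192.168.0.0/16"]);       // from the scenario text; narrow to real scanner subnets
let InternalSenders = dynamic(["marketing@company.com", "hr@company.com"]); // assumption: known campaign senders
UrlClickEvents
| where Timestamp >= TimeStart
| where ActionType == "ClickBlocked"
| extend UrlHost = tolower(tostring(parse_url(Url).Host))
// Scenario: internal training links that share a URL pattern with blocked content
| where not(UrlHost has_any (InternalDomains))
// Scenario: legitimate shortened links used in internal campaigns
| where not(UrlHost in~ (KnownShorteners))
// Scenario: automated health checks from monitoring subnets.
// ipv4_is_in_any_range() returns null for IPv6 addresses; coalesce keeps those rows rather than dropping them.
| where not(coalesce(ipv4_is_in_any_range(IPAddress, MonitoringRanges), false))
// Scenario: campaign email from a known internal team (sender lives in EmailEvents, joined by message id)
| join kind=leftouter (
    EmailEvents
    | where Timestamp >= TimeStart
    | project NetworkMessageId, SenderFromAddress
  ) on NetworkMessageId
| where not(SenderFromAddress in~ (InternalSenders))
// Same daily series as the hunting query, then decompose it to find days above the fitted baseline
| make-series BlockedClicks = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend (Anomaly, Score, Baseline) = series_decompose_anomalies(BlockedClicks, 1.5, -1, 'linefit')
| mv-expand Timestamp to typeof(datetime), BlockedClicks to typeof(long), Anomaly to typeof(double), Baseline to typeof(double)
| where Anomaly == 1   // 1 = above baseline; -1 would be an unexpectedly quiet day
| project Timestamp, BlockedClicks, ExpectedBaseline = round(Baseline, 1)
| order by Timestamp asc
```

The exclusions are deliberately placed before `make-series` so that the baseline itself is built from the filtered data; filtering the expanded rows afterwards would leave the noise inside the fitted trend. Dropping the final `where Anomaly == 1` and adding `| render timechart` back gives the original trend view over the cleaned series.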