End users clicking on phishing URLs may indicate successful social engineering attacks aimed at exfiltrating data or deploying malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential breaches early.
KQL Query

```kql
UrlClickEvents
| where ThreatTypes contains "Phish"
| extend UrlBlocked = ActionType has_any ("ClickBlocked")
| extend UrlAllowed = ActionType has_any ("ClickAllowed")
| extend UrlPendingVerdict = ActionType has_any ("UrlScanInProgress")
| extend ErrorPage = ActionType has_any ("UrlErrorPage")
| summarize
    Blocked = countif(UrlBlocked),
    Allowed = countif(UrlAllowed),
    PendingVerdict = countif(UrlPendingVerdict),
    Error = countif(ErrorPage),
    ClickedThrough = countif(IsClickedThrough)
    by AccountUpn
| sort by Blocked desc
```
```yaml
id: d24e9c4a-b72a-4a85-89cd-83760ae61155
name: End user malicious clicks
description: |
  This query helps review the list of top users who clicked on phishing URLs.
description-detailed: |
  This query helps review the list of top users who clicked on phishing URLs, using Defender for Office 365 data.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  UrlClickEvents
  | where ThreatTypes contains "Phish"
  | extend UrlBlocked = ActionType has_any ("ClickBlocked")
  | extend UrlAllowed = ActionType has_any ("ClickAllowed")
  | extend UrlPendingVerdict = ActionType has_any ("UrlScanInProgress")
  | extend ErrorPage = ActionType has_any ("UrlErrorPage")
  | summarize
      Blocked = countif(UrlBlocked),
      Allowed = countif(UrlAllowed),
      PendingVerdict = countif(UrlPendingVerdict),
      Error = countif(ErrorPage),
      ClickedThrough = countif(IsClickedThrough)
      by AccountUpn
  | sort by Blocked desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure the data connector that populates this table (MicrosoftThreatProtection) is enabled |
Common benign scenarios that produce hits for this query, with the exclusion that removes them:

- Scenario: A system administrator clicks on a phishing link during a security awareness training simulation.
  - Filter/Exclusion: Exclude clicks from users with the role "Security Admin" or those who have accessed the security training portal in the last 7 days.
- Scenario: A scheduled job runs a script that includes a legitimate URL from a known security tool (e.g., CrowdStrike Falcon or Microsoft Defender ATP) for automated remediation.
  - Filter/Exclusion: Exclude URLs that match known security tool domains or are part of scheduled job execution scripts.
- Scenario: An end user clicks on a phishing link that was part of a red team exercise during a penetration test.
  - Filter/Exclusion: Exclude clicks from users who have been flagged as part of a red team exercise or who have accessed the red team portal in the last 30 days.
- Scenario: A user clicks on a link from a legitimate email notification about a system update or patch, such as from Microsoft Update or Adobe Acrobat.
  - Filter/Exclusion: Exclude URLs that match known legitimate update domains or are associated with system maintenance tasks.
- Scenario: A developer clicks on a link to a test environment URL (e.g., test.example.com) while debugging an application.
  - Filter/Exclusion: Exclude URLs that contain specific test environment subdomains or are part of development tooling (e.g., Jenkins, GitLab CI).
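The following is an added example, not part of the original hunting query, showing one way to fold the user- and domain-based exclusions above into the base query and to rank users by how often they actually clicked through. It assumes two Sentinel watchlists that are not on the original page: `PhishSimUsers` (column `UserPrincipalName`, users enrolled in awareness-training or red-team simulations) and `TrustedUrlDomains` (column `Domain`, update, security-tool and test-environment domains).

```kql
// Added example; assumed watchlist names: PhishSimUsers, TrustedUrlDomains.
let lookback = 7d;
let SimUsers = _GetWatchlist('PhishSimUsers')
    | project UserPrincipalName = tolower(UserPrincipalName);
let TrustedDomains = _GetWatchlist('TrustedUrlDomains')
    | project Domain = tolower(Domain);
UrlClickEvents
| where TimeGenerated > ago(lookback)
| where ThreatTypes has "Phish"
// Normalise the clicked URL's host so domain exclusions match case-insensitively
| extend UrlDomain = tolower(tostring(parse_url(Url).Host))
// Drop simulation participants and known-benign destinations
| where tolower(AccountUpn) !in (SimUsers)
| where UrlDomain !in (TrustedDomains)
| summarize
    TotalClicks = count(),
    Blocked = countif(ActionType has "ClickBlocked"),
    Allowed = countif(ActionType has "ClickAllowed"),
    PendingVerdict = countif(ActionType has "UrlScanInProgress"),
    Error = countif(ActionType has "UrlErrorPage"),
    ClickedThrough = countif(IsClickedThrough),
    Domains = make_set(UrlDomain, 10),
    FirstClick = min(TimeGenerated),
    LastClick = max(TimeGenerated)
    by AccountUpn
// Share of a user's phishing clicks where the warning page was bypassed
| extend ClickThroughRate = round(1.0 * ClickedThrough / TotalClicks, 2)
// Users whose clicks were all blocked need no follow-up; surface the rest first
| where ClickedThrough > 0 or Allowed > 0
| sort by ClickedThrough desc, Allowed desc
```

Populate the two watchlists from the training-platform and change-management sources referenced in the scenarios above rather than hard-coding UPNs or domains in the query.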