Adversaries may use malicious URLs disguised as legitimate links to exfiltrate data or deliver payloads, leveraging SafeLinks to bypass traditional detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential phishing or credential theft campaigns that evade standard security controls.
KQL Query

```kusto
EmailEvents
| where DetectionMethods != ""
| extend detection= tostring(parse_json(DetectionMethods).Phish)
| where detection == '["URL detonation reputation"]' or detection == '["URL detonation"]'
| summarize total=count() by bin(Timestamp, 1d)
| order by Timestamp asc
```
```yaml
id: 492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9
name: SafeLinks URL detections
description: |
  This query provides insights on the detections done by SafeLinks protection in Defender for Office 365
description-detailed: |
  This query provides insights on the detections done by SafeLinks protection in Defender for Office 365
  Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-links-about
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where DetectionMethods != ""
  | extend detection= tostring(parse_json(DetectionMethods).Phish)
  | where detection == '["URL detonation reputation"]' or detection == '["URL detonation"]'
  | summarize total=count() by bin(Timestamp, 1d)
  | order by Timestamp asc
version: 1.0.0
```
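The query above (shown once as the KQL block and again inside the YAML definition) parses the `DetectionMethods` JSON column, stringifies its `Phish` array and compares that string to two literals. The following Python is an added example, not part of the page or of the Sentinel content, that replays that logic offline over a handful of constructed `EmailEvents`-style rows so the behaviour can be checked before the query is scheduled. `SAMPLE_EMAIL_EVENTS`, the helper names and the sample timestamps are assumptions made for the example. It also goes one step beyond the page: because `tostring()` of the whole array is compared for equality, a row whose `Phish` array carries a URL detonation method alongside a second method is not counted by the page's query; `matches_any` shows the broader element-wise match for comparison.

```python
import json
from collections import Counter

# Constructed sample rows modelled on the two EmailEvents columns the query
# uses (Timestamp, DetectionMethods). Not real tenant data.
SAMPLE_EMAIL_EVENTS = [
    {"Timestamp": "2024-05-01T08:15:00Z",
     "DetectionMethods": '{"Phish":["URL detonation reputation"]}'},
    {"Timestamp": "2024-05-01T09:40:00Z",
     "DetectionMethods": '{"Phish":["URL detonation"]}'},
    # Two Phish methods in one row: the page's exact-string match skips this.
    {"Timestamp": "2024-05-01T11:02:00Z",
     "DetectionMethods": '{"Phish":["URL detonation","Mixed analysis detection"]}'},
    {"Timestamp": "2024-05-02T07:30:00Z",
     "DetectionMethods": '{"Phish":["Spoof DMARC"]}'},
    {"Timestamp": "2024-05-02T12:00:00Z",
     "DetectionMethods": '{"Malware":["File detonation"]}'},
    # Empty DetectionMethods: dropped by `where DetectionMethods != ""`.
    {"Timestamp": "2024-05-02T13:10:00Z", "DetectionMethods": ""},
    {"Timestamp": "2024-05-03T10:05:00Z",
     "DetectionMethods": '{"Phish":["URL detonation reputation"]}'},
]

# The two literals the page's query compares against.
SAFELINKS_URL_LITERALS = {'["URL detonation reputation"]', '["URL detonation"]'}
SAFELINKS_URL_METHODS = {"URL detonation reputation", "URL detonation"}


def phish_methods(detection_methods: str) -> list:
    """Mirror of parse_json(DetectionMethods).Phish: the Phish array,
    or an empty list when the column is empty, malformed or has no Phish key."""
    if not detection_methods:
        return []
    try:
        parsed = json.loads(detection_methods)
    except json.JSONDecodeError:
        return []
    phish = parsed.get("Phish") if isinstance(parsed, dict) else None
    return list(phish) if isinstance(phish, list) else []


def detection_string(detection_methods: str) -> str:
    """Mirror of tostring(parse_json(DetectionMethods).Phish): compact JSON
    text of the array, e.g. '["URL detonation"]' (no spaces after commas)."""
    methods = phish_methods(detection_methods)
    return json.dumps(methods, separators=(",", ":")) if methods else ""


def matches_exact(row: dict) -> bool:
    """The page's filter: the stringified Phish array equals one literal."""
    return detection_string(row["DetectionMethods"]) in SAFELINKS_URL_LITERALS


def matches_any(row: dict) -> bool:
    """Broader variant (not on the page): any Phish element is a URL
    detonation method, so multi-method rows are counted too."""
    return any(m in SAFELINKS_URL_METHODS
               for m in phish_methods(row["DetectionMethods"]))


def daily_totals(rows: list, predicate) -> dict:
    """Mirror of `summarize total=count() by bin(Timestamp, 1d) | order by
    Timestamp asc`. Assumes ISO 8601 UTC timestamps, so the date prefix is
    the 1-day bin."""
    counts = Counter(row["Timestamp"][:10] for row in rows if predicate(row))
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print("page query  :", daily_totals(SAMPLE_EMAIL_EVENTS, matches_exact))
    print("any-element :", daily_totals(SAMPLE_EMAIL_EVENTS, matches_any))
```

On the constructed rows the page's exact match counts two events on 2024-05-01 and one on 2024-05-03, while the element-wise variant counts three on 2024-05-01. If a tenant's data shows `Phish` arrays with several entries, the gap between the two totals is the volume the scheduled query silently excludes.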
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Legitimate SafeLinks URL redirection during email processing
Description: A user clicks on a SafeLinks-redirected URL as part of normal email processing (e.g., clicking on a link in an email to access a company resource).
Filter/Exclusion: Exclude URLs that match known internal SafeLinks redirect domains (e.g., safe.links.microsoft.com) or use a filter based on the SafeLinksRedirectUrl field.
Scenario: Scheduled system maintenance task using SafeLinks
Description: A scheduled task or script (e.g., Microsoft Defender for Office 365 maintenance job) uses SafeLinks to scan or process URLs as part of routine system checks.
Filter/Exclusion: Exclude events where the source is a known system task or service (e.g., Microsoft Defender for Office 365 or Microsoft 365 Defender).
Scenario: Admin manually testing SafeLinks protection
Description: An administrator is testing SafeLinks functionality by clicking on test URLs or using the SafeLinks test page to validate protection.
Filter/Exclusion: Exclude events where the user is an admin or where the URL is from a known test domain (e.g., test.safe.links or safe.links.microsoft.com/test).
Scenario: Internal tool or service using SafeLinks for URL filtering
Description: An internal tool (e.g., Microsoft Teams, Power Automate, or Exchange Online) uses SafeLinks to filter URLs as part of its normal operation.
Filter/Exclusion: Exclude events where the source is an internal application or service (e.g., Microsoft Teams, Exchange Online, or Power Automate).
Scenario: User accessing a legitimate external link via SafeLinks
Description: A user accesses a legitimate external link (e.g., a partner