Adversaries may use social engineering to get high-value users to click malicious URLs, which aligns with MITRE ATT&CK T1566 (Phishing). Proactively hunting for this behaviour in Azure Sentinel enables early detection of potential insider threats and limits lateral movement within the network.
KQL Query

```kql
UrlClickEvents
// ThreatTypes can list several verdicts (e.g. "Phish, Malware"), so match the term rather than the whole string
| where ThreatTypes has "Malware"
| summarize count() by AccountUpn
| top 10 by count_
| render piechart
```
```yaml
id: 5a84e13a-bb17-4124-9564-d74cdb84c124
name: Top 10 Users clicking on Malicious URLs (Malware)
description: |
  Visualises the top 10 users with click attempts on URLs in emails detected as malware, helping analysts identify risky user behaviour and potential targets.
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  UrlClickEvents
  // ThreatTypes can carry several verdicts, so use a term match instead of equality
  | where ThreatTypes has "Malware"
  | summarize count() by AccountUpn
  | top 10 by count_
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator clicks on a phishing link in a test email during a security awareness training exercise.
Filter/Exclusion: Exclude users with the "Admin" role or those who have access to the security training portal. Example: `user_email contains "admin@" or user_email contains "training@"`

Scenario: A scheduled job or automation tool (e.g., Power Automate) processes an email containing a benign URL as part of a data migration or reporting task.
Filter/Exclusion: Exclude events where the email is part of a known automation process. Example: `email_subject contains "Data Migration" or email_subject contains "Report Generation"`

Scenario: A user clicks on a URL in an email from a legitimate vendor (e.g., Microsoft, Google) that is mistakenly flagged as malicious by the email security gateway.
Filter/Exclusion: Exclude URLs from known trusted domains. Example: `url contains "microsoft.com" or url contains "google.com"`

Scenario: A user clicks on a URL in an internal email that was shared via a shared mailbox or distribution list, which was flagged due to a false positive in the URL filtering engine.
Filter/Exclusion: Exclude clicks from shared mailboxes or distribution lists. Example: `sender_email contains "sharedmailbox@" or sender_email contains "distlist@"`

Scenario: A user clicks on a URL in an email that is part of a legitimate marketing campaign, which was incorrectly classified as malicious by the email security solution.
Filter/Exclusion: Exclude URLs from known marketing domains or campaigns. Example: `url contains "example.com/marketing" or url contains "campaign-2024"`
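The following is an added example, not part of the original query, that folds the domain, subject and sender exclusions above into the hunt. It assumes the documented advanced-hunting columns of UrlClickEvents and EmailEvents (sender and subject are not in UrlClickEvents, so the two tables are joined on NetworkMessageId); the allowlist values are placeholders to replace with your own.

```kql
// Placeholder allowlists: tune these per tenant before use
let trustedDomains = dynamic(["microsoft.com", "google.com"]);
let automationSubjects = dynamic(["Data Migration", "Report Generation"]);
let serviceMailboxes = dynamic(["sharedmailbox@", "distlist@"]);
UrlClickEvents
| where Timestamp > ago(30d)
// ThreatTypes may hold several verdicts, so term-match rather than compare the whole string
| where ThreatTypes has "Malware"
// A blocked click is noise for this hunt; keep clicks that actually reached the URL
| where ActionType == "ClickAllowed" or IsClickedThrough == true
| extend UrlHost = tostring(parse_url(Url).Host)
| where not(UrlHost has_any (trustedDomains))
// Pull sender and subject for the automation and shared-mailbox exclusions
| join kind=leftouter (
    EmailEvents
    | project NetworkMessageId, SenderFromAddress, Subject
) on NetworkMessageId
| where not(Subject has_any (automationSubjects))
| where not(SenderFromAddress has_any (serviceMailboxes))
| summarize Clicks = count(), DistinctUrls = dcount(Url), LastClick = max(Timestamp) by AccountUpn
| top 10 by Clicks
```

The extra DistinctUrls and LastClick columns help separate one user repeatedly hitting a single flagged link from a user exposed to many distinct malicious URLs; add `| project AccountUpn, Clicks | render piechart` at the end to reproduce the workbook visual.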