Adversaries may target specific users by embedding phishing URLs in emails, relying on users who click frequently to harvest credentials or deliver malware. SOC teams should proactively hunt for this behaviour in Azure Sentinel so that high-value users who have clicked can be identified and remediated before lateral movement or data exfiltration occurs.
KQL Query

```kql
UrlClickEvents
| where ThreatTypes == "Phish"
| summarize count() by AccountUpn
| top 10 by count_
| render piechart
```
```yaml
id: a937905e-ee5c-406c-ab86-8e2581240112
name: Top 10 Users clicking on Malicious URLs (Phish)
description: |
  Visualises the top 10 users with click attempts on URLs in emails detected as phishing, helping analysts identify risky user behaviour and potential targets.
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  UrlClickEvents
  | where ThreatTypes == "Phish"
  | summarize count() by AccountUpn
  | top 10 by count_
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled Email Archiving Job Clicking on Phishing URLs
Description: An automated email archiving tool (e.g., Microsoft Exchange Archiving or third-party solutions like Symantec Enterprise Vault) may trigger a click event on a phishing URL during a scheduled job, even though no user intended to click.
Filter/Exclusion: Exclude events where the source is a known archiving or backup service (e.g., source.service = "ExchangeArchiving" or source.service = "EnterpriseVault").
Scenario: User Clicking on a Legitimate URL Mistakenly Believed to be Phishing
Description: A user may click on a legitimate URL (e.g., a company portal or internal system) that was mistakenly flagged as phishing by the email security gateway (e.g., Microsoft Defender for Office 365).
Filter/Exclusion: Exclude events where the URL is from a known internal domain (e.g., url.domain = "internal.company.com" or url.domain = "intranet.company.com").
Scenario: Admin Clicking on a Phishing Link During a Security Test
Description: A security administrator may intentionally click on a phishing link during a red team exercise or security training simulation (e.g., using tools like Metasploit or simulated phishing platforms like PhishMe).
Filter/Exclusion: Exclude events where the user is an admin or has a specific role (e.g., user.role = "Admin" or user.role = "SecurityAdmin").
Scenario: User Clicking on a URL in a Legitimate Email with a Similar Domain
Description: A user may click on a URL that appears similar to a legitimate company domain (e.g., example.com vs. exampel.com) due to a typo or phishing attempt that mimics a real URL.
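The following query is an added example, not part of the original hunting query or the Defender for Office 365 workbook it is based on. It keeps the top-10 ranking from the query above but applies the tuning suggested by the false-positive scenarios: clicks from known archiving or simulation accounts and clicks to known internal hosts are removed before counting, and the result separates clicks that actually went through the Safe Links warning page from those that were blocked. The account and host lists are constructed placeholders, as are the example addresses in them; in a production workspace they would normally be kept in a Sentinel watchlist and read with `_GetWatchlist()`. `ThreatTypes` is matched with `has` rather than `==` because the column can carry several comma-separated values (for example a message flagged as both phish and malware), which an exact match would miss.

```kql
// Added example, not the original hunting query: top phishing-URL clickers
// with the false-positive exclusions from the scenarios above applied.
let lookback = 30d;
// Constructed placeholder: internal hosts the gateway may mis-flag (scenario 2).
let InternalHosts = dynamic(["internal.company.com", "intranet.company.com"]);
// Constructed placeholder: service and admin accounts expected to click during
// archiving jobs or authorised phishing simulations (scenarios 1 and 3).
let ExcludedAccounts = dynamic(["archiving-svc@company.com", "secadmin@company.com"]);
let PhishClicks =
    UrlClickEvents
    | where Timestamp > ago(lookback)
    // 'has' instead of '==': ThreatTypes may list several types at once.
    | where ThreatTypes has "Phish"
    | where isnotempty(AccountUpn)
    // Extract and normalise the host so the internal-domain exclusion is exact.
    | extend UrlHost = tolower(tostring(parse_url(Url).Host))
    | where AccountUpn !in~ (ExcludedAccounts)
    | where UrlHost !in (InternalHosts);
// Rank users as in the original query, but also surface how many of their
// clicks were allowed through, which is what needs analyst follow-up.
PhishClicks
| summarize
    TotalClicks = count(),
    ClickedThrough = countif(IsClickedThrough == true),
    DistinctUrls = dcount(Url),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by AccountUpn
| top 10 by TotalClicks desc
| render barchart
```

A user with a high `TotalClicks` but zero `ClickedThrough` was protected by the warning page and is a training candidate; a user with any `ClickedThrough` clicks is the one to pivot on, for example by joining `NetworkMessageId` back to `EmailEvents` to see who sent the message and whether it was delivered to other recipients.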