Users clicking on URLs that Defender for Office 365 has categorized under a specific threat type may indicate an adversary attempting to deliver malicious payloads, phish credentials, or otherwise compromise accounts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage phishing campaigns before they lead to data exfiltration or lateral movement.
KQL Query
// Look back 30 whole days; TimeEnd excludes the partial current day so the
// daily buckets in the chart are comparable.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
UrlClickEvents
| where Timestamp >= TimeStart and Timestamp < TimeEnd
// Keep only clicks where Safe Links attached at least one threat type.
| where isnotempty(ThreatTypes)
| summarize Count = count() by ThreatTypes, bin(Timestamp, 1d)
| render timechart
id: 3eef362d-3aee-4950-9208-4afa6f7afbe9
name: URL Click attempts by threat type
description: |
  Visualises the total amount of click attempts on URLs with detections, split by the different threat types identified.
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // Look back 30 whole days; TimeEnd excludes the partial current day.
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  UrlClickEvents
  | where Timestamp >= TimeStart and Timestamp < TimeEnd
  | where isnotempty(ThreatTypes)
  | summarize Count = count() by ThreatTypes, bin(Timestamp, 1d)
  | render timechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure the MicrosoftThreatProtection data connector is enabled and the UrlClickEvents data type is selected |
False-positive scenarios and suggested tuning:

| Scenario | Example | Filter/Exclusion |
|---|---|---|
| User clicks on a legitimate internal URL during a scheduled system maintenance task | A system administrator clicks on a URL in an email notification about a scheduled backup job. | Exclude URLs containing internal, backup, or maintenance in the domain or path, or filter by user role (e.g., admin or IT). |
| Automated script or tool performs a click action for testing or configuration purposes | A DevOps tool like Azure DevOps or Jenkins clicks on a URL to trigger a CI/CD pipeline configuration. | Exclude URLs that match known automation tool domains or include query parameters like ?test=true or ?action=configure. |
| User clicks on a link flagged as phishing in a legitimate email from a trusted vendor | A user clicks on a link in an email from a vendor like Microsoft or Salesforce that was mistakenly flagged as phishing. | Exclude URLs from known trusted domains or filter by sender email address (e.g., noreply@Microsoft.com). |
| Scheduled report generation or data export triggers URL clicks | A scheduled job in Power BI or Power Automate clicks on a URL to fetch data from an internal API. | Exclude URLs that match internal API endpoints or include query parameters like ?export=true or ?report=1. |
| User clicks on a URL in a legitimate support ticket or helpdesk email | A user clicks on a link in a support email from a service desk tool like ServiceNow or Zendesk. | Exclude URLs that match known support tool domains or include query parameters like ?ticket=12345 or ?support=true. |
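The tuning above applied to the hunting query, as an added example that is not part of the original query: it drops the trusted-vendor and automation false positives before summarising and keeps per-user detail for triage. The allowlisted hosts and query-string markers are constructed placeholders to be replaced with your own values.

```kql
// Added example: tuned version of the "URL Click attempts by threat type" hunt.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Constructed placeholders: exact hostnames of trusted vendor / support tools.
// Matching the full host (not a substring) keeps a look-alike that embeds an
// allowlisted name as a subdomain from slipping through the exclusion.
let TrustedHosts = dynamic(["noreply.microsoft.com", "login.salesforce.com", "support.servicenow.example"]);
// Constructed placeholders: query-string markers used by internal automation.
let AutomationMarkers = dynamic(["test=true", "action=configure", "export=true", "report=1", "support=true"]);
UrlClickEvents
| where Timestamp >= TimeStart and Timestamp < TimeEnd
| where isnotempty(ThreatTypes)
| extend UrlHost = tostring(parse_url(Url).Host)
// Exclusion 1: clicks on links hosted by trusted vendors (case-insensitive exact match).
| where not(UrlHost in~ (TrustedHosts))
// Exclusion 2: clicks generated by automation, recognised by their query parameters.
| where not(Url has_any (AutomationMarkers))
// Keep the daily shape of the original chart, but add who clicked, whether the
// click was blocked or allowed, and how many users clicked through a warning.
| summarize Clicks = count(),
            DistinctUsers = dcount(AccountUpn),
            ClickedThrough = countif(IsClickedThrough == true),
            SampleUrls = make_set(Url, 5)
          by ThreatTypes, ActionType, bin(Timestamp, 1d)
| order by Timestamp asc, Clicks desc
```

Rows with ActionType of ClickAllowed or a non-zero ClickedThrough count are the ones to triage first, since those users reached the flagged page.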