Adversaries may be clicking on malicious URLs embedded in phishing emails to exfiltrate data or deploy malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise early in the attack lifecycle.
KQL Query
```kusto
AlertInfo
| where Title contains "Potentially malicious" and Timestamp > ago(30d)
| join kind=inner (AlertEvidence | where EntityType == "MailMessage") on AlertId
| join UrlClickEvents on NetworkMessageId
```
```yaml
id: 03e61096-20d0-46eb-b8e0-a507dd00a19f
name: URLClick details based on malicious URL click alert
description: |
  In this query, we are looking for URL clicks on emails which generated the alert "A potentially malicious URL click was detected".
description-detailed: |
  In this query, we are looking for URL clicks on emails which generated the alert "A potentially malicious URL click was detected" in Defender for Office 365.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
      - AlertInfo
      - AlertEvidence
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  AlertInfo
  | where Title contains "Potentially malicious" and Timestamp > ago(30d)
  | join kind=inner (AlertEvidence | where EntityType == "MailMessage") on AlertId
  | join UrlClickEvents on NetworkMessageId
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| AlertEvidence | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator clicks on a URL in an internal email to access a remote server for maintenance tasks.
Filter/Exclusion: Exclude URLs that match internal IP ranges or domains used by the organization’s infrastructure (e.g., internal.company.com, 10.0.0.0/8). Use a filter like url contains "internal.company.com" or url contains "10.0.0.1".
Scenario: A scheduled job or automated script clicks on a URL to fetch updates from a trusted external API.
Filter/Exclusion: Exclude URLs that are known to be used by internal automation tools (e.g., api.update.service.com). Use a filter like url contains "api.update.service.com" or process.name contains "update_scheduler".
Scenario: An IT support technician clicks on a phishing email link that was mistakenly sent to their inbox, but the email is from a legitimate domain.
Filter/Exclusion: Exclude emails from known internal or trusted domains (e.g., support@company.com, admin@company.com). Use a filter like email.from contains "support@company.com" or email.from contains "admin@company.com".
Scenario: A user clicks on a URL in an email from a legitimate vendor (e.g., a software update notification) that is hosted on a third-party site.
Filter/Exclusion: Exclude URLs from known vendors or partners (e.g., updates.vendor.com). Use a filter like url contains "updates.vendor.com" or email.from contains "vendor-support@vendor.com".
Scenario: A user clicks on a URL in an email that is part of a legitimate marketing campaign (e.g., a product demo link).
Filter/Exclusion: Exclude URLs from known marketing domains (e.g., marketing.company.com, `demo.product
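The query below is an added example, not part of the original page or of Microsoft's Sentinel content: it takes the base hunt from the KQL Query section and applies the exclusions described in the scenarios above in one tuned query. It assumes the Defender XDR advanced hunting schema as exposed in Sentinel (UrlClickEvents with Url, AccountUpn, ActionType, ThreatTypes and IsClickedThrough; EmailEvents with SenderFromAddress and Subject); the domain and sender values are placeholders to replace with your own. Two caveats a tuner should keep in mind: UrlClickEvents carries no process name, so the scheduled-automation scenario is excluded by URL and sender rather than by process, and a plain `contains` match on a domain string also matches look-alike hosts, so the example matches the parsed host against an allow-list of suffixes instead.

```kusto
// Added example: the base hunt with the scenario exclusions applied.
// Column names follow the Defender XDR advanced hunting schema (assumption);
// every domain, sender and alert title fragment below is a placeholder.
let lookback = 30d;
// Scenarios 1, 2, 4, 5: hosts that are trusted by the organisation. Matching the
// parsed host as a suffix (^|\.) avoids excluding look-alikes such as
// internal.company.com.example.net that a "contains" filter would let through.
let trusted_host_suffix = @"(^|\.)(internal\.company\.com|api\.update\.service\.com|updates\.vendor\.com|marketing\.company\.com)$";
// Scenarios 3, 4: senders whose mail is accepted as legitimate.
let trusted_senders = dynamic([
    "support@company.com",
    "admin@company.com",
    "vendor-support@vendor.com"
]);
AlertInfo
| where Timestamp > ago(lookback)
| where Title has "Potentially malicious"   // "A potentially malicious URL click was detected"
| project AlertTime = Timestamp, AlertId, Title, Severity
| join kind=inner (
    AlertEvidence
    | where EntityType == "MailMessage"
    | project AlertId, NetworkMessageId
  ) on AlertId
| join kind=inner (
    UrlClickEvents
    | project ClickTime = Timestamp, NetworkMessageId, AccountUpn, Url,
              ActionType, ThreatTypes, IsClickedThrough
  ) on NetworkMessageId
| join kind=leftouter (
    EmailEvents
    | project NetworkMessageId, SenderFromAddress, Subject
  ) on NetworkMessageId
| extend UrlHost = tolower(tostring(parse_url(Url).Host))
// Scenario 1: drop links whose host is an RFC 1918 address. ipv4_is_private()
// returns null for a hostname, so coalesce to false to keep those rows.
| where coalesce(ipv4_is_private(UrlHost), false) == false
// Drop links on allow-listed hosts (suffix match on the parsed host).
| where not(UrlHost matches regex trusted_host_suffix)
// Drop mail from allow-listed senders; keep rows with no EmailEvents match.
| where isempty(SenderFromAddress) or not(SenderFromAddress in~ (trusted_senders))
| project AlertTime, AlertId, Title, Severity, ClickTime, AccountUpn,
          SenderFromAddress, Subject, Url, UrlHost, ActionType, ThreatTypes, IsClickedThrough
| order by ClickTime desc
```

Each exclusion is a separate `where` stage so that a single line can be commented out while validating that a tuning rule does not hide true positives; review the rows removed by each stage before promoting the allow-lists into the saved hunting query.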