Users clicking links in malicious inbound emails may indicate a successful phishing attempt that can lead to credential compromise or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage phishing attacks before they escalate.
KQL Query

```kusto
let UrlClicked = (UrlClickEvents
| where ActionType == "ClickAllowed" or IsClickedThrough != "0"
| extend Device_IPv4 = IPAddress
| project ActionType, Device_IPv4, Url, UrlChain, IPAddress, NetworkMessageId);
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatTypes) and EmailDirection == "Inbound"
| where ThreatTypes has_any ("Malware", "Phish")
| extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
| join kind = inner UrlClicked on NetworkMessageId
| project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, ThreatTypes, ActionType, Url, UrlChain, Device_IPv4, LatestDeliveryLocation, LatestDeliveryAction, EmailAction, EmailActionPolicy
```
```yaml
id: 891f4865-75e5-4d40-bc24-ebf97da3ca9a
name: User clicks on malicious inbound emails
description: |
  This query provides insights on users who clicked on a suspicious URL
description-detailed: |
  This query provides insights on users who clicked on a suspicious URL from phishing/malware-categorized inbound emails over the past 30 days using Defender for Office 365 Data.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let UrlClicked = (UrlClickEvents
  | where ActionType == "ClickAllowed" or IsClickedThrough != "0"
  | extend Device_IPv4 = IPAddress
  | project ActionType, Device_IPv4, Url, UrlChain, IPAddress, NetworkMessageId);
  EmailEvents
  | where Timestamp > ago(30d)
  | where isnotempty(ThreatTypes) and EmailDirection == "Inbound"
  | where ThreatTypes has_any ("Malware", "Phish")
  | extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
  | join kind = inner UrlClicked on NetworkMessageId
  | project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, ThreatTypes, ActionType, Url, UrlChain, Device_IPv4, LatestDeliveryLocation, LatestDeliveryAction, EmailAction, EmailActionPolicy
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| User clicks on a phishing link in a legitimate marketing email | Exclude emails from known marketing domains (e.g., example.com, newsletter.com) using a tool like Microsoft Defender for Office 365 or Cisco Secure Email Gateway. Add these domains to a safe list in the email security platform. |
| User clicks on a URL in a support ticket or internal communication tool | Exclude URLs originating from internal communication platforms like Microsoft Teams, Slack, or Zoom by checking the source IP or domain. Use SIEM correlation rules to filter clicks from internal tools. |
| User clicks on a link in a scheduled job or automation script | Exclude clicks from known automation tools like PowerShell, Python scripts, or Ansible by checking the user agent or process owner. Use Windows Event Log analysis to identify script-based clicks. |
| User clicks on a URL in a legitimate external service (e.g., Google Drive, Dropbox) | Exclude URLs from trusted external services by adding them to a whitelist in the email security tool. Use URL filtering rules in Cisco Firepower or Palo Alto Networks to block false positives. |
| User clicks on a link in a test email or training phishing simulation | Exclude clicks from phishing training platforms like KnowBe4 or PhishMe by checking the email subject or sender. Use email header analysis to identify training emails and add them to a training list in the email security system. |
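The following is an added example, not the original hunting query or Azure-Sentinel project code: it folds the marketing-sender and phishing-simulation exclusions described above into the hunt itself and rolls the result up per recipient so repeat clickers surface first. The sender domains and subject tags are constructed placeholders to be replaced with values tuned for your tenant.

```kusto
// Added example (not the project's own query): original hunt plus allow-list
// exclusions from the false-positive table, summarized per recipient.
// All domains and subject tags below are constructed placeholders.
let lookback = 30d;
let MarketingSenderDomains = dynamic(["newsletter.example.com", "promo.example.net"]);  // placeholder
let PhishSimSenderDomains  = dynamic(["phishsim.example.org"]);                          // placeholder
let PhishSimSubjectTags    = dynamic(["[TRAINING]", "Security Awareness Test"]);         // placeholder
let UrlClicked = (UrlClickEvents
| where Timestamp > ago(lookback)
// tostring() keeps this predicate valid whether IsClickedThrough is bool or numeric in the workspace
| where ActionType == "ClickAllowed" or tostring(IsClickedThrough) !in ("0", "false")
| project NetworkMessageId, ClickTimestamp = Timestamp, ActionType, Url, UrlChain, Device_IPv4 = IPAddress);
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound" and ThreatTypes has_any ("Malware", "Phish")
| extend SenderDomain = tolower(tostring(split(SenderFromAddress, "@")[1]))
// Exclusion 1: trusted marketing senders (tune the list; do not allow-list whole public mail providers)
| where SenderDomain !in~ (MarketingSenderDomains)
// Exclusion 2: phishing-simulation traffic identified by sender domain or subject tag
| where SenderDomain !in~ (PhishSimSenderDomains) and not(Subject has_any (PhishSimSubjectTags))
| join kind=inner UrlClicked on NetworkMessageId
| extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
// Roll up per recipient: repeat clickers and the distinct URLs/senders involved
| summarize
    Clicks = count(),
    FirstClick = min(ClickTimestamp),
    LastClick = max(ClickTimestamp),
    Urls = make_set(Url, 20),
    Senders = make_set(SenderFromAddress_IPv4, 10),
    ThreatTypesSeen = make_set(ThreatTypes, 10),
    DeliveryActions = make_set(LatestDeliveryAction, 5)
    by RecipientEmailAddress
| order by Clicks desc, LastClick desc
```

Because the exclusions are expressed in KQL, a tuning change is a pull request against the query rather than an opaque setting in the mail gateway, which keeps the allow-list reviewable alongside the detection.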