Adversaries deliver malicious URLs through specific workloads (for example Exchange, Teams or SharePoint); a user clicking one can lead to data exfiltration or payload deployment. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate targeted attacks that leverage commonly used workloads.
KQL Query

```kql
UrlClickEvents
| where isnotempty(ThreatTypes)
| summarize count() by Workload
| render piechart
```
```yaml
id: c2b4ef3a-216d-4506-8b35-6a1b0f2a3bf7
name: Malicious URL Clicks by workload
description: |
  Visualises click attempts on malicious URLs, grouped by workload (such as Exchange, Teams, SharePoint, Copilot, etc.), to help analysts understand which workloads are most targeted.
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  UrlClickEvents
  | where isnotempty(ThreatTypes)
  | summarize count() by Workload
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
**Scenario:** Scheduled Job Fetching Updates from a Trusted Repository
**Description:** A system management tool like Windows Server Update Services (WSUS) or Microsoft Intune may attempt to click a URL to fetch updates from a known, legitimate source.
**Filter/Exclusion:** Exclude URLs that match known update servers (e.g., *.update.microsoft.com, *.microsoft.com) or use a custom field like url_category = "trusted_update".

**Scenario:** Admin Task to Reset Password via a Legitimate Portal
**Description:** An admin might click a URL from Azure Active Directory (AAD) or the Microsoft 365 Admin Center to reset a user's password.
**Filter/Exclusion:** Exclude URLs that match AAD or Microsoft 365 admin domains (e.g., login.microsoftonline.com, admin.microsoft.com) or use a custom field like url_category = "admin_portal".

**Scenario:** User Clicking on a Legitimate Support Link from Microsoft 365
**Description:** A user may click a link in Microsoft Teams or Outlook that leads to a Microsoft support page (e.g., https://support.microsoft.com).
**Filter/Exclusion:** Exclude URLs containing support.microsoft.com or use a custom field like url_category = "support".

**Scenario:** Automated Backup Job Using a Legitimate Cloud Storage URL
**Description:** A backup tool like Veeam or Azure Backup may attempt to click a URL to access a cloud storage bucket (e.g., https://blob.core.windows.net).
**Filter/Exclusion:** Exclude URLs that match known cloud storage endpoints (e.g., blob.core.windows.net, *.azure.com) or use a custom field like url_category = "cloud_storage".
**Scenario
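As an added example (not from the original page or the workbook it cites), the hunting query above extended with the host-based exclusions the scenarios describe: a click whose destination host is, or is a subdomain of, an allow-listed host is dropped before the per-workload count, and click-through and distinct-user counts are added for triage. The allow-list contents and the 30-day window are assumptions to adjust for your tenant.

```kql
// Added example, not part of the original hunting query or the workbook.
// Allow-list of hosts from the exclusion scenarios (assumed, adjust per tenant).
// Every entry here suppresses genuine detections on that host, so keep it narrow.
let TrustedHosts = dynamic([
    "update.microsoft.com",
    "login.microsoftonline.com",
    "admin.microsoft.com",
    "support.microsoft.com",
    "blob.core.windows.net"
]);
let Lookback = 30d;   // assumed hunting window
UrlClickEvents
| where Timestamp > ago(Lookback)
// Keep only clicks where Safe Links attached a threat verdict
| where isnotempty(ThreatTypes)
// Parse the destination host rather than matching on the raw URL string,
// so "bad-microsoft.com" or a path containing "microsoft.com" is not excluded
| extend Host = tolower(tostring(parse_url(Url).Host))
| extend Candidates = TrustedHosts
// Count how many allow-list entries match the host exactly or as a parent domain
| mv-apply Candidate = Candidates to typeof(string) on (
    summarize TrustedMatches = countif(Host == Candidate or Host endswith strcat(".", Candidate))
  )
| where TrustedMatches == 0
| summarize
    Clicks = count(),
    ClickedThrough = countif(IsClickedThrough == true),   // user reached the URL despite the warning
    DistinctUsers = dcount(AccountUpn),
    ThreatTypeSet = make_set(ThreatTypes, 10)
    by Workload
| order by Clicks desc
```

Swap the final `summarize` for the page's `| summarize count() by Workload | render piechart` to reproduce the original visual with the exclusions applied.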