Users who click URLs that Defender for Office 365 has flagged as malware, phishing, or spam are the most likely first foothold for a phishing campaign, and a user who keeps clicking after warnings may already be operating a compromised account. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) to identify at-risk users and possible compromised accounts early, before a clicked link turns into credential theft or malware delivery.
KQL Query
UrlClickEvents
| where ThreatTypes has_any ("Malware", "Phish", "Spam")
| summarize count() by AccountUpn
| top 10 by count_
| render piechart
```yaml
id: 7d7a3d3f-22db-4cdf-ba67-c57215777a3c
name: Top 10 Users clicking on Malicious URLs (Malware+Phish+Spam)
description: |
  Visualises the top 10 users with click attempts on URLs in emails detected as malware, phishing, or spam, helping analysts identify risky user behaviour and potential targets.
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  UrlClickEvents
  | where ThreatTypes has_any ("Malware", "Phish", "Spam")
  | summarize count() by AccountUpn
  | top 10 by count_
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ingested through the Microsoft Defender XDR data connector (connectorId `MicrosoftThreatProtection`); make sure the connector is enabled and the UrlClickEvents table is selected for ingestion, otherwise the query returns nothing without erroring |
Scenario: A user clicks a link in a legitimate marketing email that Microsoft Defender for Office 365 has mistakenly classified as spam.
Filter/Exclusion: Exclude the marketing platform's hosts (e.g., marketing.example.com) in the query, and report the message as a false positive through an admin submission in the Microsoft Defender portal so the verdict is corrected at the source rather than only hidden in the hunt.
Scenario: A system administrator clicks a phishing-simulation link sent by the security team as part of a training exercise.
Filter/Exclusion: Register the simulation infrastructure (sending domains, IPs and URLs) in the advanced delivery policy for third-party phishing simulations so Defender for Office 365 stops treating it as a threat, and exclude the simulation hosts (e.g., training.example.com, phishsim.example.com) in the query; if Attack simulation training is used, its clicks belong in that report, not in this hunt.
Scenario: A scheduled job or automated script (e.g., a PowerShell script run by Task Scheduler) fetches URLs to validate links or pull data from an internal API.
Filter/Exclusion: UrlClickEvents only records clicks on Safe Links-protected URLs, so such a job only shows up here if it follows a wrapped link taken from a mailbox and that URL carries a threat verdict. When it does, exclude the automation account's AccountUpn (or the host's IPAddress) in the query; do not weaken Safe Links for the script, because the wrapped URL is what lets you see the job's traffic at all.
Scenario: A user clicks a URL in a legitimate support email from a trusted vendor (e.g., Microsoft, Google) that the email security engine falsely classifies as phishing.
Filter/Exclusion: Exclude the vendor's exact hosts in the query and submit the message as a false positive. Match full hostnames, not vendor names or substrings: look-alike and subdomain-abuse domains are exactly what phishing campaigns impersonating these vendors use, and a loose allow entry would hide the true positives this hunt exists to find.
Scenario: A user clicks on a URL in an email from a legitimate partner or customer that is flagged as spam due to a misconfigured email security rule or a false positive from the threat intelligence feed.
Filter/Exclusion: Exclude URLs from specific partner domains (e.g., `partner.example.com
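The following is an added example, not part of the original hunting query, that applies the exclusions from the scenarios above inside the KQL itself and enriches the Top 10 output for triage. The `AllowedHosts` and `AutomationAccounts` tables are constructed stand-ins for Sentinel watchlists, and every hostname and account in them is a placeholder; the `Workload == "Email"` filter, the `ClickAllowed` action type and the `IsClickedThrough` column are assumed from the UrlClickEvents schema rather than taken from the original query.

```kql
// Added example (not the original hunting query). Same Top 10 aggregation as the
// page's query, with query-side tuning instead of mail-policy changes so the
// hunt can be adjusted without altering Defender for Office 365 verdicts.
// AllowedHosts / AutomationAccounts are constructed stand-ins for watchlists:
// replace them with _GetWatchlist('AllowedClickHosts') etc. once those exist.
let lookback = 30d;
let AllowedHosts = datatable(Host:string) [
    "phishsim.example.com",     // placeholder: internal phishing simulation
    "training.example.com",     // placeholder: security awareness training
    "marketing.example.com",    // placeholder: first-party marketing platform
    "partner.example.com"       // placeholder: trusted partner domain
];
let AutomationAccounts = datatable(AccountUpn:string) [
    "svc-linkcheck@example.com" // placeholder: scheduled link-validation job
];
UrlClickEvents
| where Timestamp > ago(lookback)
// Assumption: Workload is "Email" for mail clicks (vs. Teams / Office files).
| where Workload == "Email"
| where ThreatTypes has_any ("Malware", "Phish", "Spam")
// Match on the exact host, never on a substring of the URL, so look-alike
// domains (e.g. example.com.attacker.tld) are not swept into the allow-list.
| extend Host = tolower(tostring(parse_url(Url).Host))
| where Host !in (AllowedHosts)
| where AccountUpn !in (AutomationAccounts)
| summarize
    Clicks = count(),
    DistinctUrls = dcount(Url),
    // Users who saw the Safe Links warning and proceeded anyway.
    ClickedThrough = countif(IsClickedThrough == true),
    // Clicks that reached the page (assumed ActionType value "ClickAllowed").
    Allowed = countif(ActionType == "ClickAllowed"),
    FirstClick = min(Timestamp),
    LastClick = max(Timestamp),
    Hosts = make_set(Host, 10),
    Threats = make_set(ThreatTypes, 5)
    by AccountUpn
| top 10 by Clicks desc
```

This version returns a table rather than a pie chart: keep the page's original `render piechart` query for the workbook tile, and use this one when an analyst needs to decide who to contact first. `ClickedThrough` and `Allowed` separate users who merely clicked a warning page from those who actually reached the flagged site, and `Hosts` shows at a glance whether a high count is one noisy marketing sender (a candidate for the allow-list) or many distinct phishing hosts (a user to follow up on). Spam verdicts inflate the counts; drop `"Spam"` from `has_any` if the hunt should focus on malware and phishing only.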