Adversaries may be leveraging spam emails to deliver malicious URLs, targeting specific users to compromise their accounts or spread malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing attempts and mitigate lateral movement risks.
KQL Query

```kql
UrlClickEvents
| where ThreatTypes == "Spam"
| summarize count() by AccountUpn
| top 10 by count_
| render piechart
```
```yaml
id: 3a2fdf32-ebe7-4f65-a1c3-fc7faf23ae90
name: Top 10 Users clicking on Malicious URLs (Spam)
description: |
  Visualises the top 10 users with click attempts on URLs in emails detected as spam, helping analysts identify risky user behaviour and potential targets.
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  UrlClickEvents
  | where ThreatTypes == "Spam"
  | summarize count() by AccountUpn
  | top 10 by count_
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and forwarding this table |
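The hunting query above, extended as an added example (not from the original page or the Sentinel content hub) to apply the exclusions the false-positive scenarios below describe: trusted marketing and internal domains and automation service accounts are filtered out, and click-through and distinct-URL counts are added so an analyst can tell a single mis-flagged newsletter from repeated risky behaviour. The exclusion lists are constructed placeholders; Timestamp, Url, Workload and IsClickedThrough are columns of the Defender XDR UrlClickEvents schema assumed to be populated by the connector.

```kql
// Added example: the page's query with the false-positive exclusions applied.
let lookback = 30d;
// Constructed placeholder list: marketing, partner and internal domains that
// the spam filter is known to mis-flag (replace with your tenant's values).
let trustedDomains = dynamic(["example.com", "brand.com", "internal.company.com"]);
// Constructed placeholder list: service/automation accounts whose URL fetches
// are not human clicks (replace with real UPNs from your tenant).
let automationAccounts = dynamic(["svc-mailparser@contoso.com"]);
UrlClickEvents
| where Timestamp > ago(lookback)
| where ThreatTypes == "Spam"
// Keep only email clicks; Teams and Office clicks are out of scope for this hunt.
| where Workload == "Email"
// Exclude automation accounts (case-insensitive UPN match).
| where AccountUpn !in~ (automationAccounts)
// Exact host match against the trusted-domain list; extend with endswith
// checks per entry if subdomains must be covered as well.
| extend UrlHost = tostring(parse_url(Url).Host)
| where UrlHost !in~ (trustedDomains)
| summarize Clicks = count(),
            // Clicks where the user proceeded past the Safe Links warning page.
            ClickedThrough = countif(IsClickedThrough == true),
            DistinctUrls = dcount(Url),
            LastClick = max(Timestamp)
    by AccountUpn
| top 10 by Clicks
```

Drop the `render piechart` line when using this in an analytics rule; keep it only in the workbook or hunting blade.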
**Scenario:** A user clicks on a legitimate marketing email that was mistakenly flagged as spam by the email filtering system.

**Filter/Exclusion:** Exclude URLs from known marketing domains (e.g., example.com, brand.com) using a custom list in Microsoft Defender for Office 365 or Microsoft 365 Defender. Apply a URL reputation filter to exclude URLs with a positive reputation.

**Scenario:** A system administrator clicks on a phishing email during a security awareness training exercise.

**Filter/Exclusion:** Create a user group for administrators and apply a user-based exclusion in Microsoft Defender for Office 365 to exclude clicks from this group. Alternatively, use Microsoft 365 Defender to tag these users as "training" and filter out their activity.

**Scenario:** A scheduled job or automated script (e.g., PowerShell or Python) processes emails and clicks on URLs as part of data extraction or parsing.

**Filter/Exclusion:** Exclude activity from service accounts or automation accounts in Microsoft 365 Defender. Use the user principal name (UPN) or object ID to identify and filter out these accounts.

**Scenario:** A user clicks on a URL in an internal email that was flagged as spam due to a false positive in the Microsoft Defender for Office 365 spam filter.

**Filter/Exclusion:** Use Microsoft 365 Defender to create a custom spam filter rule that excludes internal domains (e.g., internal.company.com) or specific senders. Alternatively, use suppression rules in Exchange Online to bypass spam filtering for trusted internal senders.

**Scenario:** A user clicks on a URL in an email from a legitimate partner or vendor that was misclassified as spam.
**Filter