
URLs by location

Language: KQL · Severity: MEDIUM · Source: Azure-Sentinel
Technique: T1566
Table: EmailUrlInfo
Tags: hunting, microsoft, official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-19T11:00:00Z · Confidence: medium

Hunt Hypothesis

Visualises where URLs have been identified in emails, summarising by UrlLocation (for example: Attachment, Header, Body) so analysts can see how URL placement is distributed across mail flow and where to focus review. This is a baseline chart rather than an alert: it counts every URL, malicious or benign. Based on the Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303

KQL Query

EmailUrlInfo
| summarize Count = count() by UrlLocation
| render piechart
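The pie chart tells you how URLs are distributed, not which messages to look at. The two queries below are added here as an illustration and are not part of the Azure-Sentinel repository rule. They assume the standard Defender XDR advanced hunting columns (Timestamp, NetworkMessageId, UrlDomain on EmailUrlInfo; SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, ThreatTypes on EmailEvents) and use "Attachment" as the UrlLocation value to pivot on; that value is named in the rule description, but its exact casing in your tenant should be confirmed from the first query's output. Run each query separately.

```kql
// Query 1 (added example): the same distribution as the rule above, bounded
// to a time window and with each location's share of all URLs, so that
// weekly snapshots can be compared rather than eyeballed on a pie chart.
let lookback = 7d;
let total = toscalar(EmailUrlInfo | where Timestamp > ago(lookback) | count);
EmailUrlInfo
| where Timestamp > ago(lookback)
| summarize Count = count() by UrlLocation
| extend SharePct = round(100.0 * Count / total, 2)
| order by Count desc

// Query 2 (added example): pivot from one slice of the chart to the messages
// behind it. EmailEvents has one row per recipient and EmailUrlInfo one row
// per URL, so the join fans out; dcount() keeps the counts honest.
// "Attachment" is an assumed UrlLocation value; check it against Query 1.
let lookback = 7d;
let location = "Attachment";
EmailUrlInfo
| where Timestamp > ago(lookback) and UrlLocation == location
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
              Subject, DeliveryAction, ThreatTypes
) on NetworkMessageId
| summarize Domains = make_set(UrlDomain, 20),
            Recipients = dcount(RecipientEmailAddress),
            Messages = dcount(NetworkMessageId)
          by SenderFromAddress, Subject, DeliveryAction, ThreatTypes
| order by Recipients desc
```

Change `location` to any value returned by Query 1 (for example the header slice) to pivot on a different part of the chart; DeliveryAction and ThreatTypes show immediately whether Defender for Office 365 already acted on the message or whether the URL reached the mailbox unflagged.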

Analytic Rule Definition

id: ab006655-d723-4844-9d5d-91cb3b020555
name: URLs by location
description: |
  Visualises where URLs have been identified in emails, summarizing by location (for example: Attachment, header, body) to help analysts understand distribution and risk.
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailUrlInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailUrlInfo
  | summarize Count = count() by UrlLocation
  | render piechart
version: 1.0.0

Required Data Sources

Sentinel table: EmailUrlInfo
Notes: Ensure the MicrosoftThreatProtection data connector (Microsoft Defender XDR) is enabled and streaming the EmailUrlInfo table into the workspace; without it the query returns no rows rather than an error.

False Positive Guidance

This query produces a distribution, not alerts, so there are no true or false positives to triage. Every URL in every email is counted regardless of verdict, and the chart will be dominated by routine mail (signatures, footers, tracking links). Treat it as a baseline: note the normal proportions for your tenant, then pivot into a specific UrlLocation only when its share shifts unexpectedly.

MITRE ATT&CK Context

Tactic: Initial Access (TA0001). Technique: T1566 Phishing. URLs embedded in email bodies, headers, or attachments are the delivery mechanism for link-based phishing; knowing where they normally appear helps analysts spot shifts such as a rise in attachment-embedded links.

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/URL/URLs by location.yaml