Safe Links in Defender for Office 365 checks URLs at time of click and shows a warning page when a link is classified as phishing; depending on the Safe Links policy, the user may still be allowed to click through the warning to the original URL. A click-through on a URL tagged "Phish" means the user actually reached the page, so credentials may already have been entered. SOC teams should hunt for this behavior in Azure Sentinel (the UrlClickEvents table delivered by the Microsoft 365 Defender connector) to catch the initial-access stage before credential abuse, lateral movement or data exfiltration follows.
KQL Query
UrlClickEvents
| where ActionType == "ClickAllowed" or IsClickedThrough !="0"
| where ThreatTypes has "Phish"
| summarize by ReportId, IsClickedThrough, AccountUpn, NetworkMessageId, ThreatTypes
id: f075d4c4-cf76-4e5d-9c2d-9ed524286316
name: User clicked through events
description: |
  This query helps review malicious clicks where the user was allowed to proceed through a malicious URL page.
description-detailed: |
  This query helps review malicious clicks where the user was allowed to proceed through a malicious URL page via the click-through option on the Safe Links warning page in Defender for Office 365.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  UrlClickEvents
  | where ActionType == "ClickAllowed" or IsClickedThrough != "0"
  | where ThreatTypes has "Phish"
  | summarize by ReportId, IsClickedThrough, AccountUpn, NetworkMessageId, ThreatTypes
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure the Microsoft 365 Defender data connector is enabled and streaming this table |
Scenario: A user clicked through to a legitimate internal link that Safe Links flagged
Example: A system administrator clicks a link in an alert email from a monitoring tool such as Datadog or Splunk that redirects to an internal dashboard, and Safe Links misclassifies the link (or one hop of its redirect chain) as phishing.
Filter/Exclusion: Exclude events where the Url host (or any hop in UrlChain) is on a list of approved internal domains. Because the query already requires ThreatTypes has "Phish", an internal link only reaches the results if Safe Links classified it as phishing, so confirm the classification was wrong before adding the exclusion rather than suppressing it blindly.
Scenario: A user clicked a link from a phishing simulation drill
Example: An employee clicks a simulated phishing link during a security awareness exercise run with a tool such as KnowBe4 or PhishMe, which redirects to a harmless training page.
Filter/Exclusion: Register the simulation vendor's sending domains and URLs in the Defender for Office 365 advanced delivery policy for third-party phishing simulations so Safe Links does not flag them in the first place; for anything that still appears, exclude events whose Url host matches the known simulation domains or a list of training URLs.
Scenario: An admin opened a URL from a bookmark, shortcut or local script during routine administrative tasks
Example: An admin uses a browser bookmark, or a Windows Task Scheduler job that runs a PowerShell script, to open an internal administrative tool.
Filter/Exclusion: UrlClickEvents only records clicks on Safe Links-wrapped links from email, Teams and Office apps (the Workload column shows which), so bookmarks, local file paths and scheduled scripts do not produce rows at all. If the URL of an administrative tool does appear here, it was clicked from a message; exclude it by matching the Url host against a list of known administrative tool domains, not by looking for local paths.
Scenario: A user clicked a URL in a legitimate email from a service provider
Example: A user clicks a link in a notification from Microsoft 365 or Google Workspace that leads to a genuine update or support page.
Filter/Exclusion: Exclude events where the Url host exactly matches a known trusted provider domain. Phishing routinely uses lookalike domains and legitimately hosted pages, so match on the full host rather than a substring, and confirm the sender by joining to EmailEvents on NetworkMessageId instead of trusting the URL alone.
Scenario: A user opened a URL through a browser extension or bookmarklet for legitimate purposes
Example: A developer uses a bookmarklet, or a tool such as Postman or Chrome DevTools, to call API endpoints while debugging. These requests do not pass through Safe Links, so the URL only shows up in UrlClickEvents if it was also clicked from a message.
Filter/Exclusion: Exclude events where the URL is associated with a
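Putting the exclusions above into one query, as an added example that is not part of the original hunting query: the same detection with approved internal and phishing-simulation hosts excluded, each click enriched with the sender and subject of the message it arrived in (joined to EmailEvents on NetworkMessageId), and the results aggregated per user and URL instead of per ReportId. The two domain lists are constructed placeholders, the click-through test is written as `IsClickedThrough == true` to match the column's documented bool type, and the Workload column is kept in the output so anything that did not come from Email, Teams or Office stands out.

```kql
// Added example, not the original hunting query. Domain lists are hypothetical placeholders.
let lookback = 7d;
// Hosts that are allowed to be excluded: exact-host matches only, never substrings.
let approved_internal = dynamic(["dashboards.corp.example", "splunk.corp.example"]);   // hypothetical
let simulation_domains = dynamic(["phish-sim.example", "training.example"]);           // hypothetical
UrlClickEvents
| where Timestamp > ago(lookback)
// Safe Links allowed the click, or the user chose to click through the warning page.
| where ActionType == "ClickAllowed" or IsClickedThrough == true
// Only URLs Safe Links classified as phishing.
| where ThreatTypes has "Phish"
// Pull the host out of the clicked URL so exclusions can match the whole host.
| extend UrlHost = tostring(parse_url(Url).Host)
| where not(UrlHost in~ (approved_internal))
| where not(UrlHost in~ (simulation_domains))
// Enrich with the message the link was delivered in.
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, SenderFromAddress, Subject, RecipientEmailAddress
  ) on NetworkMessageId
// One row per user and URL; keep the message and report ids for pivoting.
| summarize Clicks = count(),
            FirstClick = min(Timestamp),
            LastClick = max(Timestamp),
            Senders = make_set(SenderFromAddress, 5),
            Subjects = make_set(Subject, 5),
            SourceIPs = make_set(IPAddress, 5),
            MessageIds = make_set(NetworkMessageId, 10),
            ReportIds = make_set(ReportId, 10)
          by AccountUpn, UrlHost, Url, Workload, ActionType, IsClickedThrough, ThreatTypes, DetectionMethods
| order by LastClick desc
```

In Sentinel the two `dynamic` lists can be replaced with watchlists (`_GetWatchlist('ApprovedInternalDomains') | project Host`) so the exclusions are maintained outside the query; the exact-host comparison with `in~` is deliberate, because a `contains` or `has` match on a provider domain would also let lookalike and subdomain-hosted phishing pages through.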