Users may click on phishing URLs in emails, indicating potential credential theft or malware delivery, and SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage phishing attacks before they lead to data exfiltration or system compromise.
KQL Query
UrlClickEvents
| where ThreatTypes has "Phish"
| join EmailEvents on NetworkMessageId, $left.AccountUpn == $right.RecipientEmailAddress
| project Timestamp, Url, ActionType, AccountUpn, ReportId, NetworkMessageId, ThreatTypes, IsClickedThrough, DeliveryLocation, OrgLevelAction, UserLevelAction
id: d823da0e-1334-4a66-8ff4-2c2c40d26295
name: User clicks on phishing URLs in emails
description: |
  This query helps in determining clickthroughs when email delivered because of detection overrides.
description-detailed: |
  This query helps in determining clickthroughs, potential deliveries through User/Tenant overrides and detection details for malicious clicks on URLs in emails
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - UrlClickEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  UrlClickEvents
  | where ThreatTypes has "Phish"
  | join EmailEvents on NetworkMessageId, $left.AccountUpn == $right.RecipientEmailAddress
  | project Timestamp, Url, ActionType, AccountUpn, ReportId, NetworkMessageId, ThreatTypes, IsClickedThrough, DeliveryLocation, OrgLevelAction, UserLevelAction
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: User clicks on a legitimate internal URL in an email (e.g., internal ticketing system)
Filter/Exclusion: Exclude URLs that match internal domain patterns (e.g., *.internal.company.com) using a regex or IP address whitelisting in the SIEM.
Scenario: Scheduled job or automation tool clicks on a URL for testing or configuration
Filter/Exclusion: Exclude events where the user is a service account or system account (e.g., svc-automation, system, or root) using user/group filtering in the SIEM.
Scenario: Admin clicks on a phishing URL during a security awareness training simulation
Filter/Exclusion: Exclude events where the user is a security admin or has a role like security-training using role-based filtering in the SIEM.
Scenario: User clicks on a URL in an email from a trusted vendor for a legitimate support request
Filter/Exclusion: Exclude URLs from known trusted vendors (e.g., support.examplevendor.com) using a custom list or IP address whitelisting in the SIEM.
Scenario: User clicks on a URL in an email from a legitimate partner for a business process (e.g., contract signing)
Filter/Exclusion: Exclude URLs from known partner domains (e.g., partners.companyname.com) using a domain-based exclusion list in the SIEM.
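As an added example that is not the repository's own hunting query, the same join with the exclusions from the scenarios above expressed as KQL allow-lists. The domain, account and sender values are hypothetical placeholders, and the training-simulation scenario is approximated by the simulation sender's address because neither joined table carries role information.

```kql
// Added example, not part of the original hunting query.
// Allow-list values below are placeholders; replace them with your own tenant's data.
let internalDomainPattern = @"^https?://[^/]*\.internal\.company\.com(/|$)";   // internal ticketing etc.
let trustedDomains = dynamic(["support.examplevendor.com", "partners.companyname.com"]); // vendors / partners
let serviceAccounts = dynamic(["svc-automation@company.com", "system@company.com"]);      // automation mailboxes
let simulationSenders = dynamic(["security-training@company.com"]);                       // awareness-training sender
UrlClickEvents
| where ThreatTypes has "Phish"
| join kind=inner EmailEvents on NetworkMessageId, $left.AccountUpn == $right.RecipientEmailAddress
| extend UrlHost = tostring(parse_url(Url).Host)
// Scenario 1: internal URLs matched by domain pattern
| where not(Url matches regex internalDomainPattern)
// Scenarios 4 and 5: trusted vendor and partner domains
| where UrlHost !in~ (trustedDomains)
// Scenario 2: service / automation accounts
| where AccountUpn !in~ (serviceAccounts)
// Scenario 3: clicks generated by the phishing-simulation campaign
| where SenderFromAddress !in~ (simulationSenders)
| project Timestamp, Url, UrlHost, ActionType, AccountUpn, SenderFromAddress, ReportId,
          NetworkMessageId, ThreatTypes, IsClickedThrough, DeliveryLocation, OrgLevelAction, UserLevelAction
```

Keep the allow-lists short and reviewed: every entry suppresses clicks that Defender already classified as phishing, so a stale vendor or partner domain silently hides true positives.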