Users are bypassing SmartScreen URL blocking mechanisms to execute potentially malicious files, indicating possible adversary attempts to evade basic security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential malware execution attempts that circumvent standard browser protections.
KQL Query
```kql
let minTimeRange = ago(7d);
let smartscreenUrlBlocks =
DeviceEvents
| where ActionType == "SmartScreenUrlWarning" and Timestamp > minTimeRange
// Filter out SmartScreen test URLs under https://demo.smartscreen.msft.net/
and RemoteUrl !startswith "https://demo.smartscreen.msft.net/"
| extend ParsedFields=parse_json(AdditionalFields)
| project Timestamp, DeviceName, BlockedUrl=RemoteUrl, Recommendation=tostring(ParsedFields.Recommendation), Experience=tostring(ParsedFields.Experience), ActivityId=tostring(ParsedFields.ActivityId);
// Query for UserDecision events - each one means the user has decided to ignore the warning and run the app.
let userIgnoredWarning=
DeviceEvents
| where ActionType == "SmartScreenUserOverride" and Timestamp > minTimeRange
| project DeviceName, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string));
// Join the block and user decision event using an ActivityId
let ignoredBlocks = smartscreenUrlBlocks | join kind=leftsemi (userIgnoredWarning) on DeviceName, ActivityId | project-away ActivityId;
// Optional additional filter - look only for cases where a file was downloaded from Microsoft Edge following the URL block being ignored
let edgeDownloads =
DeviceFileEvents
| where Timestamp > minTimeRange and InitiatingProcessFileName =~ "browser_broker.exe"
// Keep the latest download (and its SHA1) per file, device, origin URL and referrer
| summarize (DownloadTime, SHA1) = arg_max(Timestamp, SHA1) by FileName, DeviceName, FileOriginUrl, FileOriginReferrerUrl;
ignoredBlocks
| join kind=inner (edgeDownloads) on DeviceName
// Only downloads that completed within two minutes after the ignored block
| where DownloadTime - Timestamp between (0min .. 2min)
| project-away DeviceName1
```
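The correlation the query above performs, as an added Python example that is not part of the Sentinel query or this page: it parses AdditionalFields, semi-joins URL warnings to user overrides on (DeviceName, ActivityId) while excluding the SmartScreen demo site, keeps the latest Edge download per file like the arg_max summarize, and applies the 0 to 2 minute window. Sample rows, hostnames, SHA1 values and the helper names (`_ev`, `_dl`, `_ts`, `_field`) are constructed; the ago(7d) time bound and the Experience column are omitted.

```python
import json
from datetime import datetime, timedelta
DEMO_PREFIX = "https://demo.smartscreen.msft.net/"  # SmartScreen test URLs, excluded exactly as in the query

def _ev(hms, dev, action, url="", **fields):  # constructed DeviceEvents row; AdditionalFields is a JSON string
    return {"Timestamp": "2024-01-10T" + hms, "DeviceName": dev, "ActionType": action, "RemoteUrl": url,
            "AdditionalFields": json.dumps(fields)}
def _dl(hms, dev, name, sha1, origin, proc="Browser_Broker.exe"):  # constructed DeviceFileEvents row
    return {"Timestamp": "2024-01-10T" + hms, "DeviceName": dev, "InitiatingProcessFileName": proc,
            "FileName": name, "SHA1": sha1, "FileOriginUrl": origin, "FileOriginReferrerUrl": ""}
def _ts(e):
    return datetime.fromisoformat(e["Timestamp"])
def _field(e, name):  # like extractjson("$.<name>", AdditionalFields) / tostring(ParsedFields.<name>)
    return json.loads(e["AdditionalFields"]).get(name, "")

# ws01: warning overridden, Edge download 45 s later (a hit); ws02: warning never overridden;
# ws03: override of a SmartScreen demo URL (filtered out); later.exe: outside the 2 min window.
DEVICE_EVENTS = [
    _ev("09:00:00", "ws01", "SmartScreenUrlWarning", "https://dl.example.invalid/setup.exe", Recommendation="Block", ActivityId="A1"),
    _ev("09:00:20", "ws01", "SmartScreenUserOverride", ActivityId="A1"),
    _ev("09:05:00", "ws02", "SmartScreenUrlWarning", "https://dl.example.invalid/tool.exe", Recommendation="Block", ActivityId="A2"),
    _ev("09:10:00", "ws03", "SmartScreenUrlWarning", DEMO_PREFIX + "demo.html", Recommendation="Block", ActivityId="A3"),
    _ev("09:10:05", "ws03", "SmartScreenUserOverride", ActivityId="A3"),
]
FILE_EVENTS = [
    _dl("09:00:45", "ws01", "setup.exe", "constructed-sha1-aaaa", "https://dl.example.invalid/setup.exe"),
    _dl("09:30:00", "ws01", "later.exe", "constructed-sha1-bbbb", "https://dl.example.invalid/later.exe"),
]

def ignored_blocks(events=DEVICE_EVENTS):
    """Warnings the user overrode: the leftsemi join on (DeviceName, ActivityId), demo URLs excluded."""
    overrides = {(e["DeviceName"], _field(e, "ActivityId")) for e in events if e["ActionType"] == "SmartScreenUserOverride"}
    return [{"Timestamp": _ts(e), "DeviceName": e["DeviceName"], "BlockedUrl": e["RemoteUrl"], "Recommendation": _field(e, "Recommendation")}
            for e in events if e["ActionType"] == "SmartScreenUrlWarning" and not e["RemoteUrl"].startswith(DEMO_PREFIX)
            and (e["DeviceName"], _field(e, "ActivityId")) in overrides]

def edge_downloads(file_events=FILE_EVENTS):
    """Latest Edge download per (FileName, DeviceName, origin, referrer): the arg_max summarize; =~ is case-insensitive."""
    latest = {}
    for e in file_events:
        key = (e["FileName"], e["DeviceName"], e["FileOriginUrl"], e["FileOriginReferrerUrl"])
        if e["InitiatingProcessFileName"].lower() == "browser_broker.exe" and (key not in latest or _ts(latest[key]) < _ts(e)):
            latest[key] = e
    return [{"DownloadTime": _ts(e), "SHA1": e["SHA1"], "FileName": e["FileName"], "DeviceName": e["DeviceName"]} for e in latest.values()]

def hunt(events=DEVICE_EVENTS, file_events=FILE_EVENTS, window=timedelta(minutes=2)):
    """Ignored blocks followed by an Edge download on the same device within 0 .. 2 minutes (the final inner join)."""
    return [{**b, **d} for b in ignored_blocks(events) for d in edge_downloads(file_events)
            if d["DeviceName"] == b["DeviceName"] and timedelta(0) <= d["DownloadTime"] - b["Timestamp"] <= window]
```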
Hunting query definition (YAML)
```yaml
id: 172e5bee-9298-4c59-bd2a-e96d87e8e6d8
name: SmartScreen URL block ignored by user
description: |
  Query for SmartScreen URL blocks, where the user has decided to run the malware nonetheless.
  An additional optional filter is applied to query only for cases where Microsoft Edge has downloaded a file shortly after the ignored block.
  Read more about SmartScreen here: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.
  Data availability: These events are available only on Windows 10 version 1703 and onwards.
  Tags: #SmartScreen.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
      - DeviceFileEvents
query: |
  let minTimeRange = ago(7d);
  let smartscreenUrlBlocks =
  DeviceEvents
  | where ActionType == "SmartScreenUrlWarning" and Timestamp > minTimeRange
  // Filter out SmartScreen test URLs under https://demo.smartscreen.msft.net/
  and RemoteUrl !startswith "https://demo.smartscreen.msft.net/"
  | extend ParsedFields=parse_json(AdditionalFields)
  | project Timestamp, DeviceName, BlockedUrl=RemoteUrl, Recommendation=tostring(ParsedFields.Recommendation), Experience=tostring(ParsedFields.Experience), ActivityId=tostring(ParsedFields.ActivityId);
  // Query for UserDecision events - each one means the user has decided to ignore the warning and run the app.
  let userIgnoredWarning=
  DeviceEvents
  | where ActionType == "SmartScreenUserOverride" and Timestamp > minTimeRange
  | project DeviceName, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string));
  // Join the block and user decision event using an ActivityId
  let ignoredBlocks = smartscreenUrlBlocks | join kind=leftsemi (userIgnoredWarning) on DeviceName, ActivityId | project-away ActivityId;
  // Optional additional filter - look only for cases where a file was downloaded from Microsoft Edge following the URL block being ignored
  let edgeDownloads =
  DeviceFileEvents
  | where Timestamp > minTimeRange and InitiatingProcessFileName =~ "browser_broker.exe"
  | summarize (DownloadTime, SHA1) = arg_max(Timestamp, SHA1) by FileName, DeviceName, FileOriginUrl, FileOriginReferrerUrl;
  ignoredBlocks
  | join kind=inner (edgeDownloads) on DeviceName
  | where DownloadTime - Timestamp between (0min .. 2min)
  | project-away DeviceName1
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: User manually bypasses SmartScreen for a known safe file
Description: A user downloads a legitimate file (e.g., a software update or a trusted document) and explicitly bypasses SmartScreen in Microsoft Edge.
Filter/Exclusion: Check for known safe file extensions (e.g., .msi, .exe from trusted vendors) or use a file reputation service (e.g., Microsoft Defender ATP) to validate the file’s safety before triggering an alert.
Scenario: Scheduled job downloads a file with SmartScreen bypass
Description: A system administrator runs a scheduled task (e.g., using Task Scheduler or PowerShell) that downloads a file (e.g., a patch or configuration file) and bypasses SmartScreen.
Filter/Exclusion: Filter by process name (e.g., schtasks.exe, powershell.exe) or check for the presence of a trusted admin task (e.g., Update-AppxPackage or WindowsUpdate) in the command line.
Scenario: Admin uses InPrivate browsing to bypass SmartScreen
Description: An administrator uses Microsoft Edge’s InPrivate mode to download a file, which may bypass SmartScreen prompts.
Filter/Exclusion: Check for the presence of the InPrivate flag in the Edge process or filter by the user context (e.g., admin user with elevated privileges).
Scenario: User downloads a file from a trusted internal URL
Description: A user downloads a file from an internal company server (e.g., via a local intranet URL) and bypasses SmartScreen, which is expected in a corporate environment.
Filter/Exclusion: Filter by URL domain (e.g., internal.company.com) or check for internal IP ranges (e.g., 10.0.0.0/8, `172.1