An adversary may be attempting to execute malicious content by launching a browser to open a suspicious URL, which could lead to phishing or malware delivery. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise attempts early and prevent further lateral movement or data exfiltration.
KQL Query
```kql
// Some URLs are wrapped in a Safe Links wrapper;
// get the unwrapped URL and the clicks on it.
AlertInfo
| where ServiceSource =~ "Microsoft Defender for Office 365"
| join (
    AlertEvidence
    | where EntityType == "Url"
    | project AlertId, RemoteUrl
  ) on AlertId
| join (
    AlertEvidence
    | where EntityType == "MailMessage"
    | project AlertId, NetworkMessageId
  ) on AlertId
// Get the unique NetworkMessageId for the email containing the URL
| distinct RemoteUrl, NetworkMessageId
| join EmailEvents on NetworkMessageId
// Get the RecipientEmailAddress and RecipientObjectId from the email
| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId
| join kind=inner IdentityInfo on $left.RecipientObjectId == $right.AccountObjectId
// Get the on-premises SID of the recipient
| extend OnPremSid = AccountSID
| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId, OnPremSid
// Get the URL click event on the recipient's device
| join kind=inner (
    DeviceEvents
    | where ActionType == "BrowserLaunchedToOpenUrl"
    | where isnotempty(RemoteUrl)
    | project UrlDeviceClickTime = Timestamp, UrlClickedByUserSid = RemoteUrl,
              InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName
  ) on $left.OnPremSid == $right.InitiatingProcessAccountSid and $left.RemoteUrl == $right.UrlClickedByUserSid
| distinct UrlDeviceClickTime, RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId,
           OnPremSid, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName
| sort by UrlDeviceClickTime desc
```
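The final join above compares the alert's RemoteUrl with the endpoint's RemoteUrl by exact string equality, so a click that the endpoint recorded with the Safe Links wrapper, in different letter case, with a trailing slash or with a fragment never matches. The KQL below is an added example, not part of the original hunting query or of Microsoft's content: it unwraps Safe Links URLs and builds a loose comparison key on both sides before joining. It assumes the Safe Links wrapper form `https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded original>&...` and a 7-day look-back; the function names `UnwrapSafeLink` and `MakeUrlKey` and the column aliases are the example's own.

```kql
// Added example, not part of the original hunting query.
// Assumes Safe Links wraps the original link as
//   https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded original>&data=...
// Unwrap a Safe Links URL; any other URL is returned unchanged.
let UnwrapSafeLink = (Url:string) {
    iff(Url contains "safelinks.protection.outlook.com",
        url_decode(extract(@"[?&]url=([^&]+)", 1, Url)),
        Url)
};
// Loose comparison key: drop the fragment, strip trailing slashes, lower-case the whole string.
// Lower-casing the path is a deliberate loosening for hunting; paths are case-sensitive in general.
let MakeUrlKey = (Url:string) {
    tolower(trim_end(@"/+", tostring(split(Url, "#")[0])))
};
// Endpoint side: browser launches, with the clicked URL normalised the same way as the alert URL.
let ClickEvents =
    DeviceEvents
    | where Timestamp > ago(7d)
    | where ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl)
    | extend ClickedUrl = UnwrapSafeLink(RemoteUrl)
    | extend UrlKey = MakeUrlKey(ClickedUrl)
    | project UrlDeviceClickTime = Timestamp, UrlKey, ClickedUrl, DeviceRemoteUrl = RemoteUrl,
              InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName;
// Alert side: URL evidence from Defender for Office 365 alerts, normalised with the same key.
AlertInfo
| where Timestamp > ago(7d)
| where ServiceSource =~ "Microsoft Defender for Office 365"
| join kind=inner (
    AlertEvidence
    | where EntityType == "Url" and isnotempty(RemoteUrl)
    | project AlertId, AlertUrl = RemoteUrl
  ) on AlertId
| extend UrlKey = MakeUrlKey(UnwrapSafeLink(AlertUrl))
| distinct AlertId, Title, AlertUrl, UrlKey
| join kind=inner ClickEvents on UrlKey
| project UrlDeviceClickTime, AlertId, Title, AlertUrl, ClickedUrl, DeviceRemoteUrl,
          DeviceName, DeviceId, InitiatingProcessAccountSid, InitiatingProcessFileName
| sort by UrlDeviceClickTime desc
```

This block matches on the URL only and leaves out the recipient-SID correlation that the original query performs through EmailEvents and IdentityInfo; to keep that correlation, apply `MakeUrlKey(UnwrapSafeLink(...))` to both `RemoteUrl` columns of the original query's last join and join on the resulting key instead of the raw strings.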
```yaml
id: 959f8d6a-53b8-488f-a628-999b3410702e
name: SuspiciousUrlClicked
description: |
  This query correlates Microsoft Defender for Office 365 signals and Microsoft Entra ID identity data to find the relevant endpoint event BrowserLaunchedToOpenUrl in Microsoft Defender ATP.
  This event reflects relevant clicks on the malicious URL in the spear-phishing email recognized by Microsoft Defender for Office 365.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
      - AlertEvidence
      - EmailEvents
      - IdentityInfo
      - DeviceEvents
tactics:
  - Initial access
query: |
  // Some URLs are wrapped in a Safe Links wrapper;
  // get the unwrapped URL and the clicks on it.
  AlertInfo
  | where ServiceSource =~ "Microsoft Defender for Office 365"
  | join (
      AlertEvidence
      | where EntityType == "Url"
      | project AlertId, RemoteUrl
    ) on AlertId
  | join (
      AlertEvidence
      | where EntityType == "MailMessage"
      | project AlertId, NetworkMessageId
    ) on AlertId
  // Get the unique NetworkMessageId for the email containing the URL
  | distinct RemoteUrl, NetworkMessageId
  | join EmailEvents on NetworkMessageId
  // Get the RecipientEmailAddress and RecipientObjectId from the email
  | distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId
  | join kind=inner IdentityInfo on $left.RecipientObjectId == $right.AccountObjectId
  // Get the on-premises SID of the recipient
  | extend OnPremSid = AccountSID
  | distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId, OnPremSid
  // Get the URL click event on the recipient's device
  | join kind=inner (
      DeviceEvents
      | where ActionType == "BrowserLaunchedToOpenUrl"
      | where isnotempty(RemoteUrl)
      | project UrlDeviceClickTime = Timestamp, UrlClickedByUserSid = RemoteUrl,
                InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName
    ) on $left.OnPremSid == $right.InitiatingProcessAccountSid and $left.RemoteUrl == $right.UrlClickedByUserSid
  | distinct UrlDeviceClickTime, RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId,
             OnPremSid, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName
  | sort by UrlDeviceClickTime desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| AlertEvidence | Ensure this data connector is enabled |
| DeviceEvents | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
| IdentityInfo | Ensure this data connector is enabled |
**Scenario:** User clicks on a legitimate internal URL during a scheduled system update
**Description:** A user clicks on a URL in an email notification about a scheduled system update, which is hosted internally.
**Filter/Exclusion:** Exclude URLs that match internal domain patterns (e.g., *.internal.company.com) or URLs containing known update-related paths (e.g., /update/, /patch/).

**Scenario:** Admin accesses a secure internal portal to manage user permissions
**Description:** An admin clicks on a URL from a secure internal portal (e.g., Azure AD admin center) to configure user roles.
**Filter/Exclusion:** Exclude URLs that match internal admin domains (e.g., *.admin.microsoft.com, *.azure.com) or URLs that include admin-specific paths (e.g., /users/, /roles/).

**Scenario:** Scheduled job runs a script that opens a URL for data synchronization
**Description:** A scheduled task (e.g., SyncDataJob.exe) runs a script that opens a URL to synchronize data with a third-party service.
**Filter/Exclusion:** Exclude events where the browser launch is initiated by a scheduled task (e.g., Task Scheduler or cron job) or where the URL is known to be part of a data sync process.

**Scenario:** User clicks on a phishing email link that mimics a legitimate internal URL
**Description:** A user receives a phishing email that mimics a legitimate internal URL (e.g., https://internal.company.com/login) and clicks on it.
**Filter/Exclusion:** Exclude URLs that are flagged as phishing by Microsoft Defender for Office 365 or that match known phishing URL patterns (e.g., *.phishing.com, *.malicious.com).

**Scenario:** IT team uses a tool like PowerShell to open a URL
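The scenarios above describe exclusions in prose. The KQL below is an added example, not part of the original hunting query: it applies the internal-host, admin-portal and automation-process exclusions to the DeviceEvents side as named exclusion reasons, so a tuned-out click can still be reviewed rather than silently dropped. The host patterns, path fragments and process name are the scenarios' own placeholder values (`internal.company.com`, `admin.microsoft.com`, `/update/`, `/patch/`, `SyncDataJob.exe`); the end-anchored regexes, the decision to scope the path check to internal hosts, and the 7-day window are the example's choices.

```kql
// Added example, not part of the original hunting query.
// Placeholder values come from the benign scenarios; replace them with your own allow-list.
// Host patterns are anchored at the end of the host name so that a look-alike such as
// internal.company.com.evil.example is NOT excluded (the mimicry case in scenario 4).
let InternalHostRegex   = @"(^|\.)internal\.company\.com$";   // *.internal.company.com
let AdminPortalRegex    = @"(^|\.)admin\.microsoft\.com$";    // *.admin.microsoft.com
let UpdatePathRegex     = @"/(update|patch)/";                // known update-related paths
let AutomationProcesses = dynamic(["SyncDataJob.exe"]);       // scheduled jobs known to open URLs
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl)
| extend Parsed = parse_url(RemoteUrl)
| extend UrlHost = tolower(tostring(Parsed.Host)), UrlPath = tostring(Parsed.Path)
// Tag each click with the first matching benign reason; an empty reason means "keep hunting".
| extend ExclusionReason = case(
      UrlHost matches regex InternalHostRegex and UrlPath matches regex UpdatePathRegex, "internal update notification",
      UrlHost matches regex InternalHostRegex, "internal host",
      UrlHost matches regex AdminPortalRegex, "internal admin portal",
      InitiatingProcessFileName in~ (AutomationProcesses), "known automation process",
      "")
| where isempty(ExclusionReason)
| project Timestamp, DeviceName, DeviceId, InitiatingProcessAccountSid, InitiatingProcessFileName,
          RemoteUrl, UrlHost, UrlPath
| sort by Timestamp desc
```

To audit the tuning, flip the filter to `where isnotempty(ExclusionReason)` and summarize by `ExclusionReason`; the path check is deliberately combined with the internal-host check because an external host with `/update/` in its path is exactly what a lure may use. The resulting rows can replace the parenthesised DeviceEvents subquery in the hunting query, keeping its SID and URL join conditions.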