Adversaries place the real phishing destination inside an open-redirect parameter of a URL on a trusted domain: the link the user sees (and the domain-reputation checks in front of it) shows a legitimate host, while the browser ends up on attacker-controlled infrastructure hosting a credential-harvesting page. The hunting query below, written for Microsoft Sentinel (formerly Azure Sentinel) over Microsoft 365 Defender device telemetry, surfaces browser launches to such redirecting URLs so SOC analysts can find phishing links that pass standard URL-reputation filtering only because the visible domain is trusted.
KQL Query
// Browser launches recorded by Microsoft 365 Defender device telemetry
DeviceEvents
| where ActionType == "BrowserLaunchedToOpenUrl"
| extend ParsedUrl = parse_url(RemoteUrl)
| extend ParameterKeys = bag_keys(ParsedUrl.['Query Parameters'])
// Expand each query parameter and keep only the names commonly used for open redirects
| mv-apply ParameterKeys to typeof(string) on (
    where ParameterKeys in~ ('url','redirect','external-link','proxy')
    | extend ParameterValue = tostring(ParsedUrl.['Query Parameters'].[ParameterKeys])
    | where ParameterValue startswith "http"
    | extend RedirectedUrl = url_decode(ParameterValue)
    | extend ParsedRedirectUrl = parse_url(RedirectedUrl)
)
| extend
    OriginalDomain = tostring(ParsedUrl.Host),
    RedirectedDomain = tostring(ParsedRedirectUrl.Host)
// Drop redirects back to the same host, and Microsoft Safe Links rewrites,
// which always wrap the original link in a url= parameter
| where
    OriginalDomain !~ RedirectedDomain
    and OriginalDomain !endswith '.safelinks.protection.outlook.com'
// Last two labels of each host, surfaced for analyst review only (not used as a filter;
// for public suffixes such as co.uk this is not the true registrable domain)
| extend
    oTLD = tostring(split(OriginalDomain, '.')[-1]),
    oSLD = tostring(split(OriginalDomain, '.')[-2]),
    rTLD = tostring(split(RedirectedDomain, '.')[-1]),
    rSLD = tostring(split(RedirectedDomain, '.')[-2])
| extend
    OriginalSLD = strcat(oSLD, '.', oTLD),
    RedirectedSLD = strcat(rSLD, '.', rTLD)
| project-reorder
    OriginalDomain,
    RedirectedDomain,
    OriginalSLD,
    RedirectedSLD,
    RemoteUrl,
    RedirectedUrl
id: daf19704-a996-4df7-9a0b-3efac47fea5a
name: User navigation to redirected URL
description: |
  This query identifies when a user clicks a link that opens a browser to navigate to a URL
  which uses redirection. It drops redirections back to the originating host and Microsoft
  Safe Links rewrites, and surfaces the last two labels of both hosts so redirects into a
  different DNS namespace stand out. Redirection identification is done based on URL query
  parameters outlined in the following article:
  https://www.bleepingcomputer.com/news/security/snapchat-amex-sites-abused-in-microsoft-365-phishing-attacks/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566.002
query: |
  // Browser launches recorded by Microsoft 365 Defender device telemetry
  DeviceEvents
  | where ActionType == "BrowserLaunchedToOpenUrl"
  | extend ParsedUrl = parse_url(RemoteUrl)
  | extend ParameterKeys = bag_keys(ParsedUrl.['Query Parameters'])
  // Expand each query parameter and keep only the names commonly used for open redirects
  | mv-apply ParameterKeys to typeof(string) on (
      where ParameterKeys in~ ('url','redirect','external-link','proxy')
      | extend ParameterValue = tostring(ParsedUrl.['Query Parameters'].[ParameterKeys])
      | where ParameterValue startswith "http"
      | extend RedirectedUrl = url_decode(ParameterValue)
      | extend ParsedRedirectUrl = parse_url(RedirectedUrl)
  )
  | extend
      OriginalDomain = tostring(ParsedUrl.Host),
      RedirectedDomain = tostring(ParsedRedirectUrl.Host)
  // Drop redirects back to the same host, and Microsoft Safe Links rewrites,
  // which always wrap the original link in a url= parameter
  | where
      OriginalDomain !~ RedirectedDomain
      and OriginalDomain !endswith '.safelinks.protection.outlook.com'
  // Last two labels of each host, surfaced for analyst review only (not used as a filter;
  // for public suffixes such as co.uk this is not the true registrable domain)
  | extend
      oTLD = tostring(split(OriginalDomain, '.')[-1]),
      oSLD = tostring(split(OriginalDomain, '.')[-2]),
      rTLD = tostring(split(RedirectedDomain, '.')[-1]),
      rSLD = tostring(split(RedirectedDomain, '.')[-2])
  | extend
      OriginalSLD = strcat(oSLD, '.', oTLD),
      RedirectedSLD = strcat(rSLD, '.', rTLD)
  | project-reorder
      OriginalDomain,
      RedirectedDomain,
      OriginalSLD,
      RedirectedSLD,
      RemoteUrl,
      RedirectedUrl
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure it is enabled and that device events are being ingested |
Scenario: A user clicks a link in an internal documentation portal that redirects to the company's own login page (e.g., https://internal.example.com/login).
Filter/Exclusion: The query only drops redirects whose target host equals the originating host, so add a filter comparing the OriginalSLD and RedirectedSLD columns it already computes, or allow-list the internal registrable domain (example.com) in RedirectedSLD.
Scenario: An administrator's scheduled job or script launches a browser against a local test server (e.g., http://localhost:8080/test) as part of automated testing.
Filter/Exclusion: DeviceEvents records the launching process in InitiatingProcessFileName and InitiatingProcessCommandLine; exclude known automation binaries (Task Scheduler- or cron-driven scripts, PowerShell with specific command-line arguments) and loopback targets.
Scenario: A user follows a phishing-simulation link that redirects to a mock phishing page run by the company's awareness program (e.g., https://phishing-sim.example.com).
Filter/Exclusion: Allow-list the simulation program's registrable domain in RedirectedSLD (or the full hostnames in RedirectedDomain), keeping the list in a watchlist so pre-approved campaigns do not need query changes.
Scenario: A user accesses a legitimate internal tool that uses an OAuth redirect flow (e.g., https://auth.example.com/oauth2callback) after logging in through an external identity provider.
Filter/Exclusion: The query matches only the parameter names url, redirect, external-link and proxy, so a standard redirect_uri parameter will not fire; where an identity provider does route through one of the matched names, exclude the known SSO and OAuth callback endpoints in RedirectedDomain.
Scenario: A DevOps engineer uses a CI/CD pipeline tool (e.g., Jenkins, GitLab CI) that opens a redirecting link to a staging environment URL (e.g., https://staging.example.com).
Filter/Exclusion: Exclude build agents and DevOps hosts by DeviceName, or by the service account in InitiatingProcessAccountName, rather than by IP address.
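As an added example that is not part of the original hunting query or Microsoft's code, the following Python re-implements the query's matching rules over constructed DeviceEvents rows, so the filters in the query above and the tuning described in the false-positive scenarios can be tested offline before they are written back into KQL. It goes beyond the KQL in two ways, both marked in the code: it compares registrable domains instead of only hosts (the query computes OriginalSLD/RedirectedSLD but never filters on them), and it uses a hypothetical, deliberately short public-suffix list so that example.co.uk and evil.co.uk are not collapsed to the same value. The allow-list, hostnames and sample rows are assumptions constructed for the example.

```python
# Added example (not part of the original hunting query or Microsoft's code):
# a Python re-implementation of the query's redirect-detection logic, run over
# constructed DeviceEvents rows so the matching rules can be exercised offline.
from urllib.parse import urlsplit, parse_qs

# Same parameter names the KQL matches with in~ (case-insensitive).
REDIRECT_PARAMS = {"url", "redirect", "external-link", "proxy"}
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# The query's "SLD" is simply the last two host labels, which collapses
# example.co.uk and evil.co.uk to the same value. This hypothetical, deliberately
# short list of multi-label public suffixes shows the fix; a real deployment
# would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Registrable domain of a host: last two labels, or three when the last
    two are a known public suffix (go.example.co.uk -> example.co.uk)."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_redirects(remote_url: str):
    """Mirror of the KQL mv-apply: yield (parameter, target URL) for every
    redirect-style query parameter whose value starts with http.
    parse_qs already percent-decodes, which is the url_decode step in KQL."""
    query = urlsplit(remote_url).query
    for key, values in parse_qs(query).items():
        if key.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            if value.lower().startswith("http"):
                yield key, value


def hunt(events, internal_domains=frozenset()):
    """Apply the query's filters to DeviceEvents-shaped rows and return one
    finding per surviving (event, redirect parameter). Beyond the KQL, it also
    drops redirects whose registrable domain matches the origin or an
    allow-listed internal domain (the tuning the false-positive notes call for)."""
    findings = []
    for ev in events:
        if ev["ActionType"] != "BrowserLaunchedToOpenUrl":
            continue
        original_host = (urlsplit(ev["RemoteUrl"]).hostname or "").lower()
        if original_host.endswith(SAFELINKS_SUFFIX):
            continue  # Microsoft's own Safe Links rewrite, not an open redirect
        for param, target in extract_redirects(ev["RemoteUrl"]):
            redirected_host = (urlsplit(target).hostname or "").lower()
            if redirected_host == original_host:
                continue  # same host: the query's own exclusion
            original_sld = registrable_domain(original_host)
            redirected_sld = registrable_domain(redirected_host)
            if redirected_sld == original_sld or redirected_sld in internal_domains:
                continue  # same DNS namespace, or allow-listed (added tuning)
            findings.append({
                "OriginalDomain": original_host,
                "RedirectedDomain": redirected_host,
                "OriginalSLD": original_sld,
                "RedirectedSLD": redirected_sld,
                "Parameter": param,
                "RemoteUrl": ev["RemoteUrl"],
                "RedirectedUrl": target,
            })
    return findings


# Constructed sample rows (reserved .example/.test names, not real telemetry).
SAMPLE_EVENTS = [
    # 1: open redirect on a trusted brand domain pointing at a look-alike login page
    {"ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": "https://links.trusted-brand.example/track?url=https%3A%2F%2Fo365-login.example.net%2Fsignin"},
    # 2: redirect back to the same host
    {"ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": "https://www.example.com/go?redirect=https://www.example.com/home"},
    # 3: internal portal to internal login page, same registrable domain
    {"ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": "https://docs.example.com/link?url=https://internal.example.com/login"},
    # 4: Safe Links rewrite, excluded by host suffix
    {"ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": "https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fevil.example.net%2F&data=05"},
    # 5: both ends under co.uk; a last-two-labels comparison would wrongly suppress this
    {"ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": "https://go.example.co.uk/r?proxy=https://evil.co.uk/x"},
    # 6: phishing-simulation vendor, handled by the allow-list
    {"ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": "https://mail.example.com/r?url=https://awareness.sim-vendor.example/l/1"},
    # 7: relative target does not start with http
    {"ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": "https://www.example.com/r?url=%2Fsettings"},
    # 8: not a browser launch at all
    {"ActionType": "ProcessCreated", "RemoteUrl": "https://www.example.com/go?url=https://evil.example.net/"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, internal_domains={"sim-vendor.example"}):
        print(f"{f['OriginalSLD']} -> {f['RedirectedSLD']} via {f['Parameter']}: {f['RedirectedUrl']}")
```

Run as-is, only rows 1 and 5 survive: the look-alike login page reached through the trusted brand's redirector, and the co.uk case that the query's last-two-labels comparison would have treated as the same namespace. Rows 3 and 6 are suppressed by the registrable-domain and allow-list checks, which is exactly the tuning the scenarios above ask for; if those checks are ported back into KQL, apply them after the existing where clause and keep the allow-list in a watchlist rather than in the query text.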