Query Details

Safe Links Email URL Block Trigger

Email Safe Links Trigger

Query

UrlClickEvents
| where ActionType == 'ClickBlocked'
// Only filter on Safe Links actions from mail
| where Workload == 'Email'
// join the email events
| join kind=leftouter (EmailEvents | project NetworkMessageId, Subject, SenderFromAddress) on NetworkMessageId
| project Timestamp, AccountUpn, Product = Workload, Url, ThreatTypes, Subject, SenderFromAddress, UrlChain

About this query

Explanation

This query is designed to identify and list emails that have triggered a URL block by Safe Links, a security feature that protects users from malicious links in emails. Here's a simplified explanation of the query:

  1. Purpose: The query aims to detect phishing attempts where a user clicks on a malicious link in an email, but the link is blocked by Safe Links, thereby preventing potential harm.

  2. Data Source: It uses logs from Safe Links, specifically looking for actions labeled as "ClickBlocked," which indicates that a URL click was blocked.

  3. Process:

    • It filters events to only include those related to emails.
    • It then joins these events with email data to gather additional information about the email, such as the subject and sender's address.
    • The query compiles details like the timestamp of the event, the user's account, the URL that was blocked, the type of threat, the email subject, and the sender's address.
  4. Outcome: The result is a list of emails with blocked URLs, providing security teams with information to investigate potential phishing incidents further.

  5. Risk Mitigation: Although a phishing campaign might be underway, the risk is minimized because the malicious URL was blocked, preventing the user from accessing it.

  6. Prerequisite: This query will only return results if Safe Links is enabled in the environment.

Overall, this query helps security teams monitor and respond to phishing attempts by identifying emails with blocked URLs, thus enhancing the organization's email security posture.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

UrlClickEventsEmailEvents

Keywords

UrlClickEventsEmailAccountUpnProductThreatTypesSubjectSenderFromAddressChain

Operators

|where==//joinkind=leftouter()project=

MITRE Techniques

Actions

GitHub