Safe Links Email URL Block Trigger
Email Safe Links Trigger
Query
UrlClickEvents
| where ActionType == 'ClickBlocked'
// Only filter on Safe Links actions from mail
| where Workload == 'Email'
// join the email events
| join kind=leftouter (EmailEvents | project NetworkMessageId, Subject, SenderFromAddress) on NetworkMessageId
| project Timestamp, AccountUpn, Product = Workload, Url, ThreatTypes, Subject, SenderFromAddress, UrlChainAbout this query
Explanation
This query is designed to identify and list emails that have triggered a URL block by Safe Links, a security feature that protects users from malicious links in emails. Here's a simplified explanation of the query:
-
Purpose: The query aims to detect phishing attempts where a user clicks on a malicious link in an email, but the link is blocked by Safe Links, thereby preventing potential harm.
-
Data Source: It uses logs from Safe Links, specifically looking for actions labeled as "ClickBlocked," which indicates that a URL click was blocked.
-
Process:
- It filters events to only include those related to emails.
- It then joins these events with email data to gather additional information about the email, such as the subject and sender's address.
- The query compiles details like the timestamp of the event, the user's account, the URL that was blocked, the type of threat, the email subject, and the sender's address.
-
Outcome: The result is a list of emails with blocked URLs, providing security teams with information to investigate potential phishing incidents further.
-
Risk Mitigation: Although a phishing campaign might be underway, the risk is minimized because the malicious URL was blocked, preventing the user from accessing it.
-
Prerequisite: This query will only return results if Safe Links is enabled in the environment.
Overall, this query helps security teams monitor and respond to phishing attempts by identifying emails with blocked URLs, thus enhancing the organization's email security posture.
