Query Details

M365 Copilot Gone Rouge

Query

// https://www.linkedin.com/posts/0x534c_cybersecurity-safelinkprotection-maliciousurl-activity-7325956438965518337-JV3o

UrlClickEvents
| where Timestamp > ago(1h)
| where Workload == "Copilot"
| where ActionType == "ClickBlocked"
| project Timestamp, AccountUpn, Url, UrlChain, IPAddress

Explanation

This query is analyzing data from a table called UrlClickEvents. It is looking for events that happened within the last hour where the workload is "Copilot" and the action taken was "ClickBlocked," meaning a click on a URL was blocked. The query then selects and displays specific details about these events: the time they occurred (Timestamp), the user account involved (AccountUpn), the URL that was clicked (Url), the sequence of URLs that led to the blocked click (UrlChain), and the IP address from which the click attempt was made (IPAddress).

Details

Steven Lim profile picture

Steven Lim

Released: May 10, 2025

Tables

UrlClickEvents

Keywords

UrlClickEventsTimestampWorkloadActionTypeAccountUpnChainIPAddress

Operators

agowhereproject

Actions

GitHub