Query Details

MDO Hunting - Users Who Clicked Later-Confirmed Malicious Mail

MDO 06 Users Clicked Confirmed Malicious

Query

let MaliciousMail =
    EmailEvents
    | where Timestamp > ago(14d)
    | where ThreatTypes has_any ("Phish", "Malware")
    | project NetworkMessageId, RecipientEmailAddress, Subject, ThreatTypes;
UrlClickEvents
| where Timestamp > ago(14d)
| join kind=inner MaliciousMail on NetworkMessageId
| project Timestamp, AccountUpn, Url, Subject, ThreatTypes, IsClickedThrough,
          IPAddress, Workload
| sort by Timestamp desc

Explanation

This query is designed to identify users who have clicked on links in emails that were identified as malicious, either at the time of receipt or later. Here's a simplified breakdown:

  1. Purpose: The query aims to correlate email events with URL click events to identify users who interacted with potentially harmful emails. This helps in pinpointing individuals who might be at risk due to phishing or malware campaigns.

  2. Data Sources: It uses data from Microsoft Threat Protection, specifically focusing on two types of events:

    • EmailEvents: Information about emails, including their threat status.
    • UrlClickEvents: Information about URLs clicked within emails.
  3. Process:

    • First, it filters email events from the last 14 days to find those marked as "Phish" or "Malware."
    • It then joins this data with URL click events from the same period, matching them based on a unique identifier (NetworkMessageId).
    • The result is a list of users who clicked on links in these malicious emails.
  4. Output: The query provides details such as the timestamp of the click, the user's account identifier (AccountUpn), the URL clicked, email subject, threat types, whether the link was clicked through, the user's IP address, and the workload involved.

  5. Value: This information is valuable for security teams to create a list of potentially compromised users, prioritize actions like credential resets, and enhance user awareness. It also suggests cross-referencing with anomalous sign-in signals for further investigation.

  6. Tactics and Techniques: The query is associated with tactics like Initial Access and Execution, and techniques such as Phishing (T1566) and User Execution (T1204).

Overall, this query helps in transforming a broad phishing or malware campaign into a specific list of affected users, enabling targeted security responses.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

EmailEventsUrlClickEvents

Keywords

EmailEventsUrlClickEventsNetworkMessageIdRecipientEmailAddressSubjectThreatTypesTimestampAccountUpnUrlIsClickedThroughIPAddressWorkload

Operators

let|where>ago()has_any()projectjoinonsort bydesc

Tactics

InitialAccessExecution

MITRE Techniques

Actions

GitHub