MDO Hunting - Campaign Exposure (Delivered + Clicked)
MDO 16 Campaign Exposure Delivered Clicked
Query
let Campaigns =
EmailEvents
| where Timestamp > ago(14d)
| where isnotempty(EmailClusterId)
| where ThreatTypes has_any ("Phish", "Malware")
| project NetworkMessageId, EmailClusterId, Subject, ThreatTypes, RecipientEmailAddress;
UrlClickEvents
| where Timestamp > ago(14d)
| join kind=inner Campaigns on NetworkMessageId
| summarize
Clicks = count(),
ClickThrough = countif(IsClickedThrough != "" and IsClickedThrough != "0"),
Victims = dcount(AccountUpn),
VictimList = make_set(AccountUpn, 40),
Urls = make_set(Url, 10),
LastClick = max(Timestamp)
by EmailClusterId, ThreatTypes
| sort by Victims descExplanation
This query is designed to identify and prioritize email campaigns that have successfully reached and engaged users by tracking malicious email clusters and subsequent user interactions with potentially harmful links. Here's a simplified breakdown:
-
Purpose: The query aims to identify email campaigns that not only reached users but also had links that were clicked, indicating real user exposure to potential threats.
-
Data Sources: It uses data from Microsoft Threat Protection, specifically focusing on
EmailEventsandUrlClickEvents. -
Time Frame: The analysis considers events from the past 14 days.
-
Process:
- Email Campaign Identification: It first filters email events to find those with a cluster ID and associated with phishing or malware threats.
- User Interaction Tracking: It then joins these email events with URL click events to find instances where users clicked on links from these emails.
-
Output:
- Clicks: Total number of clicks on links from these campaigns.
- Click Throughs: Number of clicks that led to further interaction (not just a click but a follow-through).
- Victims: Number of unique users who clicked on these links.
- Victim List: A list of up to 40 users who clicked on the links.
- Urls: A list of up to 10 URLs that were clicked.
- Last Click: The most recent time a link was clicked.
-
Prioritization: The results are sorted by the number of victims, highlighting the most impactful campaigns that require immediate attention for user awareness and potential account resets.
In essence, this query helps security teams focus on the most dangerous email campaigns by identifying those that have successfully engaged users, thereby prioritizing response efforts.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Tactics