Query Details

MDO Hunting - Kill Chain - Email to Click to Identity to Cloud

MDO 29 Kill Chain Email Click Identity Cloud

Query

let lookback = 7d;
let malicious =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where ThreatTypes has_any ("Phish", "Malware") and DeliveryAction == "Delivered"
    | project NetworkMessageId, RecipientEmailAddress, Subject, ThreatTypes;
let clicks =
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | join kind=inner malicious on NetworkMessageId
    | summarize ClickTime = min(Timestamp), Url = any(Url), Subject = any(Subject),
                ThreatTypes = any(ThreatTypes) by AccountUpn
    | where isnotempty(AccountUpn);
let cloud =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("New-InboxRule","Set-InboxRule","UpdateInboxRules",
                           "FileDownloaded","FileSyncDownloadedFull",
                           "Consent to application","Add-MailboxPermission")
    | summarize CloudActions = make_set(ActionType, 10), CloudActivityTime = min(Timestamp)
            by Upn = tolower(AccountDisplayName);
clicks
| extend Upn = tolower(AccountUpn)
| join kind=leftouter cloud on Upn
| extend Stage = case(
      isnotempty(CloudActivityTime), "4-CloudActivity (contain now)",
      "3-Clicked (identity-risk review)")
| project AccountUpn, ClickTime, Subject, ThreatTypes, Url,
          CloudActions, CloudActivityTime, Stage
| sort by Stage desc, ClickTime desc

Explanation

This query is designed to track and reconstruct the sequence of events in a phishing attack, from the initial email delivery to potential malicious activity in the cloud. Here's a simplified breakdown:

  1. Objective: The query aims to identify and document the stages of a phishing attack across different Microsoft security products. It tracks the journey from a malicious email being delivered, to a user clicking on a link, to risky or successful sign-ins, and finally to any suspicious cloud activities.

  2. Data Sources: It uses data from Microsoft Threat Protection, specifically focusing on:

    • Email events to detect delivered phishing or malware emails.
    • URL click events to identify when a user clicks on a potentially harmful link.
    • Cloud app events to monitor for suspicious activities like new inbox rules or file downloads.
  3. Process:

    • Malicious Emails: It first identifies emails marked as phishing or malware that were delivered within the last 7 days.
    • Clicks on Links: It then checks if any of these emails led to a user clicking on a link, correlating the click events with the malicious emails.
    • Cloud Activities: Finally, it looks for any suspicious cloud activities associated with the users who clicked on the links, such as changes to inbox rules or file downloads.
  4. Output: The query produces a list of users (victims) with details of the attack stages they experienced:

    • If cloud activity is detected, it labels the stage as "4-CloudActivity (contain now)" indicating an active compromise that needs immediate attention.
    • If only a click is detected, it labels the stage as "3-Clicked (identity-risk review)" suggesting a need for further investigation.
  5. Value: This query provides a comprehensive view of the attack chain, helping security teams quickly identify and respond to phishing attacks by connecting data across email, identity, and cloud services.

  6. Tactics and Techniques: It focuses on tactics like Initial Access, Execution, and Persistence, and techniques such as phishing (T1566), user execution (T1204), and account manipulation (T1098).

Overall, this query is a powerful tool for security investigations, offering a clear narrative of how a phishing attack progresses through different stages and enabling timely containment actions.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

EmailEventsUrlClickEventsCloudAppEvents

Keywords

EmailEventsUrlClickEventsCloudAppEventsNetworkMessageIdRecipientEmailAddressSubjectThreatTypesAccountUpnActionTypeAccountDisplayNameUpnTimestamp

Operators

letagohas_anyprojectwherejoinkind=innersummarizeminanyisnotemptyinmake_setbytolowerextendcasesortdesc

Tactics

InitialAccessExecutionPersistence

MITRE Techniques

Actions

GitHub