MDO — Safe Links Click-Through to Malicious URL
MDO AR 01 Safe Links Click Through
Query
UrlClickEvents
| where Timestamp > ago(1h)
| where ActionType == "ClickAllowed" or (isnotempty(IsClickedThrough) and IsClickedThrough != "0")
| where ThreatTypes has_any ("Phish", "Malware")
| where isnotempty(AccountUpn)
| project Timestamp, ReportId, AccountUpn, Url, ThreatTypes, DetectionMethods,
IPAddress, IsClickedThrough, Workload, NetworkMessageIdExplanation
This query is designed to detect when a user clicks on a URL that has been classified as phishing or malware by Microsoft Defender for Office 365's Safe Links feature. Here's a simplified breakdown:
-
Purpose: The query identifies instances where users click on potentially harmful links, which are flagged as phishing or malware threats. This is considered a high-confidence indicator of a security compromise.
-
Data Source: It uses data from the
UrlClickEventstable, which logs events related to URL clicks. -
Time Frame: The query checks for events that occurred within the last hour.
-
Conditions:
- It looks for URLs that were either allowed to be clicked or where users clicked through a warning page.
- The URLs must be classified as either "Phish" or "Malware".
- The query ensures that the user's account information (
AccountUpn) is available.
-
Output: The query projects (selects) specific fields such as the timestamp of the event, user account, URL, threat type, detection methods, IP address, and more.
-
Alerting:
- If any such events are detected, an alert is generated with a high severity level.
- The alert includes details like the user's account and the type of threat.
- The alert message advises treating the event as a potential compromise, suggesting actions like reviewing sign-ins and resetting credentials.
-
Incident Management:
- The query is configured to create an incident for each alert.
- Incidents are grouped by user account to manage related alerts together.
- The system will not reopen closed incidents but will group new alerts with existing incidents if they occur within a 5-hour window.
Overall, this query helps security teams quickly identify and respond to potential security threats from malicious URLs clicked by users.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: PT1H