Query Details

MDO Blocked URLs

Query

# Defender for Office 365 - Blocked URLs

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title                      | Link                                                         |
| ---          | ---                        | ---                                                          |
| T1566        | Phishing                   | [https://attack.mitre.org/techniques/T1566/](https://attack.mitre.org/techniques/T1566/) |
| T1566.002    | Spearphishing Link         | [https://attack.mitre.org/techniques/T1566/002/](https://attack.mitre.org/techniques/T1566/002/) |

### Description

Use the queries below to find the domains of URLs that were blocked.

### Defender XDR

```kql
// Blocked URL clicks (Safe Links) in the last 90 days, with the domain and TLD pulled out of the URL
UrlClickEvents
| where TimeGenerated > ago(90d)
| where ActionType == "ClickBlocked"
| where DetectionMethods has_any ("URL")
// Host part of the URL (scheme optional), then the last two labels of the host
| extend Domain = extract(@"[^.]+\.[^.]+$", 0, extract(@"^(?:https?://)?([^/]+)", 1, Url))
// Trailing label(s) after the last dot, e.g. "com"
| extend TLD = tostring(split(extract(@"\.([a-zA-Z]{2,}|[a-zA-Z]{2}\.[a-zA-Z]{2})$", 0, Domain, typeof(string)), ".")[1])
| project TimeGenerated, TLD, Domain, IPAddress, ThreatTypes, DetectionMethods, IsClickedThrough, Url
```

```kql
// Emails blocked at delivery because of a URL or domain verdict, joined to the URLs they contained
EmailEvents
| where DeliveryAction == "Blocked"
| where DetectionMethods has_any ("URL", "domain")
| join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
// Same domain and TLD extraction as the UrlClickEvents query
| extend Domain = extract(@"[^.]+\.[^.]+$", 0, extract(@"^(?:https?://)?([^/]+)", 1, Url))
| extend TLD = tostring(split(extract(@"\.([a-zA-Z]{2,}|[a-zA-Z]{2}\.[a-zA-Z]{2})$", 0, Domain, typeof(string)), ".")[1])
| project TimeGenerated, TLD, Domain, ThreatTypes, ThreatNames, DetectionMethods, SenderFromDomain, Url
```

Explanation

These queries identify and list the domains of URLs that Microsoft Defender for Office 365 blocked because of suspected phishing. They map to two MITRE ATT&CK techniques related to phishing.

Here is a simplified breakdown of what each query does:

1. UrlClickEvents query:
   - Time frame: looks at URL click events from the last 90 days.
   - Action type: filters for events where the action taken was "ClickBlocked", meaning the URL was blocked when someone tried to click it.
   - Detection method: keeps only events whose detection method involved URLs.
   - Domain extraction: extracts the host from the URL and keeps its last two labels (e.g., "example.com").
   - TLD extraction: extracts the top-level domain (TLD) from the domain (e.g., "com").
   - Output: the time the event was generated, the TLD, the domain, the IP address, threat types, detection methods, whether the URL was clicked through, and the URL itself.
2. EmailEvents query:
   - Delivery action: filters for email events where the delivery action was "Blocked", indicating the email was blocked.
   - Detection method: keeps only events whose detection method involved URLs or domains.
   - Join with EmailUrlInfo: combines email events with URL information on a common identifier (NetworkMessageId).
   - Domain and TLD extraction: as in the first query, extracts the domain and TLD from the URL.
   - Output: the time the event was generated, the TLD, the domain, threat types, threat names, detection methods, the sender's domain, and the URL.

Overall, these queries help security analysts identify potentially malicious domains and URLs that were blocked, providing insights into phishing attempts and enhancing threat detection and response efforts.
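As an added example (not part of the original query page), the UrlClickEvents pipeline above is run against a few constructed rows in a `datatable` and then aggregated per domain, so an analyst can rank blocked domains by volume and by how often users clicked through. The rows, timestamps, hostnames and IP addresses are made up, and the fixed date window stands in for `ago(90d)` so the sample keeps working regardless of when it is run.

```kql
// Constructed sample rows standing in for UrlClickEvents (not real telemetry).
let SampleClicks = datatable(TimeGenerated:datetime, ActionType:string, DetectionMethods:string, Url:string, IPAddress:string, IsClickedThrough:bool)
[
    datetime(2025-04-01 09:12:00), "ClickBlocked", "URL detonation", "https://login.example-portal.com/auth?id=1", "203.0.113.10", false,
    datetime(2025-04-01 10:05:00), "ClickBlocked", "URL reputation", "https://www.example-portal.com/reset",      "203.0.113.11", true,
    datetime(2025-04-02 08:30:00), "ClickBlocked", "URL reputation", "invoice.example.co.uk/view",                "203.0.113.12", false,
    datetime(2025-04-02 11:45:00), "ClickAllowed", "",               "https://example.org/",                      "203.0.113.13", false,
];
SampleClicks
// Fixed window for the sample; use ago(90d) against the live table
| where TimeGenerated between (datetime(2025-04-01) .. datetime(2025-04-03))
| where ActionType == "ClickBlocked"
| where DetectionMethods has_any ("URL")
// Host part of the URL (scheme optional), then the last two labels of the host
| extend Host = extract(@"^(?:https?://)?([^/]+)", 1, Url)
| extend Domain = extract(@"[^.]+\.[^.]+$", 0, Host)
| extend TLD = tostring(split(extract(@"\.([a-zA-Z]{2,}|[a-zA-Z]{2}\.[a-zA-Z]{2})$", 0, Domain, typeof(string)), ".")[1])
// One row per blocked domain: how many blocks, how many users clicked through anyway, first/last seen
| summarize Blocked = count(),
            ClickedThrough = countif(IsClickedThrough),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleUrl = take_any(Url)
    by Domain, TLD
| order by Blocked desc
```

With the sample rows this returns two domains: example-portal.com (2 blocks, 1 click-through, TLD "com") and co.uk (1 block, TLD "uk"). The second row shows a limitation of the two-label regex: hosts under a two-level public suffix such as .co.uk collapse to the suffix itself rather than the registrable domain.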

Details


Alex Verboon

Released: April 5, 2025

Tables

UrlClickEvents, EmailEvents, EmailUrlInfo

Keywords

Defender, Office, Urls, Domains, Email, Network, Threats, Sender

Operators

ago, has_any, extract, tostring, split, project, where, join, on, extend
