MDO Hunting - Users Who Clicked Later-Confirmed Malicious Mail
MDO 06 Users Clicked Confirmed Malicious
Query
let MaliciousMail =
EmailEvents
| where Timestamp > ago(14d)
| where ThreatTypes has_any ("Phish", "Malware")
| project NetworkMessageId, RecipientEmailAddress, Subject, ThreatTypes;
UrlClickEvents
| where Timestamp > ago(14d)
| join kind=inner MaliciousMail on NetworkMessageId
| project Timestamp, AccountUpn, Url, Subject, ThreatTypes, IsClickedThrough,
IPAddress, Workload
| sort by Timestamp descExplanation
This query is designed to identify users who have clicked on links in emails that were identified as malicious, either at the time of receipt or later. Here's a simplified breakdown:
-
Purpose: The query aims to correlate email events with URL click events to identify users who interacted with potentially harmful emails. This helps in pinpointing individuals who might be at risk due to phishing or malware campaigns.
-
Data Sources: It uses data from Microsoft Threat Protection, specifically focusing on two types of events:
- EmailEvents: Information about emails, including their threat status.
- UrlClickEvents: Information about URLs clicked within emails.
-
Process:
- First, it filters email events from the last 14 days to find those marked as "Phish" or "Malware."
- It then joins this data with URL click events from the same period, matching them based on a unique identifier (NetworkMessageId).
- The result is a list of users who clicked on links in these malicious emails.
-
Output: The query provides details such as the timestamp of the click, the user's account identifier (AccountUpn), the URL clicked, email subject, threat types, whether the link was clicked through, the user's IP address, and the workload involved.
-
Value: This information is valuable for security teams to create a list of potentially compromised users, prioritize actions like credential resets, and enhance user awareness. It also suggests cross-referencing with anomalous sign-in signals for further investigation.
-
Tactics and Techniques: The query is associated with tactics like Initial Access and Execution, and techniques such as Phishing (T1566) and User Execution (T1204).
Overall, this query helps in transforming a broad phishing or malware campaign into a specific list of affected users, enabling targeted security responses.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Tactics