Query Details

Potential Phishing Hosting Site URL Clicks

Query

//This query detects URL clicks to known phishing hosting sites
//Filters for allowed clicks to potentially malicious sites delivered to inbox or junk
//Excludes senders from your own domain
UrlClickEvents
| where Url has_any ("formstack.com", "drive.autodesk.com", "app.box.com", "app.simplified.com", "simplified.com", "surveymonkey.com", "drive.google.com")
| where ActionType contains "ClickAllowed"
//Join the email that carried the link, matched on NetworkMessageId
| join EmailEvents on NetworkMessageId
| where DeliveryAction contains "Delivered" or DeliveryAction contains "Junked"
| where DeliveryLocation contains "Inbox" or DeliveryLocation contains "Junk"
//Replace "example" with your own sender domain
| where SenderFromAddress !contains "example"

Explanation

This query identifies instances where users clicked URLs pointing at hosting and form services that are known to be abused for phishing content. It looks only at clicks that were allowed, on links in emails that were delivered to either the inbox or the junk folder. Emails whose sender address contains your own domain (here "example") are excluded.
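The same conditions as the query, re-implemented in Python over constructed sample rows so the join and each filter can be checked offline. This is an added example, not code from the original page; the field names follow the Advanced Hunting schema, the rows are made up, and the own-domain check deliberately compares the sender's domain exactly rather than using the query's substring test, so an external address that merely contains the string "example" is still reported.

```python
# Added example, not code from the original page: the hunting query's
# conditions re-implemented over constructed UrlClickEvents and EmailEvents
# rows. Field names follow the Advanced Hunting schema; the rows are made up.
WATCHED_HOSTS = ("formstack.com", "drive.autodesk.com", "app.box.com",
                 "app.simplified.com", "simplified.com",
                 "surveymonkey.com", "drive.google.com")

def suspicious_clicks(clicks, emails, own_domain="example.com"):
    """Return [(click, email)] pairs that satisfy the query's conditions.
    Deliberate difference: the query uses !contains "example" (a substring
    test); here the sender's domain part is compared exactly."""
    by_id = {e["NetworkMessageId"]: e for e in emails}   # join key
    hits = []
    for c in clicks:
        if not any(h in c["Url"] for h in WATCHED_HOSTS):   # Url has_any (...)
            continue
        if "ClickAllowed" not in c["ActionType"]:           # allowed clicks only
            continue
        e = by_id.get(c["NetworkMessageId"])                # inner join
        if e is None:
            continue
        if not any(a in e["DeliveryAction"] for a in ("Delivered", "Junked")):
            continue
        if not any(l in e["DeliveryLocation"] for l in ("Inbox", "Junk")):
            continue
        if e["SenderFromAddress"].rpartition("@")[2].lower() == own_domain:
            continue                                         # internal sender
        hits.append((c, e))
    return hits

# Constructed sample rows: one true hit, one internal sender, one blocked
# click, and one external sender whose local part contains "example".
SAMPLE_CLICKS = [
    {"NetworkMessageId": "m1", "Url": "https://drive.google.com/file/d/abc", "ActionType": "ClickAllowed"},
    {"NetworkMessageId": "m2", "Url": "https://app.box.com/s/xyz", "ActionType": "ClickAllowed"},
    {"NetworkMessageId": "m3", "Url": "https://surveymonkey.com/r/q", "ActionType": "ClickBlocked"},
    {"NetworkMessageId": "m4", "Url": "https://formstack.com/forms/1", "ActionType": "ClickAllowed"},
]
SAMPLE_EMAILS = [
    {"NetworkMessageId": "m1", "SenderFromAddress": "alice@outside.test", "DeliveryAction": "Delivered", "DeliveryLocation": "Inbox"},
    {"NetworkMessageId": "m2", "SenderFromAddress": "bob@example.com", "DeliveryAction": "Delivered", "DeliveryLocation": "Inbox"},
    {"NetworkMessageId": "m3", "SenderFromAddress": "carol@outside.test", "DeliveryAction": "Junked", "DeliveryLocation": "Junk"},
    {"NetworkMessageId": "m4", "SenderFromAddress": "example-billing@outside.test", "DeliveryAction": "Delivered", "DeliveryLocation": "Inbox"},
]
```

Running `suspicious_clicks(SAMPLE_CLICKS, SAMPLE_EMAILS)` returns the m1 and m4 pairs; the query's substring filter would have dropped m4 as well.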

Details

@KillaB0nez

Released: November 10, 2024

Tables

UrlClickEvents, EmailEvents

Keywords

UrlClickEvents, EmailEvents

Operators

has_any, contains, join, on, or, !contains