Query Details

Risky Sign In After Email Url Click Event

Query

let loopback = 1h;
//Add your IPRange to minimize the Results
let OwnIPRange = "xx.xx.";
let UserClicks = UrlClickEvents
| where Timestamp > ago(loopback)
| where IPAddress !startswith (OwnIPRange)
| project TimestampUrlClick=Timestamp, AccountUpn;
AADSignInEventsBeta
| where isnotempty(RiskEventTypes) and isnotempty(RiskLevelDuringSignIn) 
| where ErrorCode == 0 
| join kind=inner UserClicks on AccountUpn
| where RiskLevelDuringSignIn >= 50
| where Timestamp > TimestampUrlClick

About this query

Risky SignIn after EmailUrlClickEvent

Query Information

MITRE ATT&CK Technique(s)

Description

This rule detects a highly suspicious sequence of events: a user clicking on a URL (potentially a phishing link) followed by a risky sign-in attempt to Azure AD from an IP address outside the organization's defined range. The rule specifically looks for sign-ins with a high-risk level (>= 50) that occur after a URL click event, suggesting a potential compromise initiated by a phishing attack.

Author <Optional>

References

Defender XDR

Explanation

This query is designed to detect potentially malicious activity involving phishing attacks. It looks for a sequence of events where a user clicks on a URL (which could be a phishing link) and then attempts to sign in to Azure Active Directory (Azure AD) from an IP address that is not part of the organization's known IP range. The sign-in attempt is flagged as risky if it has a risk level of 50 or higher, suggesting that the user's account might be compromised.

Here's a simplified breakdown of the query:

  1. Time Frame: The query examines events from the past hour (loopback = 1h).

  2. IP Filtering: It filters out any URL click events that originate from the organization's known IP range (OwnIPRange), focusing only on external IP addresses.

  3. URL Click Events: It collects data on URL click events, specifically the timestamp and user account involved.

  4. Risky Sign-In Events: It then looks at Azure AD sign-in events that have associated risk indicators and no error codes (successful sign-ins).

  5. Joining Events: The query joins the URL click events with the risky sign-in events based on the user account (AccountUpn).

  6. Risk Level Check: It filters for sign-in events with a risk level of 50 or higher.

  7. Sequence Check: Finally, it ensures that the risky sign-in event occurred after the URL click event, indicating a potential compromise following a phishing link click.

The goal of this query is to identify and alert on suspicious activity that could indicate a phishing attack leading to unauthorized access attempts.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: October 24, 2025

Tables

UrlClickEventsAADSignInEventsBeta

Keywords

UrlClickEventsTimestampIPAddressAccountUpnAADSignInBetaRiskEventTypesLevelDuringErrorCode

Operators

letagowhere!startswithprojectisnotemptyjoinon>=

MITRE Techniques

Actions

GitHub