Risky Sign In After Email Url Click Event

# *Risky SignIn after EmailUrlClickEvent*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1566 | Phishing | https://attack.mitre.org/techniques/T1566/ |
| TA0001 | Initial Access | https://attack.mitre.org/tactics/TA0001/ |

#### Description
This rule detects a highly suspicious sequence of events: a user clicking on a URL (potentially a phishing link) followed by a risky sign-in attempt to Azure AD from an IP address outside the organization's defined range. The rule specifically looks for sign-ins with a high-risk level (>= 50) that occur after a URL click event, suggesting a potential compromise initiated by a phishing attack.

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

## Defender XDR
```KQL
let loopback = 1h;
// Add your own IP range (as a string prefix) to minimize the results
let OwnIPRange = "xx.xx.";
// URL clicks within the last hour that came from outside the organization's range
let UserClicks = UrlClickEvents
| where Timestamp > ago(loopback)
| where IPAddress !startswith (OwnIPRange)
| project TimestampUrlClick=Timestamp, AccountUpn;
// Successful sign-ins that carry risk detections
AADSignInEventsBeta
| where isnotempty(RiskEventTypes) and isnotempty(RiskLevelDuringSignIn)
| where ErrorCode == 0
// Pair each sign-in with the same user's external URL clicks
| join kind=inner UserClicks on AccountUpn
| where RiskLevelDuringSignIn >= 50
// Keep only sign-ins that happened after the click
| where Timestamp > TimestampUrlClick
```

Explanation

This query is designed to detect potentially malicious activity involving phishing attacks. It looks for a sequence of events where a user clicks on a URL (which could be a phishing link) and then attempts to sign in to Azure Active Directory (Azure AD) from an IP address that is not part of the organization's known IP range. The sign-in attempt is flagged as risky if it has a risk level of 50 or higher, suggesting that the user's account might be compromised.

Here's a simplified breakdown of the query:

  1. Time Frame: The query examines events from the past hour (loopback = 1h).

  2. IP Filtering: It filters out any URL click events that originate from the organization's known IP range (OwnIPRange), focusing only on external IP addresses.

  3. URL Click Events: It collects data on URL click events, specifically the timestamp and user account involved.

  4. Risky Sign-In Events: It then looks at Azure AD sign-in events that carry risk indicators and have ErrorCode 0 (successful sign-ins).

  5. Joining Events: The query joins the URL click events with the risky sign-in events based on the user account (AccountUpn).

  6. Risk Level Check: It filters for sign-in events with a risk level of 50 or higher.

  7. Sequence Check: Finally, it ensures that the risky sign-in event occurred after the URL click event, indicating a potential compromise following a phishing link click.

The goal of this query is to identify and alert on suspicious activity that could indicate a phishing attack leading to unauthorized access attempts.
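A tightened variant of the query above, added here as an example and not part of the original page: it replaces the string-prefix IP test with CIDR matching via ipv4_is_in_any_range(), caps how long after the click the sign-in may occur, and collapses multiple clicks into one row per sign-in. The OwnIPRanges values (TEST-NET documentation prefixes) and the 2h window are placeholder assumptions to set per tenant.

```kql
// Added example; the two assumptions below must be tuned for your tenant
let lookback = 1h;
let MaxClickToSignIn = 2h;                 // assumption: click-to-sign-in window
let OwnIPRanges = dynamic(["203.0.113.0/24", "198.51.100.0/24"]);  // placeholder CIDRs
let UserClicks = UrlClickEvents
    | where Timestamp > ago(lookback + MaxClickToSignIn)
    // CIDR test; returns null for non-IPv4 input, so coalesce keeps those clicks as external
    | extend FromOwnRange = coalesce(ipv4_is_in_any_range(IPAddress, OwnIPRanges), false)
    | where not(FromOwnRange)
    | project TimestampUrlClick = Timestamp, AccountUpn, Url, ClickIP = IPAddress, ActionType, ThreatTypes;
AADSignInEventsBeta
| where Timestamp > ago(lookback)
| where ErrorCode == 0                      // successful sign-ins only
| where isnotempty(RiskEventTypes) and RiskLevelDuringSignIn >= 50
| join kind=inner UserClicks on AccountUpn
// The click must precede the sign-in, but by no more than MaxClickToSignIn
| where Timestamp > TimestampUrlClick and Timestamp - TimestampUrlClick <= MaxClickToSignIn
// One row per sign-in: keep the latest qualifying click
| summarize arg_max(TimestampUrlClick, Url, ClickIP, ActionType, ThreatTypes)
    by Timestamp, AccountUpn, SignInIP = IPAddress, Application, RiskLevelDuringSignIn, RiskEventTypes, RiskState
| extend ClickToSignIn = Timestamp - TimestampUrlClick
| order by Timestamp desc
```

A ClickToSignIn of a few minutes with a non-empty ThreatTypes on the click is the case worth triaging first; a blocked click (ActionType) followed by a risky sign-in still surfaces, because the block alone does not prove the credential was not entered elsewhere.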

Details

Benjamin Zulliger

Released: October 24, 2025

Tables: UrlClickEvents, AADSignInEventsBeta

Keywords: UrlClickEvents, Timestamp, IPAddress, AccountUpn, AADSignInEventsBeta, RiskEventTypes, RiskLevelDuringSignIn, ErrorCode

Operators: let, ago, where, !startswith, project, isnotempty, join, on, >=