One of the most frequent ways attackers target employees to compromise an organization is by sending them internet web links (aka URLs) embedded with malicious content or malware. Email remains the most common way attackers send messages to unsuspecting employees.
Recently, cybersecurity researchers and threat hunters have identified new trends in how URLs are used to attack an organization, including: URLs used in phishing attacks, URLs that download a malicious attachment once the user clicks on them, URLs with multiple redirections that bypass security filters, and URLs that are clean at the time of delivery but are weaponized after they land in the user's inbox (for example, delayed by time, or selectively by geography or time zone).
To better protect against these types of threats, Microsoft Defender for Office 365 now features alerting policy enhancements to support the detection, investigation, and remediation of threats delivered via URLs sent over email. With these enhancements, alerts can now detect threats at the time of click as well as potential threats in the 48 hours preceding the click at which the URL was found malicious.
There are two URL click alerts policies offered by Microsoft Defender for Office 365:
1) A potentially malicious URL click was detected:
Imagine a case where users in an organization have received an email with multiple URLs in it, some of them clean and some of them potentially malicious (i.e. clean at the time of delivery, but weaponized later). When a user clicks on one of the malicious URLs, Microsoft Defender for Office 365 scans that URL to identify whether any threats have been associated with it in the past, and builds a "Good" or "Bad" reputation for the URL. If the system finds that there has been an attack in the past using the same URL, that email is marked as malicious and the security teams are notified with an alert titled "A potentially malicious URL click was detected", carrying the user, the URL and all other associated details. (This alert is part of the E5 or EOP+P2 SKU.)
Even if no threats were identified earlier, each subsequent click causes the URL to be scanned and validated again to identify whether any threats are now associated with it. A new scan leads to one of two cases:
- a) First User, First Click (Patient Zero): Suppose an email has been sent to multiple users, user1 clicks the URL, and the scan finds that the URL is malicious and builds a bad reputation for it. In this case one alert is generated for user1, and the security teams are notified that a malicious click was made by user1. Similar alerts are generated if other users click on the same URL later.
- b) Delayed weaponizing of the URL (verdict flip from earlier good to now bad): Imagine a scenario where an email with the same URL is sent to users U1, U2, U3 and U4; at the time of delivery the URL was clean, and the system had no prior reputation for it. Now multiple users have clicked on it at different times, as follows, where T1 is the earliest click and T4 the latest:
| User | Click ID | Time of Click |
|------|----------|---------------|
| U1 | C1 | T1 |
| U2 | C2 | T2 (T1 + 1 hr) |
| U3 | C3 | T3 (T2 + 1 hr) |
| U4 | C4 | T4 (T3 + 30 mins) |
In this scenario, up until C3 at time T3, the scans on clicks C1, C2 and C3 were all clean, because the URL was still clean. After C3, suppose the attacker weaponizes the URL so that every user who clicked on it may be impacted. If U4 then clicks on the URL at T4 and the scan identifies the threat on the now-weaponized URL, an alert titled "A potentially malicious URL click was detected" is generated for U4. At the same time, the system looks back 48 hours from the time of click T4 for all other users who clicked on the same URL; in this case U1, U2 and U3 clicked on it before U4, so alerts with the same title are generated for U1, U2 and U3 as well, notifying the security analysts of every past click on that URL and the potential threat associated with it. This lets the security analysts cover hunting scenarios for all the users involved in the attack and take appropriate remediation actions for those users.
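To make the 48-hour look-back concrete, here is an added Python model of the verdict-flip scenario above (example code written for this page, not Defender for Office 365's own implementation; the click records, timestamps and URL are constructed). It also includes a click that falls outside the window, to show that only clicks within 48 hours of the triggering click are alerted on.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Click:
    click_id: str
    user: str
    url: str
    time: datetime

LOOKBACK = timedelta(hours=48)
ALERT_TITLE = "A potentially malicious URL click was detected"

def alerts_for_bad_click(clicks, bad_click, lookback=LOOKBACK):
    """Given the click at which the URL was found malicious, return one alert
    per click on the same URL inside the look-back window ending at that click,
    the triggering click included. Each alert is (click_id, user, title)."""
    window_start = bad_click.time - lookback
    hits = [c for c in clicks
            if c.url == bad_click.url and window_start <= c.time <= bad_click.time]
    hits.sort(key=lambda c: c.time)          # earliest click (T1) first
    return [(c.click_id, c.user, ALERT_TITLE) for c in hits]

# Constructed sample click log mirroring the table above (T2 = T1+1h, T3 = T2+1h, T4 = T3+30m),
# plus an old click (C0) outside the 48-hour window and a click (C5) on an unrelated URL.
T1 = datetime(2024, 1, 10, 9, 0)
URL = "https://example.invalid/invoice"     # constructed placeholder URL
CLICKS = [
    Click("C0", "U0", URL, T1 - timedelta(hours=60)),
    Click("C1", "U1", URL, T1),
    Click("C2", "U2", URL, T1 + timedelta(hours=1)),
    Click("C3", "U3", URL, T1 + timedelta(hours=2)),
    Click("C5", "U5", "https://example.invalid/other", T1 + timedelta(hours=2)),
    Click("C4", "U4", URL, T1 + timedelta(hours=2, minutes=30)),
]

def run_scenario():
    """Verdict flips to 'bad' at U4's click C4; alert on C4 and look back 48 h."""
    c4 = next(c for c in CLICKS if c.click_id == "C4")
    return alerts_for_bad_click(CLICKS, c4)

if __name__ == "__main__":
    for click_id, user, title in run_scenario():
        print(f"{click_id} {user}: {title}")
```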
2) A user clicked through to a potentially malicious URL:
In the cases where the system identifies a URL as potentially malicious and a user clicks on that URL, a warning page is shown to the user explaining that the URL is potentially malicious, and the user is given the option to visit the page anyway (if this setting is enabled in the Safe Links policy). If the user decides to visit the web page despite the warning and clicks the option to proceed (i.e. "clicks through" the warning page), the security analysts are alerted with a system-generated alert named "A user clicked through to a potentially malicious URL."
These alerting policy enhancements in Microsoft Defender for Office 365 provide an invaluable layer of protection against the ever-evolving tactics attackers use to exploit URLs sent via email. By alerting on threats at time of click, and by monitoring potential threats in the 48-hour window preceding the click at which the verdict changed, organizations can stay one step ahead of attackers. This not only bolsters an organization's cybersecurity posture, but also gives employees and SecOps teams confidence that their sensitive data and communications are safeguarded by a proactive and flexible defense.