Microsoft Defender for Office 365 Blog

Enhanced threat detection with URL click alerts by Microsoft Defender for Office 365

Ajaj_Shaikh (Microsoft)
Mar 21, 2023

One of the most common ways attackers compromise an organization is by sending employees web links (URLs) that lead to phishing pages or malware, and email remains the most common channel for delivering those links to unsuspecting users.

Security researchers and threat hunters continue to see URLs used against organizations in new ways, including: phishing pages, URLs that download a malicious attachment when clicked, chains of redirects designed to evade security filters, and URLs that are clean at the time of delivery but are weaponized afterwards (for example after a time delay, or only for visitors from a particular geography or time zone) once the message is already in the user's inbox.

To better protect against these threats, Microsoft Defender for Office 365 now includes alert policy enhancements that support detecting, investigating, and remediating threats delivered as URLs in email. With these enhancements, alerts cover both threats identified at the time of click and earlier clicks on the same URL within the 48 hours before the click that produced the detection.

Microsoft Defender for Office 365 offers two URL click alert policies:

1) A potentially malicious URL click was detected:

Consider users who receive an email containing several URLs, some clean and some malicious (for example, clean at the time of delivery but weaponized later). When a user clicks one of those URLs, Microsoft Defender for Office 365 scans it and checks whether any threat has previously been associated with it, building a "good" or "bad" reputation for the URL. If the same URL has been used in an earlier attack, the email is marked as malicious and the security team is notified with an alert titled "A potentially malicious URL click was detected", containing the user, the URL, and the other associated details. (This alert is part of the E5 or EOP+P2 SKU.)

 

Even if there were no identified threats earlier, when a user clicks again, the URL is scanned and validated to identify if there are any threats associated with that URL. In a new scan there are two possible cases: 

 

  1. a) First User-First Click (Patient Zero): Suppose an email has been sent to multiple users and user1 has clicked on it and systems finds out that URL is malicious in the scan and builds a bad reputation on that URL, in this case one alert will be generated for user1 who clicked on that URL and security teams will be notified with a malicious click happened by user1.  Similar alerts will be generated if another users clicks on the same URL later.

 

  1. b) Delayed weaponizing of the URL (Verdict flip from earlier good to now bad): Imagine a scenario where an email with the same URL send to users U1, U2, U3 and U4 and at the time of delivery it was clean, and system had no prior reputation on that URL. Now we have situation where multiple users have clicked on it at different times as following where T1 being the earliest click and T4 being the latest click - 

User   Click ID   Time of Click
U1     C1         T1
U2     C2         T2 (T1 + 1 hr)
U3     C3         T3 (T2 + 1 hr)
U4     C4         T4 (T3 + 30 min)

Up to C3 at time T3, the scans on clicks C1, C2 and C3 were all clean because the URL was still clean. After C3 the attacker weaponizes the URL, so every user who clicked it may be affected. When U4 clicks at T4 and the scan identifies the threat on the now-weaponized URL, an alert titled "A potentially malicious URL click was detected" is generated for U4. At the same time the system looks back 48 hours from T4 for every other click on that URL; here U1, U2 and U3 clicked before U4, so alerts with the same title are generated for each of them as well. This tells the security analysts about every click on the URL in that window and the threat now associated with it, so they can hunt across all the users involved in the attack and take the appropriate remediation actions for each of them.

 

 

2) A user clicked through to a potentially malicious URL:  

In the cases where the system identifies a URL to be potentially malicious and if any user clicks on that URL, a warning page is shown to the user with details of URL being potentially malicious and the user is given an option to still visit the page (if this setting is enabled in SafeLinks policy). In such case when user decides to visit the web page even though there was a warning and clicks on the option to visit (i.e. “clicks through” the warning sign), then security analysts are alerted with a system generated alert named “A user clicked through to a potentially malicious URL.” 
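The alert behaviour described in cases 1a and 1b and in policy 2 above, as an added example that is not part of the original post and is not Microsoft's implementation: a small Python model that replays constructed click events (the U1 to U4 timeline from the table, plus an extra click 50 hours earlier that must fall outside the lookback window) and returns the alerts the post says should be raised. The click records, user names and URL are constructed for the example, and the handling of a click-through (raising only the click-through title, not both titles) is an assumption the post does not settle.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Alert titles exactly as the post names them.
MALICIOUS_CLICK = "A potentially malicious URL click was detected"
CLICK_THROUGH = "A user clicked through to a potentially malicious URL"
LOOKBACK = timedelta(hours=48)


@dataclass(frozen=True)
class Click:
    click_id: str
    user: str
    url: str
    time: datetime
    clicked_through: bool = False  # user proceeded past the Safe Links warning page


@dataclass(frozen=True)
class Alert:
    title: str
    user: str
    click_id: str
    trigger_click_id: str  # the click whose scan produced the bad verdict


class ClickAlertModel:
    """Stateful model of the alert logic the post describes (not Microsoft's code)."""

    def __init__(self, lookback=LOOKBACK):
        self.lookback = lookback
        self.history = []     # every click processed so far, in arrival order
        self.alerted = set()  # click_ids that already carry a malicious-click alert

    def process(self, click, verdict):
        """verdict is the time-of-click scan result for click.url: 'good' or 'bad'."""
        alerts = []
        if click.clicked_through:
            # Assumption: the post does not say whether a click-through also raises the
            # malicious-click title, so this model raises only the click-through alert.
            alerts.append(Alert(CLICK_THROUGH, click.user, click.click_id, click.click_id))
        elif verdict == "bad":
            # Time-of-click detection (case 1a, and the U4 click in case 1b).
            alerts.append(Alert(MALICIOUS_CLICK, click.user, click.click_id, click.click_id))
            self.alerted.add(click.click_id)
            # Verdict flip (case 1b): re-examine every click on the same URL in the
            # 48 hours before this one that has not already been alerted on.
            window_start = click.time - self.lookback
            for earlier in self.history:
                if (earlier.url == click.url
                        and window_start <= earlier.time < click.time
                        and earlier.click_id not in self.alerted):
                    alerts.append(Alert(MALICIOUS_CLICK, earlier.user,
                                        earlier.click_id, click.click_id))
                    self.alerted.add(earlier.click_id)
        self.history.append(click)
        return alerts


URL = "https://example.invalid/invoice"  # constructed sample URL, not a real one
T1 = datetime(2023, 3, 21, 9, 0)          # constructed time of the first click


def run_verdict_flip_scenario():
    """Case 1b from the post, plus a click 50 h before T1 that must stay outside the window."""
    model = ClickAlertModel()
    clicks = [
        (Click("C0", "U0", URL, T1 - timedelta(hours=50)), "good"),
        (Click("C1", "U1", URL, T1), "good"),
        (Click("C2", "U2", URL, T1 + timedelta(hours=1)), "good"),
        (Click("C3", "U3", URL, T1 + timedelta(hours=2)), "good"),
        (Click("C4", "U4", URL, T1 + timedelta(hours=2, minutes=30)), "bad"),
    ]
    raised = []
    for click, verdict in clicks:
        raised.extend(model.process(click, verdict))
    return raised


def run_patient_zero_scenario():
    """Case 1a: the URL is already bad on the first click; each click alerts once, no re-alerts."""
    model = ClickAlertModel()
    raised = []
    raised.extend(model.process(Click("C1", "U1", URL, T1), "bad"))
    raised.extend(model.process(Click("C2", "U2", URL, T1 + timedelta(hours=1)), "bad"))
    return raised


def run_click_through_scenario():
    """Policy 2: the user dismisses the Safe Links warning page and proceeds."""
    model = ClickAlertModel()
    return model.process(Click("C9", "U9", URL, T1, clicked_through=True), "bad")


if __name__ == "__main__":
    for name, scenario in [("verdict flip", run_verdict_flip_scenario),
                           ("patient zero", run_patient_zero_scenario),
                           ("click-through", run_click_through_scenario)]:
        print(name)
        for alert in scenario():
            print(f"  {alert.title}: user={alert.user} click={alert.click_id} "
                  f"triggered_by={alert.trigger_click_id}")
```

Run it directly to print the alerts each scenario raises. The lookback is a half-open window [T - 48 h, T) over clicks on the same URL, and clicks that already carry an alert are skipped; that last check is what keeps case 1a from re-alerting patient zero every time a later user clicks the same known-bad URL.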

These alert policy enhancements in Microsoft Defender for Office 365 add a valuable layer of protection against the evolving ways attackers use URLs sent via email. By alerting at the time of click, and by also covering earlier clicks within the 48 hours before a URL's verdict flips to bad, organizations can respond to every affected user rather than only the latest one. This strengthens an organization's security posture and gives employees and SecOps teams confidence that their sensitive data and communications are protected by a proactive and flexible defense.

Updated Mar 28, 2023
Version 2.0
  • How can we best deal with false positives?

     

    We have already received, a few times, a mass mailing containing a safe link which was deemed malicious while it was benign.

     

    All our users had to click through the warning page (which we would like to avoid as much as possible). Is there a way to signal that a safe link is not malicious? We tried submitting the link, but it didn't help.

  • 
    ExMSW4319
    Iron Contributor

    I really don't see the wisdom of permitting click-through. I know some domains have false positive issues. If one domain is persistently a problem for your organisation then you could exempt it from Safe Links entirely. If there is a risk associated with that domain then you may need to work out a mitigation, for example an element in paths in links from that domain that are specific to your organisation. You then set a mail flow rule to quarantine or Junk all mails with links for that domain unless they include your friendly path element.

     

    If your users are regularly seeing the red stop screen and are learning to dismiss it, then yes, that's a trend that will end in disaster.

  • 
    Chris__S
    Copper Contributor

    I've been getting a heap of these alerts recently, and while they're useful in theory - in practice they tend to be a notification that a suspect URL is in a campaign that our protection systems have sandboxed en-masse, reviewed and most likely dumped before the message got into any real mailbox.

     

    Is there any way you can expose the IP of the device that's marked as 'clicking'? If we could see the source of the click as well as the associated recipient, it would be much easier to ID if that's a real end user device. 

     

    If I see alerts that at 4 a.m. 50+ people all followed a link, but from an IP in the same small block, I can quickly note it's the sandbox at work; the latter drawn from a swathe of alerts that landed last night. I'm pretty sure for a mostly office-hours org, we don't have quite so many reading email and following links at that exact same time, give or take a few milliseconds.

    (even better would then be to let us plug in the IP ranges of our known sandboxes so we could exclude reporting on them, unless we wanted to see how much work the protection layers are doing for us)

  • 
    MichaelScott319
    Copper Contributor

    Hello,
    I have one question: a user wants to know why the "A potentially malicious URL click was detected" alert policy is being delivered to a Distribution Center list group even though the group is not added in the recipients list. The user is only an Exchange Admin, and I know that the tenant Admins are Global Admins. The user has accepted that they are clicking on that link, but the alert is getting delivered to the DL group instead of specific members. What could be the reason here? Any response would be much appreciated. Thanks