Safe Links - Report on users to have attempted to click on a malicious link

%3CLINGO-SUB%20id%3D%22lingo-sub-738921%22%20slang%3D%22en-US%22%3ESafe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738921%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20-%20How%20can%20I%20find%20out%20who%20has%20clicked%20on%20a%20link%20that%20was%20blocked%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20was%20an%20obvious%20spam%20email%20doing%20the%20rounds%2C%20and%20I'd%20like%20to%20know%20who%20has%20fallen%20for%20it%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-738921%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738986%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738986%22%20slang%3D%22en-US%22%3EThat%E2%80%99s%20right!%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20if%20you%20have%20specific%20users%20you%20think%20clicked%20through%20have%20you%20tried%20the%20full%20command%20as%20shown%20in%20the%20example%20for%20particular%20users%20-%3CBR%20%2F%3E%3CBR%20%2F%3EGet-UrlTrace%20-RecipientAddress%20%22michelle%40contoso.com%22%20-StartDate%20%225%2F9%2F2016%22%20-EndDate%20%225%2F11%2F2016%22%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738982%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738982%22%20slang%3D%22en-US%22%3EBe%20aware%20that%20this%20command%20only%20goes%207%20days%20back!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738981%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738981%22%20slang%3D%22en-US%22%3EThanks%20Chris%2C%20I%E2%80%99ve%20run%20that%20command%2C%20but%20still%20not%20getting%20the%20results.%20There%E2%80%99s%20some%20users%20whom%20I%20know%20got%20the%20blocking%20page%2C%20but%20they%20didn%E2%80%99t%20show%20up%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738980%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738980%22%20slang%3D%22en-US%22%3EThanks%20Adam.%20I%E2%80%99ve%20had%20a%20look%20through%20the%20dashboards%2C%20but%20can%E2%80%99t%20find%20any%20reports%20that%20specifically%20list%20the%20users%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738945%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738945%22%20slang%3D%22en-US%22%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330305%22%20target%3D%22_blank%22%3E%40Antonio13286%3C%2FA%3E%2C%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20can%20use%20Get-UrlTrace%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fadvanced-threat-protection%2Fget-urltrace%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fadvanced-threat-protection%2Fget-urltrace%3Fview%3Dexchange-ps%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EAs%20described%20in%20the%20article%2C%20this%20is%20designed%20to%20determine%20who%20clicked%20through%20to%20a%20malicious%20web%20site%20in%20the%20past%207%20days.%20To%20note%2C%20it%E2%80%99s%20currently%20limited%20to%207%20days%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20that%20answers%20your%20question!%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738944%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738944%22%20slang%3D%22en-US%22%3EHi!%3CBR%20%2F%3E%3CBR%20%2F%3EHere%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fview-reports-for-atp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fview-reports-for-atp%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EAdam%3C%2FLINGO-BODY%3E
New Contributor

Hi - How can I find out who has clicked on a link that was blocked?

 

There was an obvious spam email doing the rounds, and I'd like to know who has fallen for it?

 

Thanks

 

6 Replies
Hi @Antonio13286,

You can use Get-UrlTrace

https://docs.microsoft.com/en-us/powershell/module/exchange/advanced-threat-protection/get-urltrace?...

As described in the article, this is designed to determine who clicked through to a malicious web site in the past 7 days. To note, it’s currently limited to 7 days

Hope that answers your question!

Best, Chris
Thanks Adam. I’ve had a look through the dashboards, but can’t find any reports that specifically list the users?
Thanks Chris, I’ve run that command, but still not getting the results. There’s some users whom I know got the blocking page, but they didn’t show up?
Be aware that this command only goes 7 days back!
That’s right!

And if you have specific users you think clicked through have you tried the full command as shown in the example for particular users -

Get-UrlTrace -RecipientAddress "michelle@contoso.com" -StartDate "5/9/2016" -EndDate "5/11/2016"

Best, Chris