Safe Links - Report on users to have attempted to click on a malicious link

%3CLINGO-SUB%20id%3D%22lingo-sub-738921%22%20slang%3D%22en-US%22%3ESafe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738921%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20-%20How%20can%20I%20find%20out%20who%20has%20clicked%20on%20a%20link%20that%20was%20blocked%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20was%20an%20obvious%20spam%20email%20doing%20the%20rounds%2C%20and%20I'd%20like%20to%20know%20who%20has%20fallen%20for%20it%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-738921%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738986%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738986%22%20slang%3D%22en-US%22%3EThat%E2%80%99s%20right!%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20if%20you%20have%20specific%20users%20you%20think%20clicked%20through%20have%20you%20tried%20the%20full%20command%20as%20shown%20in%20the%20example%20for%20particular%20users%20-%3CBR%20%2F%3E%3CBR%20%2F%3EGet-UrlTrace%20-RecipientAddress%20%22michelle%40contoso.com%22%20-StartDate%20%225%2F9%2F2016%22%20-EndDate%20%225%2F11%2F2016%22%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738982%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738982%22%20slang%3D%22en-US%22%3EBe%20aware%20that%20this%20command%20only%20goes%207%20days%20back!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738981%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738981%22%20slang%3D%22en-US%22%3EThanks%20Chris%2C%20I%E2%80%99ve%20run%20that%20command%2C%20but%20still%20not%20getting%20the%20results.%20There%E2%80%99s%20some%20users%20whom%20I%20know%20got%20the%20blocking%20page%2C%20but%20they%20didn%E2%80%99t%20show%20up%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738980%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738980%22%20slang%3D%22en-US%22%3EThanks%20Adam.%20I%E2%80%99ve%20had%20a%20look%20through%20the%20dashboards%2C%20but%20can%E2%80%99t%20find%20any%20reports%20that%20specifically%20list%20the%20users%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738945%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738945%22%20slang%3D%22en-US%22%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330305%22%20target%3D%22_blank%22%3E%40Antonio13286%3C%2FA%3E%2C%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20can%20use%20Get-UrlTrace%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fadvanced-threat-protection%2Fget-urltrace%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fadvanced-threat-protection%2Fget-urltrace%3Fview%3Dexchange-ps%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EAs%20described%20in%20the%20article%2C%20this%20is%20designed%20to%20determine%20who%20clicked%20through%20to%20a%20malicious%20web%20site%20in%20the%20past%207%20days.%20To%20note%2C%20it%E2%80%99s%20currently%20limited%20to%207%20days%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20that%20answers%20your%20question!%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738944%22%20slang%3D%22en-US%22%3ERe%3A%20Safe%20Links%20-%20Report%20on%20users%20to%20have%20attempted%20to%20click%20on%20a%20malicious%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738944%22%20slang%3D%22en-US%22%3EHi!%3CBR%20%2F%3E%3CBR%20%2F%3EHere%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fview-reports-for-atp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fview-reports-for-atp%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EAdam%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hi - How can I find out who has clicked on a link that was blocked?

 

There was an obvious spam email doing the rounds, and I'd like to know who has fallen for it?

 

Thanks

 

6 Replies
Highlighted
Hi @Antonio13286,

You can use Get-UrlTrace

https://docs.microsoft.com/en-us/powershell/module/exchange/advanced-threat-protection/get-urltrace?...

As described in the article, this is designed to determine who clicked through to a malicious web site in the past 7 days. To note, it’s currently limited to 7 days

Hope that answers your question!

Best, Chris
Highlighted
Thanks Adam. I’ve had a look through the dashboards, but can’t find any reports that specifically list the users?
Highlighted
Thanks Chris, I’ve run that command, but still not getting the results. There’s some users whom I know got the blocking page, but they didn’t show up?
Highlighted
Be aware that this command only goes 7 days back!
Highlighted
That’s right!

And if you have specific users you think clicked through have you tried the full command as shown in the example for particular users -

Get-UrlTrace -RecipientAddress "michelle@contoso.com" -StartDate "5/9/2016" -EndDate "5/11/2016"

Best, Chris