Agent Foskett Academy • Lesson 77 • Phishing Investigation

Correlating EmailEvents and UrlClickEvents in Microsoft Defender XDR.

The phishing email had been delivered.

Several users received it.

Some ignored it.

Others clicked the link.

Agent Foskett had email evidence in one table and click evidence in another.

To understand the full attack, he needed to bring EmailEvents and UrlClickEvents together.

Agent Foskett Academy lesson correlating EmailEvents and UrlClickEvents in Microsoft Defender XDR
Lesson overview

Learn how defenders correlate EmailEvents and UrlClickEvents to connect email delivery, recipient exposure, URL clicks, Safe Links outcomes and complete phishing investigation timelines.

Join email and click evidence
Identify users who clicked
Review Safe Links outcomes
Build complete phishing timelines

Why correlation matters

EmailEvents explains what arrived. UrlClickEvents explains what users did after the message was delivered.
EmailEvents shows deliveryUse EmailEvents to identify the sender, recipient, subject, delivery action and message identifiers.
UrlClickEvents shows interactionUse UrlClickEvents to identify who clicked, which URL was accessed, whether Safe Links was involved and what action Microsoft recorded.
Together they show the incidentCorrelation helps defenders move from message delivery to user behaviour and prioritise accounts that require urgent review.

The fields used in this lesson

NetworkMessageIdThe shared message identifier commonly used to correlate EmailEvents with UrlClickEvents.
RecipientEmailAddressThe mailbox that received the suspicious message.
AccountUpnThe user account associated with the URL click event.
UrlThe URL clicked by the user.
ActionTypeWhat Microsoft Defender recorded when the user clicked the link.
IsClickedThroughWhether the user continued beyond Microsoft Defender Safe Links protection.

Step 1 — Review suspicious email delivery

Start with EmailEvents to identify the message, recipients and delivery outcomes.
review-suspicious-email-delivery.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where Subject contains "Password"
| project Timestamp,
          NetworkMessageId,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          DeliveryAction
| order by Timestamp desc

Step 2 — Join EmailEvents with UrlClickEvents

Use NetworkMessageId to connect the email record with the URL click record.
join-emailevents-urlclickevents.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| join kind=inner UrlClickEvents on NetworkMessageId
| project Timestamp,
          Subject,
          SenderFromAddress,
          RecipientEmailAddress,
          AccountUpn,
          Url,
          ActionType
| order by Timestamp desc

Step 3 — Find users who clicked

This query shows recipients who also generated URL click activity for the same message.
users-who-clicked.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| join kind=inner UrlClickEvents on NetworkMessageId
| summarize Clicks = count(),
            URLs = make_set(Url)
          by RecipientEmailAddress,
             AccountUpn,
             Subject
| order by Clicks desc

Step 4 — Identify users who clicked through

IsClickedThrough helps prioritise users who may have reached the phishing destination.
clicked-through-users.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| join kind=inner UrlClickEvents on NetworkMessageId
| where IsClickedThrough == true
| project Timestamp,
          RecipientEmailAddress,
          AccountUpn,
          Subject,
          Url,
          ActionType

Step 5 — Build a phishing investigation timeline

Sort the joined evidence by time to show delivery, user interaction and Safe Links outcomes together.
phishing-investigation-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| join kind=inner UrlClickEvents on NetworkMessageId
| project Timestamp,
          Subject,
          SenderFromAddress,
          RecipientEmailAddress,
          AccountUpn,
          Url,
          UrlChain,
          IsClickedThrough,
          ActionType
| order by Timestamp asc

Step 6 — Count exposed users and clickers

Compare message recipients with users who clicked to understand exposure versus interaction.
recipient-click-summary.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
EmailEvents
| join kind=leftouter UrlClickEvents on NetworkMessageId
| summarize Recipients = dcount(RecipientEmailAddress),
            Clickers = dcount(AccountUpn)
          by Subject,
             SenderFromAddress
| order by Clickers desc

How to read the results

Joined results should be reviewed as a timeline, not as isolated rows.
Delivery is not impactA delivered email matters, but the impact changes when a user clicks, continues or reaches the final destination.
Clickers need priorityUsers who generated allowed or clicked-through events usually require faster account and sign-in review.
Identifiers matterNetworkMessageId, InternetMessageId and ReportId help keep email and click evidence aligned.

Common investigation uses

Phishing campaign scopingIdentify who received the message and who interacted with the malicious link.
Credential compromise reviewPrioritise users who clicked through Safe Links and then check Entra ID sign-in activity.
Incident timeline buildingShow when the email arrived, when the user clicked and what Defender recorded at each stage.
Security control validationCompare delivery, click activity, Safe Links outcomes and post-click behaviour.

Common mistakes

Looking at EmailEvents onlyEmail delivery does not prove impact. UrlClickEvents shows whether users interacted with the lure.
Ignoring unmatched recipientsUsers who received the message but did not click still matter for scoping and user communication.
Forgetting time orderAlways sort the evidence into a timeline so delivery, click and follow-up activity make sense.

What you learned

Email and click evidence belong togetherJoining tables helps defenders see the complete phishing story.
NetworkMessageId is the pivotThis identifier commonly connects EmailEvents and UrlClickEvents during phishing investigations.
Clickers drive response priorityAllowed clicks and click-through activity often determine which users need urgent investigation.

Related Agent Foskett Academy lessons

Advanced UrlClickEvents InvestigationsUnderstand how defenders investigate user link clicks in Microsoft Defender XDR.
Investigating UrlChainFollow redirect chains from the clicked URL to the final destination.
Investigating IsClickedThroughDetermine whether users continued through Safe Links protection.
Investigating ActionType in UrlClickEventsUnderstand how Defender recorded click outcomes.
Investigating NetworkMessageIdUse message identifiers to connect related evidence.
Investigating RecipientEmailAddressIdentify who received the suspicious message.

Coming next

Lesson 78 — Investigating EmailAttachmentInfo in Microsoft Defender XDRNext, Agent Foskett Academy will investigate malicious attachments, file names, hashes and attachment-based phishing campaigns in Microsoft Defender XDR.
Why this mattersSome phishing attacks rely on links. Others rely on attachments. EmailAttachmentInfo helps defenders follow the file evidence.

Final thought

A phishing investigation is not complete until defenders know who received the message and who interacted with it.
Agent Foskett mindsetDo not stop at the email. Follow the click evidence and build the complete timeline.
Follow the user actionThe email explains the lure. UrlClickEvents explains the user behaviour.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Correlating EmailEvents and UrlClickEvents in Microsoft Defender XDR

Agent Foskett Academy Lesson 77 teaches defenders how to correlate EmailEvents and UrlClickEvents during Microsoft Defender XDR phishing investigations.

Build complete phishing investigation timelines

This lesson explains how EmailEvents, UrlClickEvents, NetworkMessageId, RecipientEmailAddress, AccountUpn, Url, UrlChain, IsClickedThrough and ActionType help defenders connect email delivery with user click evidence.