Investigating EmailUrlInfo in Microsoft Defender XDR
EmailUrlInfo records URL details extracted from emails processed by Microsoft Defender for Office 365.
It helps defenders answer a key investigation question: what URL was embedded, which message carried it, and where else did it appear?
In this lesson, you'll learn how to investigate URLs, domains, phishing links and email-delivered web threats using EmailUrlInfo.
Lesson overview
Learn how EmailUrlInfo helps defenders investigate URLs, domains and suspicious links extracted from email messages.
Why EmailUrlInfo matters
Investigation scenario
Step 1 — Review recent email URL activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
EmailAttachmentInfo | where Timestamp > ago(7d) | project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, FileName, FileType, SHA256, SHA1, ThreatTypes | order by Timestamp desc
Step 2 — Find common URLs and domains
- 1
- 2
- 3
- 4
- 5
- 6
- 7
EmailAttachmentInfo | where Timestamp > ago(30d) | summarize Messages = dcount(NetworkMessageId), Recipients = dcount(RecipientEmailAddress) by FileName, FileType, SHA256 | top 50 by Messages desc
Step 3 — Hunt for suspicious URL patterns
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
EmailAttachmentInfo | where Timestamp > ago(14d) | where FileName has_any (".iso", ".img", ".lnk", ".js", ".vbs", ".hta", ".scr", ".exe", ".zip") | project Timestamp, SenderFromAddress, RecipientEmailAddress, FileName, FileType, SHA256, ThreatTypes, NetworkMessageId | order by Timestamp desc
Step 4 — Investigate URLs in one email message
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
let TargetMessageId = "replace-with-network-message-id"; EmailAttachmentInfo | where NetworkMessageId == TargetMessageId | project Timestamp, SenderFromAddress, RecipientEmailAddress, FileName, FileType, SHA256, SHA1, ThreatTypes | order by Timestamp asc
Step 5 — Join URLs back to EmailEvents
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
EmailAttachmentInfo | where Timestamp > ago(7d) | join kind=leftouter ( EmailEvents | where Timestamp > ago(7d) | project NetworkMessageId, Subject, DeliveryAction, ThreatTypes, EmailDirection ) on NetworkMessageId | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, FileName, FileType, SHA256, ThreatTypes | order by Timestamp desc
Step 6 — Pivot from email URL to UrlClickEvents
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
let AttachmentHashes = EmailAttachmentInfo | where Timestamp > ago(7d) | where isnotempty(SHA256) | distinct SHA256; DeviceFileEvents | where Timestamp > ago(7d) | where SHA256 in (AttachmentHashes) | project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessAccountName | order by Timestamp desc
