Agent Foskett Academy • Lesson 45 • Investigating EmailUrlInfo

Investigating EmailUrlInfo in Microsoft Defender XDR

EmailUrlInfo records URL details extracted from emails processed by Microsoft Defender for Office 365.

It helps defenders answer a key investigation question: what URL was embedded, which message carried it, and where else did it appear?

In this lesson, you'll learn how to investigate URLs, domains, phishing links and email-delivered web threats using EmailUrlInfo.

Agent Foskett Academy lesson explaining EmailUrlInfo in Microsoft Defender XDR
Lesson overview

Learn how EmailUrlInfo helps defenders investigate URLs, domains and suspicious links extracted from email messages.

Review URL metadata
Hunt suspicious domains and links
Pivot into email and click evidence

Why EmailUrlInfo matters

EmailEvents tells you an email existed. EmailUrlInfo tells you what URLs were embedded inside it.
URLs often carry the lurePhishing investigations often turn on the URL, domain, message relationship and whether the link was later clicked.
URLs create pivotsURLs and domains allow defenders to search for the same lure across email, click and web-related telemetry.
NetworkMessageId connects the storyNetworkMessageId lets defenders join URL evidence back to EmailEvents, UrlClickEvents and post-delivery investigation tables.

Investigation scenario

A user received a suspicious email containing a link. EmailEvents showed the message. EmailUrlInfo identified the URL, its domain and whether the same link appeared elsewhere.
The email was suspiciousThe sender, subject and delivery action made the message worth investigating.
The URL became the evidenceThe URL and domain helped identify whether the link was unique, repeated or connected to other recipients.
The URL became the pivotOnce the URL was known, defenders could search click telemetry to see whether users interacted with the link.

Step 1 — Review recent email URL activity

Start with recent URL records and keep the fields that explain who received the message, what URL was present and which domain was involved.
emailurlinfo-recent-urls.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailAttachmentInfo
| where Timestamp > ago(7d)
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
          FileName, FileType, SHA256, SHA1, ThreatTypes
| order by Timestamp desc

Step 2 — Find common URLs and domains

Summarise URLs and domains to understand which links are appearing most often across email traffic.
emailurlinfo-common-urls.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailAttachmentInfo
| where Timestamp > ago(30d)
| summarize Messages = dcount(NetworkMessageId), Recipients = dcount(RecipientEmailAddress)
                            by FileName, FileType, SHA256
| top 50 by Messages desc

Step 3 — Hunt for suspicious URL patterns

Search for URL patterns that are commonly abused during phishing, credential theft, fake file shares and web-based payload delivery.
emailurlinfo-suspicious-patterns.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
EmailAttachmentInfo
| where Timestamp > ago(14d)
| where FileName has_any (".iso", ".img", ".lnk", ".js", ".vbs", ".hta", ".scr", ".exe", ".zip")
| project Timestamp, SenderFromAddress, RecipientEmailAddress,
          FileName, FileType, SHA256, ThreatTypes, NetworkMessageId
| order by Timestamp desc

Step 4 — Investigate URLs in one email message

When a message becomes interesting, filter by NetworkMessageId and list every URL connected to that email.
emailurlinfo-one-message.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
let TargetMessageId = "replace-with-network-message-id";
EmailAttachmentInfo
| where NetworkMessageId == TargetMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress,
          FileName, FileType, SHA256, SHA1, ThreatTypes
| order by Timestamp asc

Step 5 — Join URLs back to EmailEvents

Join EmailUrlInfo to EmailEvents so URL evidence can be viewed beside the message subject, delivery action and threat classification.
emailurlinfo-join-emailevents.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailAttachmentInfo
| where Timestamp > ago(7d)
| join kind=leftouter (
                            EmailEvents
    | where Timestamp > ago(7d)
    | project NetworkMessageId, Subject, DeliveryAction, ThreatTypes, EmailDirection
) on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject,
          DeliveryAction, FileName, FileType, SHA256, ThreatTypes
| order by Timestamp desc

Step 6 — Pivot from email URL to UrlClickEvents

Use URL evidence to search UrlClickEvents and determine whether a user clicked a link from an email message.
emailurlinfo-pivot-to-urlclickevents.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
let AttachmentHashes = EmailAttachmentInfo
| where Timestamp > ago(7d)
| where isnotempty(SHA256)
| distinct SHA256;
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in (AttachmentHashes)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessAccountName
| order by Timestamp desc

Common investigation uses

EmailAttachmentInfo is most useful when defenders need to move from a suspicious message to the file evidence carried by that message.
Investigate phishing linksReview URLs, domains and threat classifications connected to suspicious emails and phishing campaigns.
Track repeated linksUse URL and domain values to find the same link across multiple recipients, senders or messages.
Connect email to click activityPivot from EmailUrlInfo into UrlClickEvents to check whether a user clicked the link.

Common mistakes

Attachment investigations can go wrong when defenders stop at the email and never follow the file evidence.
Only reading the subject lineThe subject may look harmless while the embedded URL or domain tells a different story.
Ignoring the domainThe display text may change, but the URL domain can reveal the same phishing infrastructure across multiple messages.
Not joining tablesEmailUrlInfo becomes much stronger when joined to EmailEvents, UrlClickEvents and EmailPostDeliveryEvents.
EmailUrlInfo is where suspicious email becomes link evidence.
Use it to identify the embedded URL, review the domain and follow the link across the wider incident timeline.
Back to Academy →

What you learned

EmailUrlInfo records URL metadataYou can use it to review URLs, domains, recipients and message identifiers.
NetworkMessageId connects the email storyYou can join URL records back to EmailEvents and UrlClickEvents.
URLs support wider pivotsEmail URLs can help defenders search click telemetry and identify whether a user interacted with a suspicious link.

Related Agent Foskett Academy lessons

Investigating EmailEventsStart with the message metadata before reviewing the URLs connected to the email.
Investigating UrlClickEventsReview whether users clicked links connected to suspicious email activity.
Investigating DeviceFileEventsPivot from suspicious links into user click activity and Safe Links outcomes.
Investigating AlertEvidenceConnect alerts to the email, URLs, users and devices involved in an investigation.
Connecting Tables with joinJoin EmailUrlInfo to EmailEvents and click telemetry.
Building Investigation TimelinesTurn email, URL and click evidence into a clear incident timeline.
Using has_anySearch for multiple suspicious URL terms, domains and indicators.
Extracting Evidence with extract()Extract useful indicators from URLs, subjects and email-related fields.

Coming next

Lesson 46 — Investigating CloudAppEvents in Microsoft Defender XDRNext, Agent Foskett Academy will move into CloudAppEvents, helping defenders investigate cloud app activity, user actions and suspicious behaviour across Microsoft 365 services.
Why this mattersAfter investigating email links, defenders also need to understand what users did inside cloud applications after authentication and access.
What you will learn nextLearn how to review cloud app activity, user actions, workloads, IP addresses and suspicious cloud behaviour.

Final thought

EmailUrlInfo turns the email from a message into a link trail you can follow.
Agent Foskett mindsetDo not stop at the inbox. Capture the URL, identify the domain, connect the message and follow the click trail wherever it leads next.
Follow the fileA suspicious URL may start in email, but the real story often continues in click and web telemetry.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating EmailUrlInfo in Microsoft Defender XDR

Agent Foskett Academy Lesson 45 teaches defenders how to use EmailUrlInfo to investigate email URLs, suspicious domains, phishing links and web-based attack evidence in Microsoft Defender XDR.

Learn EmailUrlInfo for Microsoft Defender XDR hunting

This lesson explains how EmailUrlInfo supports Microsoft Defender XDR investigations by helping defenders review URL metadata, join email evidence, track suspicious links and pivot into click telemetry.