Agent Foskett Academy • Lesson 75 • URL Click Investigation

Investigating IsClickedThrough in Microsoft Defender XDR.

The phishing email was delivered.

The user clicked the embedded link.

Microsoft Defender Safe Links inspected the destination.

But Agent Foskett needed to answer the question that mattered most.

Did the user stop at the warning, or continue through to the destination?

The answer was hidden inside IsClickedThrough.

Agent Foskett Academy lesson explaining IsClickedThrough in Microsoft Defender XDR
Lesson overview

Learn how to investigate IsClickedThrough in UrlClickEvents and determine whether users continued through Safe Links protection to reach a destination.

Review click-through activity
Identify users who proceeded
Compare Safe Links outcomes
Prioritise risky user behaviour

Why IsClickedThrough matters

A click alone does not always mean compromise. IsClickedThrough helps defenders understand whether a user continued beyond Microsoft Defender Safe Links protection.
It separates clicks from exposure A user may click a link but stop at the Safe Links warning. IsClickedThrough helps show whether they went further.
It prioritises response Users who clicked through to a suspicious destination may need faster password reset, session review and sign-in investigation.
It explains user behaviour This field helps defenders understand whether users obeyed warnings or continued through protection during a phishing event.

The fields used in this lesson

IsClickedThrough Indicates whether the user continued through Safe Links protection to reach the destination.
ActionType The click outcome recorded by Microsoft Defender Safe Links.
Url The URL involved in the click event.
AccountUpn The user account associated with the click activity.
UrlChain The redirect path followed during the click event.
NetworkMessageId Used to correlate click activity back to the email that delivered the link.

Step 1 — Review IsClickedThrough activity

Start by reviewing recent click records where IsClickedThrough is present.
review-isclickedthrough.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
UrlClickEvents
| where Timestamp > ago(30d)
| project Timestamp,
          AccountUpn,
          Url,
          ActionType,
          IsClickedThrough
| order by Timestamp desc

Step 2 — Find users who clicked through

Focus on users who continued through protection because they may represent higher-risk exposure.
users-clicked-through.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
UrlClickEvents
| where Timestamp > ago(30d)
| where IsClickedThrough == true
| project Timestamp,
          AccountUpn,
          Url,
          ActionType
| order by Timestamp desc

Step 3 — Summarise click-through outcomes

Count click-through behaviour to understand how many users stopped and how many continued.
summarise-clickthrough.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
UrlClickEvents
| where Timestamp > ago(30d)
| summarize Clicks = count(),
            Users = dcount(AccountUpn)
          by IsClickedThrough
| order by Clicks desc

Step 4 — Investigate suspicious login URLs

Search for login-themed URLs and review whether users continued through Safe Links.
login-clickthrough.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
UrlClickEvents
| where Timestamp > ago(30d)
| where Url contains "login"
| project Timestamp,
          AccountUpn,
          Url,
          UrlChain,
          ActionType,
          IsClickedThrough
| order by Timestamp desc

Step 5 — Correlate clicks with email delivery

Use NetworkMessageId to connect click-through activity back to the message that delivered the link.
email-clickthrough-correlation.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| join kind=inner UrlClickEvents on NetworkMessageId
| project Timestamp,
          Subject,
          SenderFromAddress,
          RecipientEmailAddress,
          AccountUpn,
          Url,
          ActionType,
          IsClickedThrough
| order by Timestamp desc

Step 6 — Find users who clicked through more than once

Repeated click-through behaviour can identify users who may need urgent investigation or awareness support.
repeat-clickthrough-users.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
UrlClickEvents
| where Timestamp > ago(30d)
| where IsClickedThrough == true
| summarize ClickThroughs = count(),
            FirstClick = min(Timestamp),
            LastClick = max(Timestamp)
          by AccountUpn
| order by ClickThroughs desc

How to read the results

IsClickedThrough should be treated as exposure evidence. It becomes much stronger when reviewed with Safe Links action, URL chain and email context.
True requires attention A true value suggests the user continued through protection and may have reached the destination.
False still matters A false value does not mean the campaign was safe. It means the user did not continue through that click path.
ActionType completes the picture Review IsClickedThrough alongside ActionType to understand whether the click was allowed, blocked, warned or otherwise handled.

Common investigation uses

Credential phishing Identify users who may have reached credential harvesting pages after Safe Links inspection.
User behaviour review Understand whether users followed security warnings or continued through to suspicious destinations.
Incident prioritisation Prioritise response for users who clicked through to suspicious or malicious destinations.
Post-click investigation Use click-through evidence to decide whether to review sign-ins, devices, sessions and mailbox activity.

Common mistakes

Assuming every click is compromise A click may have been blocked or abandoned. IsClickedThrough helps separate interaction from exposure.
Ignoring ActionType IsClickedThrough should be reviewed together with ActionType to understand what Microsoft Defender recorded.
Not checking what happened next If a user clicked through, defenders should review sign-ins, sessions, mailbox rules and endpoint activity.

What you learned

IsClickedThrough shows exposure It helps defenders determine whether a user continued through protection to the destination.
Click-through users need review Users who continue through warnings may need identity, session and endpoint investigation.
Clicks need context Use IsClickedThrough with UrlChain, ActionType, EmailEvents and identity evidence to understand the real risk.

Related Agent Foskett Academy lessons

Investigating UrlClickEvents Understand the table used to investigate URL click activity.
Advanced UrlClickEvents Investigations Build complete URL click investigation timelines.
Investigating UrlChain Trace redirects from original clicks to final destinations.
Investigating ReportId Correlate Defender XDR records during investigations.
Investigating InternetMessageId Identify email messages across Microsoft 365 investigations.
Investigating RecipientEmailAddress Identify users who received suspicious messages.

Coming next

Lesson 76 — Investigating ActionType in UrlClickEvents Next, Agent Foskett Academy explains how defenders use ActionType to understand whether Safe Links allowed, blocked, warned or otherwise recorded URL click activity.
Why this matters IsClickedThrough explains whether the user continued. ActionType explains what Microsoft Defender recorded during the click.

Final thought

A click is not always the same as compromise. IsClickedThrough helps defenders understand whether the user actually reached the destination.
Agent Foskett mindset Do not stop at clicked. Ask whether the user continued through protection and what happened next.
Follow the user decision The user's choice to continue or stop can change the priority and direction of the investigation.
Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD

Investigating IsClickedThrough in Microsoft Defender XDR

Agent Foskett Academy Lesson 75 teaches defenders how to investigate IsClickedThrough during Microsoft Defender XDR URL click investigations.

Learn IsClickedThrough investigation in Defender XDR

This lesson explains how IsClickedThrough, UrlClickEvents, UrlChain, ActionType, AccountUpn, NetworkMessageId and EmailEvents help defenders determine whether users continued through Safe Links protection during phishing investigations.