Agent Foskett Academy • Lesson 74 • URL Click Investigation

Investigating UrlChain in Microsoft Defender XDR.

The user clicked the link.

Safe Links recorded the event.

But the first URL was not where the browser actually ended up.

Agent Foskett needed to follow every redirect from the original click to the final destination.

The answer was hidden inside UrlChain.

In Microsoft Defender XDR, UrlChain helps defenders trace phishing redirects, uncover hidden infrastructure and understand where a user was really sent after clicking a link.

Agent Foskett Academy lesson explaining UrlChain in Microsoft Defender XDR
Lesson overview

Learn how to investigate UrlChain in UrlClickEvents and use it to trace redirects from the original clicked link to the final destination.

Review redirect chains
Identify final destinations
Expose phishing infrastructure
Connect clicks to investigation timelines

Why UrlChain matters

Modern phishing attacks rarely send users straight to the final credential harvesting page. UrlChain helps defenders follow the redirects and expose the real path.
It shows the full pathUrlChain can reveal each redirect from the original clicked link through to the final destination.
It exposes hidden infrastructureAttackers often use URL shorteners, open redirects and compromised websites before reaching the final phishing page.
It improves investigation accuracyThe original URL may look harmless. UrlChain helps defenders understand where the user actually went.

The fields used in this lesson

UrlChainThe redirect chain recorded for a clicked URL, showing the path followed during the click event.
UrlThe URL recorded during the Safe Links click event.
AccountUpnThe user account that interacted with the link.
ActionTypeThe click outcome recorded by Microsoft Defender, such as whether the click was allowed or blocked.
NetworkMessageIdA Microsoft 365 message identifier used to connect URL clicks back to email evidence.
TimestampThe time the user click or Safe Links event occurred.

Step 1 — Review recent UrlChain activity

Start by reviewing recent click events where Microsoft Defender recorded a UrlChain.
review-urlchain-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
UrlClickEvents
| where Timestamp > ago(30d)
| where isnotempty(UrlChain)
| project Timestamp,
          AccountUpn,
          Url,
          UrlChain,
          ActionType
| order by Timestamp desc

Step 2 — Investigate a specific user's redirect path

When a user reports clicking a suspicious link, review their UrlChain evidence directly.
user-urlchain-investigation.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
UrlClickEvents
| where AccountUpn == "user@contoso.com"
| where Timestamp > ago(7d)
| project Timestamp,
          Url,
          UrlChain,
          ActionType
| order by Timestamp desc

Step 3 — Find common redirect chains

Repeated UrlChain values can help reveal common redirect infrastructure used across a campaign.
common-urlchains.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
UrlClickEvents
| where Timestamp > ago(30d)
| where isnotempty(UrlChain)
| summarize Clicks = count(), Users = dcount(AccountUpn)
          by UrlChain
| order by Clicks desc

Step 4 — Search for suspicious redirect wording

Use keyword searches to find redirect chains that contain login, password, verification or document-themed lures.
suspicious-urlchain-terms.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
UrlClickEvents
| where Timestamp > ago(30d)
| where UrlChain has_any ("login", "password", "verify", "invoice", "document")
| project Timestamp,
          AccountUpn,
          Url,
          UrlChain,
          ActionType
| order by Timestamp desc

Step 5 — Correlate redirect chains with email evidence

Join UrlClickEvents to EmailEvents so the redirect path can be reviewed beside the sender, recipient and subject.
email-urlchain-correlation.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| join kind=inner (
    UrlClickEvents
    | where isnotempty(UrlChain)
) on NetworkMessageId
| project Timestamp,
          Subject,
          SenderFromAddress,
          RecipientEmailAddress,
          AccountUpn,
          Url,
          UrlChain

Step 6 — Review blocked and allowed redirect activity

Compare ActionType outcomes to understand whether users were blocked or allowed through the redirect chain.
urlchain-actiontype-outcomes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
UrlClickEvents
| where Timestamp > ago(30d)
| where isnotempty(UrlChain)
| summarize Clicks = count(), Users = dcount(AccountUpn)
          by ActionType,
             UrlChain
| order by Clicks desc

How to read the results

UrlChain should be treated as path evidence. It helps explain how a click moved through redirect infrastructure before reaching the final destination.
The first URL may not be the final destinationAttackers often use the first URL as a staging point rather than the actual phishing site.
Redirects can hide intentUrl shorteners, compromised sites and open redirects can make a link appear safer than it really is.
The chain supports scopingIf multiple users followed the same UrlChain, defenders may be looking at a wider phishing campaign.

Common investigation uses

Credential phishingTrace redirects that eventually land on fake Microsoft 365, banking or document-sharing login pages.
Redirect abuseIdentify URL shorteners, open redirects and compromised websites being used to hide the final destination.
User click investigationConfirm whether a user only clicked the original link or continued through to a suspicious destination.
Campaign scopingGroup users and clicks that followed the same redirect path during a phishing campaign.

Common mistakes

Only checking the original URLThe original URL may not show the final destination. Always review UrlChain where it is available.
Ignoring allowed clicksAn allowed click may still deserve review if the redirect path contains suspicious domains or phishing wording.
Not correlating back to emailUrlChain tells the redirect story, but EmailEvents explains the sender, subject, recipient and delivery context.

What you learned

UrlChain reveals redirect pathsIt helps defenders see where a click travelled after the original URL was selected.
Redirects can hide phishing infrastructureAttackers use intermediate hops to hide the final destination and make analysis harder.
Clicks need contextUrlChain should be reviewed with UrlClickEvents, EmailEvents, NetworkMessageId, ActionType and user evidence.

Related Agent Foskett Academy lessons

Investigating UrlClickEventsUnderstand the core table used to investigate Safe Links clicks and user interaction.
Advanced UrlClickEvents InvestigationsLearn how defenders move from click evidence into full phishing investigation timelines.
Investigating NetworkMessageIdConnect the same message across Defender email, click and attachment evidence.
Investigating ReportIdCorrelate related Defender XDR records during email and click investigations.
Investigating SubjectReview subject lines used in phishing campaigns and malicious lures.
Investigating RecipientEmailAddressIdentify the users who received suspicious messages before investigating clicks.

Coming next

Lesson 75 — Investigating IsClickedThrough in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use IsClickedThrough to understand whether users continued through Microsoft Defender Safe Links protection to reach the destination.
Why this mattersUrlChain shows where the click travelled. IsClickedThrough helps explain whether the user actually proceeded through protection to reach the destination.

Final thought

The original link is only the start of the story. UrlChain helps defenders follow the path all the way to the final destination.
Agent Foskett mindsetDo not stop at the first URL. Follow the chain until the destination makes sense.
Follow every redirectRedirect chains can expose the infrastructure attackers tried to hide.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating UrlChain in Microsoft Defender XDR

Agent Foskett Academy Lesson 74 teaches defenders how to investigate UrlChain during Microsoft Defender XDR UrlClickEvents investigations.

Learn UrlChain investigation in Defender XDR

This lesson explains how UrlChain, UrlClickEvents, Url, AccountUpn, ActionType, NetworkMessageId and EmailEvents help defenders trace phishing redirects, uncover hidden infrastructure and investigate Safe Links click activity.