An integrated threat protection solution designed to detect, investigate, and respond to cyber threats across Microsoft 365 services.
Thanks for posting your question on Microsoft Q&A forum. The allowed clicks from Microsoft IP addresses observed in the UrlClickEvents table in Advanced Hunting, despite the URLs being malicious, are likely triggered by automated Microsoft services rather than user actions.
Here are some explanations for this situation:
Automated Microsoft Services Scanning URLs:
- Microsoft operates various automated systems for security scanning, content processing, or threat intelligence gathering. These systems may automatically click URLs in emails or documents to analyze them for threats, even if no human interaction occurred.
- For example, services like Safe Links (part of Microsoft Defender for Office 365) might scan URLs during mail flow or as part of asynchronous detonation processes, generating click events from Microsoft-owned IP addresses.
Email Client Pre-fetching or Background Processing:
- Some email clients (e.g., Outlook Online) or mobile apps may pre-fetch URLs for rendering previews, link validation, or anti-phishing checks. This automated prefetching could register as a "click" in the UrlClickEvents table, even if the user never actively clicked the link.
- Additionally, internal Microsoft processes (e.g., scanning for broken links or content indexing) might trigger these events.
Safe Links Policy Configuration:
- Your custom Safe Links policy is enabled, but certain settings (e.g., "Apply real-time URL scanning" or "Wait for URL scanning to complete before delivering the message") may cause Microsoft systems to proactively scan URLs in emails or documents, generating click events from Microsoft IPs.
- The ActionType field showing "ClickAllowed" could indicate that Safe Links determined the URL was safe at the time of scanning (even if later classified as malicious) or that the automated scan bypassed user-facing block pages.
Internal Microsoft Testing or Background Tasks:
- Microsoft might conduct internal tests or background tasks (e.g., telemetry collection, compliance checks) that simulate clicks on URLs across tenant environments. These activities could originate from Microsoft IPs and appear in your logs.
Hope this clarifies your concern. Feel free to get back if you have other questions.
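As an added example (not part of the answer above, and not a Microsoft-provided query), the following Advanced Hunting KQL puts the answer's explanations to the test on your own tenant: it pulls the ClickAllowed events on URLs that carried a threat verdict, measures how soon after mail delivery each click happened, and flags source IPs whose behaviour looks automated (one address touching many accounts and URLs, or clicks landing seconds after delivery, before a person could plausibly open the message). The KnownScannerRanges list is a constructed placeholder; replace it with address ranges you have confirmed belong to Microsoft scanning services. The table and column names (UrlClickEvents, EmailEvents, ActionType, ThreatTypes, IPAddress, IsClickedThrough, NetworkMessageId, Workload) are the documented Advanced Hunting schema; the thresholds are assumptions to tune.

```kql
// Added example: triage ClickAllowed events on URLs Defender flagged as malicious,
// separating likely automated/scanner sources from genuine user clicks.
let lookback = 7d;
// Assumption: placeholder ranges, constructed for illustration. Replace with the
// ranges you have confirmed belong to Microsoft scanning or detonation services.
let KnownScannerRanges = dynamic(["203.0.113.0/24", "198.51.100.0/24"]);
UrlClickEvents
| where Timestamp > ago(lookback)
| where ActionType == "ClickAllowed"
| where isnotempty(ThreatTypes)          // URL carried a verdict (e.g. Phish, Malware) when clicked
// Correlate each click with the delivery of the message it came from
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, DeliveredAt = Timestamp, RecipientEmailAddress
  ) on NetworkMessageId
| extend SecondsAfterDelivery = datetime_diff("second", Timestamp, DeliveredAt)
| extend FromKnownScanner = ipv4_is_in_any_range(IPAddress, KnownScannerRanges)
| summarize Clicks = count(),
            Users = dcount(AccountUpn),
            Urls = dcount(Url),
            ClickedThrough = countif(IsClickedThrough == true),   // user went past the warning page
            MinSecondsAfterDelivery = min(SecondsAfterDelivery),
            Workloads = make_set(Workload),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by IPAddress, FromKnownScanner
// Heuristic (assumed thresholds): a single source IP that touches many accounts and
// URLs, or that "clicks" within seconds of delivery, behaves like a scanner, not a person.
| extend LikelyAutomated = FromKnownScanner
                           or (Users >= 5 and Urls >= 5)
                           or (MinSecondsAfterDelivery >= 0 and MinSecondsAfterDelivery < 30)
// Put the rows that still need a human look (real user clicks on flagged URLs) at the top
| order by LikelyAutomated asc, ClickedThrough desc, Clicks desc
```

Rows with LikelyAutomated == false and ClickedThrough > 0 are the ones worth an incident ticket: a named account reached a URL that Defender later judged malicious and did not stop at the warning page. Rows marked automated can be cross-checked against the delivery timing and the Workload column (mail flow versus Teams or Office clients) before you decide they are scanner noise rather than a user on a Microsoft-hosted client.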