A potentially malicious URL click was detected - but I didn't

Question

I got an Office365alert "High-severity alert: A potentially malicious URL click was detected." indicating that one of my users clicked a link in an email that was later determined to be malicious. After interviewing the user, they claimed to not have clicked the link, but instead realized the email was a phish right away.

I know, I know, rule #1 is to not trust user claims when they might get in trouble. However, giving the user the benefit of the doubt for the moment, under what conditions could a safe-linked URL get "clicked" without the user actually clicking it? Do some email clients pre-fetch URLs? What if they opened their email using Outlook Online, would their browser have prefetched it?

I want to trust the Office365 Alert, but I've had users claim innocence so often that I'm starting to question it.

Q. Can malicious clicks get triggered without a user actually clicking on the link?

Answer 1

Dear Mike from canmore ,

Good day ,

Thanks for posting in Microsoft Community.

I understand that you have an concern on A potentially malicious URL click was detected. Before moving forward, thank you for your efforts on explain your issue.

Yes , I have gone through all the mentioned information , You are using O365 business subscription include ( Built-in ) EOP and based on this I believe we need to investigate your concern with advance logs.

I would like to draw your attention here, In order to provided best support MS has a dedicated support. Moreover based on the current situations we need to involve our exchange online support team for advance troubleshooting therefore I would suggest you to contact our dedicated team for outlook and exchange to further troubleshoot. Please refer below:

Sign in to Microsoft 365 with your Microsoft 365 admin account, and select Support > New service request. If you're in the admin center, select Support > New service request.

NOTE : For your security and privacy , kindly don't mention any email address / password or other confidential information.

We look forward to your response. Thanks for your cooperation.

Sincerely,

Amul | Microsoft Community Moderator

***Note: In the event that you're unable to reply to this thread, please ensure that your Email address is verified in the Community Website by clicking on Your Account Name > "My Profile" > "Edit Profile" > Add your Email Address > tick "Receive email notifications" checkbox > click on "Save".***

Answer 2

A url "Click" is another way of saying a hyperlink was detected.

"A potentially malicious URL click was detected"

There is another alert similar that indicates that the user actually clicked the link.

"A user clicked through to a potentially malicious URL"

Here is the reference for these alerts: https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide

Answer 3

The above isn't quite true apparently.

A click really is a click.

A click through is triggered after the user goes past the "known" malicious link warning (i.e. clicks through the warning accepting risks)

But I don't know how true it is as I still get users claiming they did not click it!

https://m365admin.handsontek.net/microsoft-defender-for-office-365-new-default-url-click-alert-policy/

Answer 4

Any other answers provided other than 'put in a ticket'?

Answer 5

Any other answers provided other than 'put in a ticket'?

If you are a business customer, you should definitely make use of the support options you are paying for. Support phone numbers are listed in the article at https://support.microsoft.com/en-us/topic/global-customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2.