Clicking the name of a query takes you to its file in this git repo.
Or try them out right away in your M365 Security tenant:
Click the '🔎' hotlink to plug the query right into your Advanced Hunting Query page.
- Hunt for potential phishing emails that link to a Microsoft OAuth login
- OAuth tokens can grant a third party permissions without stealing credentials (this also bypasses MFA)
- Logins take place on login.windows.net or login.microsoftonline.com, which is less suspicious
- Looks for inbound emails with >50 recipients, which may indicate a mass phishing attack
- Exclude your domain from the sender address for fewer false positives
- Detects high-confidence phishing or malware emails that were delivered to one or more mailboxes
- Input the FQDN of the phishing website to find who clicked on the link
- Determines the email address and device name of the clicker
- Determines how many times the link was clicked by each person
- Determines whether the URL was blocked when the link was clicked