EmailUrlInfo

Applies to:

  • Microsoft Defender XDR

The EmailUrlInfo table in the advanced hunting schema contains information about URLs on emails and attachments processed by Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Column name Data type Description
Timestamp datetime Date and time when the event was recorded
NetworkMessageId string Unique identifier for the email, generated by Microsoft 365
Url string Full URL in the email subject, body, or attachment
UrlDomain string Domain name or host name of the URL
UrlLocation string Indicates which part of the email the URL is located
ReportId string Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns

Tip

To hunt for attacks based on URLs embedded within QR codes, users can leverage the UrlLocation column having "QRCode" as an identifier for URLs extracted from QR codes.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.