Remediation status for allowed click


Hello,


Could someone explain what "remediation status" means in the context of an alert of type "A potentially malicious URL click was detected"? The Safe Links report shows that the click was allowed, but the remediation status in the alert says "prevented" (see screenshot).

Many thanks

Keith


2 Replies

"Prevented means that there was no malicious emails in the mailbox for this item"
Reference: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investig...

Hi Keith,


To be honest, I disregard the fact that the status is "prevented".
I find it a very "vague" explanation:
"Prevented means that there was no malicious emails in the mailbox for this item (mail or cluster)."

Because it is very obvious that there is a malicious URL in the email, and I see the click event in the logs.

(at least in my case, don't know if the URL in the screenshot was indeed malicious or not)


I always validate and double-check outside of the automated investigation that is performed by MDO.
I sandbox the URL and validate the intention of the attack (payload delivery, phishing, redirections, info gathering, ...).


Then I often find myself using these tables to verify if anything landed:
UrlClickEvents - check how many users clicked on the domain
DeviceNetworkEvents - validate network requests based on the domain
DeviceFileEvents - if the malicious website drops a payload, hunt for it
EmailPostDeliveryEvents - see if the email has been removed/quarantined already
EmailEvents - hunt for similar emails that might not have been discovered.


I have a saying: "if the user clicks, then the user changes his password".
I don't take any risk, and I don't trust that SmartScreen/Safe Links was already aware of the reputation of the malicious domain, or that they did the click from an onboarded device.
End-users can also be very vague when asked if they entered any credentials or not, hence why I say "clicking = changing".

Greets
Louis
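The five tables Louis lists above map onto a single Advanced Hunting query in Microsoft Defender XDR. The query below is an added example written for this thread, not code from Louis or from Microsoft; it pivots on one suspect domain (the value of SuspectDomain is a placeholder, not a real indicator) and unions the click, network, file, post-delivery and "similar mail" signals into one timeline so the analyst can see in one pass whether anything landed. It goes one step beyond the list by using EmailUrlInfo to find other messages that carry the same domain, joined back to EmailEvents for sender, subject and latest delivery location. Table and column names are the documented Advanced Hunting schema; the 7-day lookback and the output shape are assumptions you can change.

```kql
// Added example for this thread (not from the original post).
// Pivot on a suspect domain across the tables named above.
let SuspectDomain = "example-phish.invalid";   // placeholder, replace with the domain from the alert
let Lookback = 7d;                              // assumption; UrlClickEvents keeps 30 days
// 1. UrlClickEvents: who clicked, and did Safe Links allow, block, or get clicked through?
let Clicks = UrlClickEvents
| where Timestamp > ago(Lookback)
| where Url has SuspectDomain or UrlChain has SuspectDomain;
// Message IDs of the emails the clicks came from (Teams/Office clicks have none)
let ClickedMessages = Clicks
| where isnotempty(NetworkMessageId)
| distinct NetworkMessageId;
// 2. DeviceNetworkEvents: did an onboarded device actually talk to the domain?
let NetHits = DeviceNetworkEvents
| where Timestamp > ago(Lookback)
| where RemoteUrl has SuspectDomain
| project Timestamp, Source = "DeviceNetworkEvents",
          Account = InitiatingProcessAccountUpn, Device = DeviceName,
          Detail = strcat(InitiatingProcessFileName, " -> ", RemoteUrl);
// 3. DeviceFileEvents: did the site drop a payload? Match on download origin/referrer.
let Drops = DeviceFileEvents
| where Timestamp > ago(Lookback)
| where FileOriginUrl has SuspectDomain or FileOriginReferrerUrl has SuspectDomain
| project Timestamp, Source = "DeviceFileEvents",
          Account = InitiatingProcessAccountUpn, Device = DeviceName,
          Detail = strcat(FolderPath, " sha256=", SHA256);
// 4. EmailPostDeliveryEvents: has ZAP or a manual action already removed the clicked mail?
let PostDelivery = EmailPostDeliveryEvents
| where Timestamp > ago(Lookback)
| where NetworkMessageId in (ClickedMessages)
| project Timestamp, Source = "EmailPostDeliveryEvents",
          Account = RecipientEmailAddress, Device = "",
          Detail = strcat(ActionType, " / ", Action, " -> ", ActionResult);
// 5. EmailEvents (via EmailUrlInfo): other mails carrying the same domain, clicked or not.
let Similar = EmailUrlInfo
| where Timestamp > ago(Lookback)
| where UrlDomain has SuspectDomain
| join kind=inner (EmailEvents | where Timestamp > ago(Lookback)) on NetworkMessageId
| project Timestamp, Source = "EmailEvents",
          Account = RecipientEmailAddress, Device = "",
          Detail = strcat(SenderFromAddress, " | ", Subject, " | ", LatestDeliveryLocation);
// One timeline: clicks first, then everything that followed or was related.
Clicks
| project Timestamp, Source = "UrlClickEvents",
          Account = AccountUpn, Device = "",
          Detail = strcat(ActionType, " clickedThrough=", IsClickedThrough, " ", Url)
| union NetHits, Drops, PostDelivery, Similar
| order by Timestamp asc
```

Read the result top-down: a "ClickAllowed" row in UrlClickEvents followed by a DeviceNetworkEvents row for the same user is the confirmation that the click reached the site regardless of what the alert's remediation status says; a DeviceFileEvents row means there is a payload to hunt; an empty EmailPostDeliveryEvents section means the mail is still sitting in the mailbox; and EmailEvents rows whose recipients never appear in UrlClickEvents are the "not yet discovered" copies that still need to be pulled.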