Query Details
id: e6f2a4b5-c0d1-3e7f-8a9b-0c1d2e3f4a5b
name: Account Takeover - Email Forwarding Rule Created After Silent Auth
version: 1.0.0
kind: Scheduled
description: |
  Detects a key Business Email Compromise (BEC) indicator: a user's inbox forwarding
  or redirect rule is created/modified within 2 hours of a non-interactive (silent)
  sign-in. Attackers who obtain access via token theft immediately set up email
  forwarding rules to monitor communications and exfiltrate sensitive emails.
  MITRE ATT&CK: T1114 (Email Collection), T1114.003 (Email Forwarding Rule)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
  - connectorId: Office365
    dataTypes:
      - OfficeActivity
queryFrequency: 1h
queryPeriod: 3h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Collection
  - Exfiltration
  - Persistence
relevantTechniques:
  - T1114
  - T1078
query: |
  // Last successful non-interactive sign-in per user within the lookback window.
  // The UPN is lowercased here because KQL join keys and == are case-sensitive
  // and OfficeActivity.UserId is lowercased below; without this, mixed-case UPNs
  // would never match and the rule would silently miss those users.
  let SilentAuthUsers =
      AADNonInteractiveUserSignInLogs
      | where TimeGenerated > ago(3h)
      | where ResultType == 0
      | summarize LastNI = max(TimeGenerated), NI_IPs = make_set(IPAddress)
          by UserPrincipalName = tolower(UserPrincipalName);
  OfficeActivity
  | where TimeGenerated > ago(3h)
  // Inbox-rule and mailbox operations that can introduce forwarding
  | where Operation in (
      "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"
  )
  // Parameters that forward, redirect, or hide mail
  | where Parameters has_any (
      "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
      "DeleteMessage", "MarkAsRead"
  )
  | extend UPN = tolower(UserId)
  | join kind=inner SilentAuthUsers on $left.UPN == $right.UserPrincipalName
  // The rule change must follow the silent sign-in and fall within 2 hours of it
  | where TimeGenerated > LastNI
      and (TimeGenerated - LastNI) < 2h
  | project
      RuleCreationTime = TimeGenerated,
      UserPrincipalName = UPN,
      Operation,
      Parameters,
      NI_IPs,
      LastNISignIn = LastNI,
      TimeSinceNISignIn = (TimeGenerated - LastNI),
      ClientIP
  | order by RuleCreationTime desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ClientIP
customDetails:
  InboxRuleOperation: Operation
  TimeSinceNISignIn: TimeSinceNISignIn
  NISignInIPs: NI_IPs
alertDetailsOverride:
  alertDisplayNameFormat: "BEC Indicator - {{UserPrincipalName}} created inbox forwarding rule after silent sign-in"
  alertDescriptionFormat: "User {{UserPrincipalName}} created inbox rule '{{Operation}}' within 2 hours of a silent non-interactive sign-in. Strong Business Email Compromise indicator."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
This query is designed to detect potential Business Email Compromise (BEC) incidents by identifying when a user's email forwarding or redirect rule is created or modified shortly after a non-interactive, or "silent," sign-in. Here's a simple breakdown of what the query does:
Purpose: The query aims to identify suspicious activity where an attacker might have gained access to a user's email account and set up forwarding rules to monitor and exfiltrate emails.
Data Sources: It uses data from Azure Active Directory (AAD) logs for non-interactive sign-ins and Office 365 activity logs for email rule changes.
Detection Logic: It first takes each user's most recent successful non-interactive sign-in from the last 3 hours. It then looks for inbox-rule or mailbox operations (New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox) whose parameters forward, redirect, or hide mail, joins the two sets on the user principal name, and alerts when the rule change happened after that sign-in and within 2 hours of it.
Severity: The alert generated by this query is considered high severity due to the potential for email exfiltration.
Output: If such activity is detected, it provides details like the time the rule was created, the user's email, the operation performed, and the IP addresses involved.
Alerting: An alert is generated with a specific format, and incidents are created for further investigation. The incidents can be grouped by user account to manage related alerts efficiently.
Overall, this query helps security teams quickly identify and respond to potential email account takeovers, which are a common tactic in cyber attacks.
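To make the join and time-window logic concrete, the following is an added Python example, not part of the Sentinel rule above, that reproduces the query's correlation over a handful of constructed sign-in and OfficeActivity rows. It assumes the column names used by the rule (TimeGenerated, ResultType, UserPrincipalName, IPAddress, UserId, Operation, Parameters) and includes the edge cases the rule must reject: a rule change before the sign-in, one more than 2 hours after it, one with no forwarding parameter, and a UPN whose case differs between the two tables.

```python
from datetime import datetime, timedelta
SIGNINS = [  # constructed rows modelled on AADNonInteractiveUserSignInLogs; not real logs
    {"TimeGenerated": datetime(2026, 5, 29, 8, 0), "ResultType": 0,
     "UserPrincipalName": "Alice.Smith@contoso.com", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": datetime(2026, 5, 29, 8, 30), "ResultType": 50126,  # failed sign-in
     "UserPrincipalName": "bob@contoso.com", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": datetime(2026, 5, 29, 9, 0), "ResultType": 0,
     "UserPrincipalName": "bob@contoso.com", "IPAddress": "198.51.100.7"},
]
ACTIVITY = [  # constructed rows modelled on OfficeActivity; only the first row should alert
    {"TimeGenerated": datetime(2026, 5, 29, 8, 45), "Operation": "New-InboxRule",  # 45 min after sign-in
     "UserId": "alice.smith@contoso.com", "ClientIP": "203.0.113.10",
     "Parameters": '[{"Name":"ForwardTo","Value":"ext@example.net"}]'},
    {"TimeGenerated": datetime(2026, 5, 29, 8, 50), "Operation": "Set-InboxRule",  # before the sign-in
     "UserId": "bob@contoso.com", "ClientIP": "198.51.100.7",
     "Parameters": '[{"Name":"RedirectTo","Value":"ext@example.net"}]'},
    {"TimeGenerated": datetime(2026, 5, 29, 9, 30), "Operation": "Set-InboxRule",  # no forwarding parameter
     "UserId": "bob@contoso.com", "ClientIP": "198.51.100.7",
     "Parameters": '[{"Name":"Name","Value":"Sort newsletters"}]'},
    {"TimeGenerated": datetime(2026, 5, 29, 11, 30), "Operation": "UpdateInboxRules",  # more than 2h after
     "UserId": "bob@contoso.com", "ClientIP": "198.51.100.7",
     "Parameters": '[{"Name":"ForwardTo","Value":"ext@example.net"}]'},
]
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}
SUSPECT_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "DeleteMessage", "MarkAsRead")
WINDOW = timedelta(hours=2)

def last_silent_signin(signins):
    """SilentAuthUsers subquery: last successful non-interactive sign-in and its IPs per lowercased UPN."""
    last = {}
    for s in (r for r in signins if r["ResultType"] == 0):
        e = last.setdefault(s["UserPrincipalName"].lower(), {"LastNI": s["TimeGenerated"], "NI_IPs": set()})
        e["LastNI"] = max(e["LastNI"], s["TimeGenerated"])
        e["NI_IPs"].add(s["IPAddress"])
    return last

def detect_bec_rules(signins, activity, window=WINDOW):
    """Rule changes carrying forwarding/hiding parameters made 0-2h after the user's last silent sign-in."""
    silent, hits = last_silent_signin(signins), []
    for a in activity:
        if a["Operation"] not in RULE_OPS or not any(p in a["Parameters"] for p in SUSPECT_PARAMS):
            continue
        auth = silent.get(a["UserId"].lower())  # lowercase both sides: KQL join keys and == are case-sensitive
        if auth is None:
            continue
        delta = a["TimeGenerated"] - auth["LastNI"]
        if timedelta(0) < delta < window:  # strictly after the sign-in and inside the 2h window
            hits.append({"RuleCreationTime": a["TimeGenerated"], "UserPrincipalName": a["UserId"].lower(),
                         "Operation": a["Operation"], "NI_IPs": auth["NI_IPs"], "TimeSinceNISignIn": delta})
    return sorted(hits, key=lambda h: h["RuleCreationTime"], reverse=True)
```

Running `detect_bec_rules(SIGNINS, ACTIVITY)` returns only Alice's New-InboxRule row, 45 minutes after her silent sign-in, even though her UPN is mixed-case in the sign-in log.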

David Alonso
Released: May 29, 2026