Query Details

Account Takeover - Email Forwarding Rule Created After Silent Auth

11 Account Takeover Email Forwarding

Query

let SilentAuthUsers =
    AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(3h)
    | where ResultType == 0
    | summarize LastNI = max(TimeGenerated), NI_IPs = make_set(IPAddress)
      by UserPrincipalName;
OfficeActivity
| where TimeGenerated > ago(3h)
| where Operation in (
    "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"
  )
| where Parameters has_any (
    "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
    "DeleteMessage", "MarkAsRead"
  )
| extend UPN = tolower(UserId)
| join kind=inner SilentAuthUsers on $left.UPN == $right.UserPrincipalName
| where TimeGenerated > LastNI
   and  (TimeGenerated - LastNI) < 2h
| project
    RuleCreationTime  = TimeGenerated,
    UserPrincipalName = UPN,
    Operation,
    Parameters,
    NI_IPs,
    LastNISignIn      = LastNI,
    TimeSinceNISignIn = (TimeGenerated - LastNI),
    ClientIP
| order by RuleCreationTime desc

Explanation

This query is designed to detect potential Business Email Compromise (BEC) incidents by identifying when a user's email forwarding or redirect rule is created or modified shortly after a non-interactive, or "silent," sign-in. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify suspicious activity where an attacker might have gained access to a user's email account and set up forwarding rules to monitor and exfiltrate emails.

  2. Data Sources: It uses data from Azure Active Directory (AAD) logs for non-interactive sign-ins and Office 365 activity logs for email rule changes.

  3. Detection Logic:

    • It first identifies users who have had a non-interactive sign-in within the last 3 hours.
    • It then looks for any email rule changes (like setting up forwarding or redirect rules) in the same time frame.
    • The query checks if these rule changes occurred within 2 hours after the silent sign-in.
  4. Severity: The alert generated by this query is considered high severity due to the potential for email exfiltration.

  5. Output: If such activity is detected, it provides details like the time the rule was created, the user's email, the operation performed, and the IP addresses involved.

  6. Alerting: An alert is generated with a specific format, and incidents are created for further investigation. The incidents can be grouped by user account to manage related alerts efficiently.

Overall, this query helps security teams quickly identify and respond to potential email account takeovers, which are a common tactic in cyber attacks.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogsOfficeActivity

Keywords

AccountEmailRuleUserSignInIPAddressTimeGeneratedOperationParametersClientIPUserPrincipalName

Operators

letwhereagosummarizemaxmake_setbyinhas_anyextendtolowerjoinonandprojectorder bydesc

Severity

High

Tactics

CollectionExfiltrationPersistence

MITRE Techniques

Frequency: 1h

Period: 3h

Actions

GitHub