Account Takeover - Email Forwarding Rule Created After Silent Auth
11 Account Takeover Email Forwarding
Query
let SilentAuthUsers =
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(3h)
| where ResultType == 0
| summarize LastNI = max(TimeGenerated), NI_IPs = make_set(IPAddress)
by UserPrincipalName;
OfficeActivity
| where TimeGenerated > ago(3h)
| where Operation in (
"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"
)
| where Parameters has_any (
"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
"DeleteMessage", "MarkAsRead"
)
| extend UPN = tolower(UserId)
| join kind=inner SilentAuthUsers on $left.UPN == $right.UserPrincipalName
| where TimeGenerated > LastNI
and (TimeGenerated - LastNI) < 2h
| project
RuleCreationTime = TimeGenerated,
UserPrincipalName = UPN,
Operation,
Parameters,
NI_IPs,
LastNISignIn = LastNI,
TimeSinceNISignIn = (TimeGenerated - LastNI),
ClientIP
| order by RuleCreationTime descExplanation
This query is designed to detect potential Business Email Compromise (BEC) incidents by identifying when a user's email forwarding or redirect rule is created or modified shortly after a non-interactive, or "silent," sign-in. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to identify suspicious activity where an attacker might have gained access to a user's email account and set up forwarding rules to monitor and exfiltrate emails.
-
Data Sources: It uses data from Azure Active Directory (AAD) logs for non-interactive sign-ins and Office 365 activity logs for email rule changes.
-
Detection Logic:
- It first identifies users who have had a non-interactive sign-in within the last 3 hours.
- It then looks for any email rule changes (like setting up forwarding or redirect rules) in the same time frame.
- The query checks if these rule changes occurred within 2 hours after the silent sign-in.
-
Severity: The alert generated by this query is considered high severity due to the potential for email exfiltration.
-
Output: If such activity is detected, it provides details like the time the rule was created, the user's email, the operation performed, and the IP addresses involved.
-
Alerting: An alert is generated with a specific format, and incidents are created for further investigation. The incidents can be grouped by user account to manage related alerts efficiently.
Overall, this query helps security teams quickly identify and respond to potential email account takeovers, which are a common tactic in cyber attacks.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 3h