Query Details

ADFS Auth Followed by Email Forwarding Rule - BEC Indicator

17 ADFS Auth Email Forwarding BEC

Query

let ADFSAuthUsers =
    ADFSSignInLogs
    | where TimeGenerated > ago(3h)
    | where ResultType == 0
    | summarize
        LastADFS = max(TimeGenerated),
        ADFS_IPs = make_set(IPAddress)
      by UserPrincipalName;
OfficeActivity
| where TimeGenerated > ago(3h)
| where Operation in (
    "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"
  )
| where Parameters has_any (
    "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
    "DeleteMessage", "MarkAsRead"
  )
| extend UPN = tolower(UserId)
| join kind=inner ADFSAuthUsers on $left.UPN == $right.UserPrincipalName
| where TimeGenerated > LastADFS
   and  (TimeGenerated - LastADFS) < 2h
| project
    RuleCreationTime  = TimeGenerated,
    UserPrincipalName = UPN,
    Operation,
    Parameters,
    ADFS_IPs,
    LastADFSSignIn    = LastADFS,
    TimeSinceADFS     = (TimeGenerated - LastADFS),
    ClientIP
| order by RuleCreationTime desc

Explanation

This query is designed to detect potential Business Email Compromise (BEC) incidents by identifying a specific sequence of activities. Here's a simplified explanation:

  1. Objective: The query aims to find instances where a user logs in through Active Directory Federation Services (ADFS) and then creates or modifies an email forwarding rule in Exchange Online within a 2-hour window. This pattern is suspicious because it can indicate that an attacker has gained access to a user's account and is setting up forwarding rules to exfiltrate emails or maintain access.

  2. Data Sources:

    • It uses logs from Azure Active Directory (specifically ADFS sign-in logs) and Office 365 (focusing on email activity).
  3. Detection Logic:

    • The query first identifies users who have successfully logged in via ADFS in the past 3 hours.
    • It then checks for any email rule operations (like creating or modifying forwarding rules) performed by these users within 2 hours after their ADFS login.
    • The operations of interest include actions like forwarding emails to another address, redirecting emails, or marking emails as read.
  4. Alerting:

    • If such a sequence is detected, an alert is generated with high severity, indicating a strong possibility of a BEC incident.
    • The alert includes details like the time the rule was created, the user's email address, the operation performed, and the IP addresses used during the ADFS login.
  5. Incident Management:

    • The system is configured to create an incident for each alert and group related alerts by user account to help with investigation and response.

Overall, this query helps security teams quickly identify and respond to potential email account compromises by monitoring for suspicious activity patterns.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogsOfficeActivity

Keywords

ADFSADFSSignInLogsAzureActiveDirectoryOffice365OfficeActivityUserPrincipalNameUserIdIPAddressOperationParametersClientIPAccountIP

Operators

letwhereagosummarizemaxmake_setbyinhas_anyextendtolowerjoinonprojectorder bydesc

Severity

High

Tactics

CollectionExfiltrationPersistence

MITRE Techniques

Frequency: 1h

Period: 3h

Actions

GitHub