ADFS Auth Followed by Email Forwarding Rule - BEC Indicator
17 ADFS Auth Email Forwarding BEC
Query
let ADFSAuthUsers =
ADFSSignInLogs
| where TimeGenerated > ago(3h)
| where ResultType == 0
| summarize
LastADFS = max(TimeGenerated),
ADFS_IPs = make_set(IPAddress)
by UserPrincipalName;
OfficeActivity
| where TimeGenerated > ago(3h)
| where Operation in (
"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"
)
| where Parameters has_any (
"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
"DeleteMessage", "MarkAsRead"
)
| extend UPN = tolower(UserId)
| join kind=inner ADFSAuthUsers on $left.UPN == $right.UserPrincipalName
| where TimeGenerated > LastADFS
and (TimeGenerated - LastADFS) < 2h
| project
RuleCreationTime = TimeGenerated,
UserPrincipalName = UPN,
Operation,
Parameters,
ADFS_IPs,
LastADFSSignIn = LastADFS,
TimeSinceADFS = (TimeGenerated - LastADFS),
ClientIP
| order by RuleCreationTime descExplanation
This query is designed to detect potential Business Email Compromise (BEC) incidents by identifying a specific sequence of activities. Here's a simplified explanation:
-
Objective: The query aims to find instances where a user logs in through Active Directory Federation Services (ADFS) and then creates or modifies an email forwarding rule in Exchange Online within a 2-hour window. This pattern is suspicious because it can indicate that an attacker has gained access to a user's account and is setting up forwarding rules to exfiltrate emails or maintain access.
-
Data Sources:
- It uses logs from Azure Active Directory (specifically ADFS sign-in logs) and Office 365 (focusing on email activity).
-
Detection Logic:
- The query first identifies users who have successfully logged in via ADFS in the past 3 hours.
- It then checks for any email rule operations (like creating or modifying forwarding rules) performed by these users within 2 hours after their ADFS login.
- The operations of interest include actions like forwarding emails to another address, redirecting emails, or marking emails as read.
-
Alerting:
- If such a sequence is detected, an alert is generated with high severity, indicating a strong possibility of a BEC incident.
- The alert includes details like the time the rule was created, the user's email address, the operation performed, and the IP addresses used during the ADFS login.
-
Incident Management:
- The system is configured to create an incident for each alert and group related alerts by user account to help with investigation and response.
Overall, this query helps security teams quickly identify and respond to potential email account compromises by monitoring for suspicious activity patterns.
Details

David Alonso
Released: March 24, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 3h