Query Details

HUNT-09 ADFS Auth to Mailbox Rule Correlation - BEC (14d)

HUNT 09 ADFS Auth To Mailbox Rule BEC 14d

Query

let RuleOps = dynamic([
    "New-InboxRule", "Set-InboxRule", "New-TransportRule",
    "Set-TransportRule", "Set-Mailbox"
]);
let Auths = ADFSSignInLogs
  | invoke ExcludeAllowlistedIPs()
  | where TimeGenerated > ago(14d)
  | where ResultType == 0
  | project AuthTime = TimeGenerated, UserPrincipalName, AuthIP = IPAddress, AuthCountry = Location;
OfficeActivity
| where TimeGenerated > ago(14d)
| where OfficeWorkload =~ "Exchange"
| where Operation in (RuleOps)
| extend Actor = tolower(coalesce(UserId, Caller))
| join kind=inner (Auths | extend UPN = tolower(UserPrincipalName)) on $left.Actor == $right.UPN
| where TimeGenerated between (AuthTime .. AuthTime + 6h)
| project
    TimeGenerated, Actor, Operation, ClientIP, Parameters,
    AuthTime, AuthIP, AuthCountry
| order by TimeGenerated desc

Explanation

This query is designed to detect potential Business Email Compromise (BEC) incidents by correlating authentication events with mailbox rule creation activities. Here's a simplified summary:

  1. Purpose: The query identifies cases where a user's federated identity might be compromised. It does this by checking if a user logs in via Active Directory Federation Services (ADFS) and subsequently creates or modifies mailbox rules in Office 365 Exchange within a 6-hour window.

  2. Data Sources:

    • ADFS Sign-In Logs: To track user authentication events.
    • Office 365 Activity Logs: To monitor actions related to mailbox rule operations.
  3. Operations Monitored: The query looks for specific operations such as creating or modifying inbox rules and transport rules, which are often used in BEC scenarios to forward emails or set up auto-responders.

  4. Process:

    • It first filters ADFS sign-in logs to exclude any IPs that are on an allowlist and considers only successful logins from the past 14 days.
    • It then checks Office 365 activity logs for any mailbox rule operations within the same 14-day period.
    • The query joins these two datasets on the user identity and checks if the mailbox rule operations occurred within 6 hours of the ADFS login.
    • Finally, it outputs relevant details such as the time of the operation, user identity, type of operation, and IP information.
  5. Outcome: The result is a list of suspicious activities that might indicate a compromised account being used to set up unauthorized email rules, which is a common tactic in BEC attacks. The severity of these findings is considered high due to the potential impact of such compromises.

Details

David Alonso profile picture

David Alonso

Released: May 13, 2026

Tables

ADFSSignInLogsOfficeActivity

Keywords

ADFSOfficeExchangeMailboxUserIdentitySessionRuleIPAddressLocationActorClientParametersTimeAuthCountry

Operators

letdynamicinvokeExcludeAllowlistedIPsagowhereprojectextendtolowercoalescejoinonbetweenorder by

Severity

High

Tactics

CollectionExfiltration

MITRE Techniques

Actions

GitHub