HUNT-09 ADFS Auth to Mailbox Rule Correlation - BEC (14d)
HUNT 09 ADFS Auth To Mailbox Rule BEC 14d
Query
let RuleOps = dynamic([
"New-InboxRule", "Set-InboxRule", "New-TransportRule",
"Set-TransportRule", "Set-Mailbox"
]);
let Auths = ADFSSignInLogs
| invoke ExcludeAllowlistedIPs()
| where TimeGenerated > ago(14d)
| where ResultType == 0
| project AuthTime = TimeGenerated, UserPrincipalName, AuthIP = IPAddress, AuthCountry = Location;
OfficeActivity
| where TimeGenerated > ago(14d)
| where OfficeWorkload =~ "Exchange"
| where Operation in (RuleOps)
| extend Actor = tolower(coalesce(UserId, Caller))
| join kind=inner (Auths | extend UPN = tolower(UserPrincipalName)) on $left.Actor == $right.UPN
| where TimeGenerated between (AuthTime .. AuthTime + 6h)
| project
TimeGenerated, Actor, Operation, ClientIP, Parameters,
AuthTime, AuthIP, AuthCountry
| order by TimeGenerated descExplanation
This query is designed to detect potential Business Email Compromise (BEC) incidents by correlating authentication events with mailbox rule creation activities. Here's a simplified summary:
-
Purpose: The query identifies cases where a user's federated identity might be compromised. It does this by checking if a user logs in via Active Directory Federation Services (ADFS) and subsequently creates or modifies mailbox rules in Office 365 Exchange within a 6-hour window.
-
Data Sources:
- ADFS Sign-In Logs: To track user authentication events.
- Office 365 Activity Logs: To monitor actions related to mailbox rule operations.
-
Operations Monitored: The query looks for specific operations such as creating or modifying inbox rules and transport rules, which are often used in BEC scenarios to forward emails or set up auto-responders.
-
Process:
- It first filters ADFS sign-in logs to exclude any IPs that are on an allowlist and considers only successful logins from the past 14 days.
- It then checks Office 365 activity logs for any mailbox rule operations within the same 14-day period.
- The query joins these two datasets on the user identity and checks if the mailbox rule operations occurred within 6 hours of the ADFS login.
- Finally, it outputs relevant details such as the time of the operation, user identity, type of operation, and IP information.
-
Outcome: The result is a list of suspicious activities that might indicate a compromised account being used to set up unauthorized email rules, which is a common tactic in BEC attacks. The severity of these findings is considered high due to the potential impact of such compromises.
Details

David Alonso
Released: May 13, 2026
Tables
Keywords
Operators
Severity
HighTactics