Query Details

HUNT 09 ADFS Auth To Mailbox Rule BEC 14d

Query

id: a1f00009-0009-4009-9009-adfs00000009
name: HUNT-09 ADFS Auth to Mailbox Rule Correlation - BEC (14d)
description: |
  Joins ADFS sign-ins with Office 365 Exchange mailbox rule creation events
  (within 6 hours of the same user). Reveals BEC patterns where a federated
  identity is compromised and an inbox forwarding / autoresponder rule is
  created from that session.
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
  - connectorId: Office365
    dataTypes:
      - OfficeActivity
tactics:
  - Collection
  - Exfiltration
relevantTechniques:
  - T1114.003
  - T1098.002
query: |
  let RuleOps = dynamic([
      "New-InboxRule", "Set-InboxRule", "New-TransportRule",
      "Set-TransportRule", "Set-Mailbox"
  ]);
  let Auths = ADFSSignInLogs
    | invoke ExcludeAllowlistedIPs()
    | where TimeGenerated > ago(14d)
    | where ResultType == 0
    | project AuthTime = TimeGenerated, UserPrincipalName, AuthIP = IPAddress, AuthCountry = Location;
  OfficeActivity
  | where TimeGenerated > ago(14d)
  | where OfficeWorkload =~ "Exchange"
  | where Operation in (RuleOps)
  | extend Actor = tolower(coalesce(UserId, Caller))
  | join kind=inner (Auths | extend UPN = tolower(UserPrincipalName)) on $left.Actor == $right.UPN
  | where TimeGenerated between (AuthTime .. AuthTime + 6h)
  | project
      TimeGenerated, Actor, Operation, ClientIP, Parameters,
      AuthTime, AuthIP, AuthCountry
  | order by TimeGenerated desc

Explanation

This query is designed to detect potential Business Email Compromise (BEC) incidents by correlating authentication events with mailbox rule creation activities. Here's a simplified summary:

  1. Purpose: The query identifies cases where a user's federated identity might be compromised. It does this by checking if a user logs in via Active Directory Federation Services (ADFS) and subsequently creates or modifies mailbox rules in Office 365 Exchange within a 6-hour window.

  2. Data Sources:

    • ADFS Sign-In Logs: To track user authentication events.
    • Office 365 Activity Logs: To monitor actions related to mailbox rule operations.

  3. Operations Monitored: The query looks for specific operations such as creating or modifying inbox rules and transport rules, which are often used in BEC scenarios to forward emails or set up auto-responders.

  4. Process:

    • It first filters ADFS sign-in logs to exclude any IPs that are on an allowlist and considers only successful logins from the past 14 days.
    • It then checks Office 365 activity logs for any mailbox rule operations within the same 14-day period.
    • The query joins these two datasets on the user identity (lower-cased on both sides) and checks if the mailbox rule operations occurred within 6 hours of the ADFS login.
    • Finally, it outputs relevant details such as the time of the operation, user identity, type of operation, and IP information.

  5. Outcome: The result is a list of suspicious activities that might indicate a compromised account being used to set up unauthorized email rules, which is a common tactic in BEC attacks. The severity of these findings is considered high due to the potential impact of such compromises.
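As an added illustration, not part of the original query or its author's code, the same correlation logic is written in Python over constructed sample rows so the allowlist filter, the lower-cased UPN join and the inclusive 6-hour window can be checked offline. ALLOWLISTED_IPS stands in for the page's ExcludeAllowlistedIPs() function, whose body is not on the page; all timestamps, users and IPs are constructed.

```python
from datetime import datetime, timedelta

# Stand-ins for the query's inputs (every value below is constructed for this example).
ALLOWLISTED_IPS = {"198.51.100.10"}             # rows ExcludeAllowlistedIPs() would drop
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "New-TransportRule",
            "Set-TransportRule", "Set-Mailbox"}
WINDOW = timedelta(hours=6)
T = datetime.fromisoformat

def signin(t, upn, result, ip, loc):            # ADFSSignInLogs-shaped row
    return {"TimeGenerated": T(t), "UserPrincipalName": upn, "ResultType": result,
            "IPAddress": ip, "Location": loc}

def activity(t, op, user, ip, params, workload="Exchange"):   # OfficeActivity-shaped row
    return {"TimeGenerated": T(t), "OfficeWorkload": workload, "Operation": op,
            "UserId": user, "Caller": None, "ClientIP": ip, "Parameters": params}

ADFS_SIGNINS = [
    signin("2026-05-01T08:00", "Alice@Contoso.com", 0, "203.0.113.5", "NG"),     # mixed-case UPN
    signin("2026-05-01T09:00", "bob@contoso.com", 0, "198.51.100.10", "US"),     # allowlisted IP
    signin("2026-05-01T10:00", "carol@contoso.com", 50126, "203.0.113.9", "RU"), # failed sign-in
]
OFFICE_ACTIVITY = [
    activity("2026-05-01T09:30", "New-InboxRule", "alice@contoso.com", "203.0.113.5", "ForwardTo=x@example.net"),
    activity("2026-05-01T15:00", "Set-InboxRule", "alice@contoso.com", "203.0.113.5", ""),  # >6h after auth
    activity("2026-05-01T09:45", "New-InboxRule", "bob@contoso.com", "198.51.100.10", ""),  # auth was allowlisted
    activity("2026-05-01T11:00", "Set-Mailbox", "carol@contoso.com", "203.0.113.9", ""),    # auth failed
    activity("2026-05-01T09:35", "MailItemsAccessed", "alice@contoso.com", "203.0.113.5", ""),  # not a rule op
]

def correlate(signins, events, now, lookback=timedelta(days=14)):
    cutoff = now - lookback
    auths = [s for s in signins if s["IPAddress"] not in ALLOWLISTED_IPS
             and s["TimeGenerated"] > cutoff and s["ResultType"] == 0]
    hits = []
    for ev in events:
        if (ev["TimeGenerated"] <= cutoff or ev["OfficeWorkload"].lower() != "exchange"
                or ev["Operation"] not in RULE_OPS):
            continue
        actor = (ev["UserId"] or ev["Caller"] or "").lower()      # coalesce(UserId, Caller)
        for a in auths:
            if a["UserPrincipalName"].lower() != actor:            # tolower() on both join keys
                continue
            if a["TimeGenerated"] <= ev["TimeGenerated"] <= a["TimeGenerated"] + WINDOW:  # between is inclusive
                hits.append({"TimeGenerated": ev["TimeGenerated"], "Actor": actor,
                             "Operation": ev["Operation"], "ClientIP": ev["ClientIP"],
                             "Parameters": ev["Parameters"], "AuthTime": a["TimeGenerated"],
                             "AuthIP": a["IPAddress"], "AuthCountry": a["Location"]})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)
```

Only the first Office row survives: the others fail the window, the allowlist, the success filter or the operation list, which is the set of conditions to verify when tuning the real query.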

Details


David Alonso

Released: May 13, 2026

Tables

ADFSSignInLogs, OfficeActivity

Keywords

ADFS, Office, Exchange, Mailbox, User, Identity, Session, Rule, IPAddress, Location, Actor, Client, Parameters, Time, Auth, Country

Operators

let, dynamic, invoke, ExcludeAllowlistedIPs, ago, where, project, extend, tolower, coalesce, join, on, between, order by
