Query Details
// Hunt : M365 - Multiple Mailboxes Forwarding to Same External Address (BEC Campaign Map) (30d)
// Purpose : Identify all external forwarding destinations that appear in more than one
//           mailbox's forwarding rules over 30 days. Maps the full BEC campaign
//           infrastructure — reveals how many accounts have been compromised and
//           which external collection addresses the attacker controls.
// Tables : OfficeActivity
// Period : P30D
//==========================================================================================
let LookbackDays = 30d;
OfficeActivity
| where TimeGenerated > ago(LookbackDays)
| where RecordType == "ExchangeAdmin"
// Cmdlets that can create or change a forward: inbox rules, transport rules, mailbox-level forwarding.
| where Operation in (
    "New-InboxRule", "Set-InboxRule",
    "New-TransportRule", "Set-TransportRule",
    "Set-Mailbox", "Set-MailboxAutoReplyConfiguration")
| extend Params = tostring(Parameters)
// Capture the first e-mail address that follows a forwarding parameter name. The lazy .*? skips
// the "smtp:" prefix that ForwardingSmtpAddress values carry. (The original second extract() in a
// coalesce() used a subset of the same parameter names and could never add a match, so it is dropped.)
| extend ForwardingDest = extract(@"(ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeliverToMailboxAndForward|ForwardingAddress|ForwardingSmtpAddress).*?([a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})", 2, Params)
| where isnotempty(ForwardingDest)
| extend
    ForwardDomain = tostring(split(ForwardingDest, "@")[1]),
    // Only onmicrosoft.com counts as internal here; forwards to the tenant's custom accepted domains
    // are treated as external until those domains are added to this check.
    IsExternal = not(ForwardingDest has "onmicrosoft.com")
| where IsExternal
// UserId on ExchangeAdmin records is the account that ran the cmdlet, so SourceMailboxes and
// SettingActors carry the same values; for admin-set forwarding the target mailbox is in the
// Identity / Mailbox parameter rather than in UserId.
| summarize
    SourceMailboxCount = dcount(UserId),
    SourceMailboxes = make_set(UserId, 30),
    Operations = make_set(Operation, 5),
    SettingActors = make_set(UserId, 10),
    ClientIPs = make_set(ClientIP, 10),
    FirstRuleSeen = min(TimeGenerated),
    LastRuleSeen = max(TimeGenerated)
    by ForwardingDest, ForwardDomain
| sort by SourceMailboxCount desc
| extend CampaignIndicator = case(
    SourceMailboxCount >= 5, "Likely BEC Campaign",
    SourceMailboxCount >= 2, "Suspicious - Review",
    "Single Occurrence")
| project
    ForwardingDest,
    ForwardDomain,
    SourceMailboxCount,
    SourceMailboxes,
    Operations,
    ClientIPs,
    CampaignIndicator,
    FirstRuleSeen,
    LastRuleSeen
This query is designed to detect potential Business Email Compromise (BEC) campaigns by identifying external email addresses that are set as forwarding destinations in multiple mailboxes within a 30-day period. Here's a simplified breakdown of what the query does:
Data Source: It examines the OfficeActivity table, focusing on activities related to email forwarding rules.
Time Frame: The query looks at activities from the last 30 days.
Activity Filtering: It filters for specific operations related to email forwarding and mailbox settings, such as creating or modifying inbox rules and transport rules.
Extracting Forwarding Addresses: It extracts forwarding email addresses from the parameters of these operations.
External Address Check: It treats a forwarding address as external when it is not on an onmicrosoft.com domain. Note that this check does not exclude the tenant's custom accepted domains, so forwards between internal users on those domains are also reported until the check is extended.
Summarization: For each external forwarding address, it counts how many different mailboxes are forwarding to it, lists the mailboxes, operations performed, users who set the rules, and client IPs involved. It also notes the first and last time the forwarding rule was seen.
Campaign Indicator: It categorizes the findings based on the number of mailboxes forwarding to the same address: 5 or more mailboxes is labelled "Likely BEC Campaign", 2 to 4 is "Suspicious - Review", and a single mailbox is "Single Occurrence".
Output: The query outputs details such as the forwarding destination, domain, number of source mailboxes, involved operations, client IPs, campaign indicator, and the time range of the rules.
This helps in identifying and assessing potential security threats related to email forwarding, which could indicate compromised accounts or malicious activities.
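As an added illustration, not part of the published query, the same extraction, external check and per-destination aggregation in Python over constructed OfficeActivity-style records. All sample values, the contoso.com domains and the INTERNAL_DOMAINS set are assumptions; the set shows how to extend the query's onmicrosoft.com-only check to a tenant's custom accepted domains.

```python
import re
from collections import defaultdict
# Constructed OfficeActivity-style ExchangeAdmin rows (sample data, not real tenant logs):
# (TimeGenerated, Operation, UserId, ClientIP, Parameters as logged for the cmdlet).
SAMPLE_RECORDS = [
    ("2026-03-02T08:10:00Z", "New-InboxRule", "alice@contoso.com", "203.0.113.10",
     '[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@mail-example.net"}]'),
    ("2026-03-03T09:00:00Z", "Set-Mailbox", "bob@contoso.com", "203.0.113.10",
     '[{"Name":"DeliverToMailboxAndForward","Value":"True"},{"Name":"ForwardingSmtpAddress","Value":"smtp:drop@mail-example.net"}]'),
    ("2026-03-05T17:45:00Z", "New-InboxRule", "carol@contoso.com", "198.51.100.7",
     '[{"Name":"RedirectTo","Value":"drop@mail-example.net"}]'),
    # Forward to the tenant's own custom domain: internal, must stay out of the campaign map.
    ("2026-03-06T10:00:00Z", "Set-InboxRule", "dave@contoso.com", "198.51.100.8",
     '[{"Name":"ForwardTo","Value":"team-shared@contoso.com"}]'),
    # Admin change with no forwarding parameter: extraction yields nothing.
    ("2026-03-07T11:00:00Z", "Set-Mailbox", "admin@contoso.com", "198.51.100.9",
     '[{"Name":"Identity","Value":"erin"},{"Name":"ProhibitSendQuota","Value":"40GB"}]'),
]
# Same parameter alternation and address pattern as the query's extract().
FORWARD_RE = re.compile(r"(ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeliverToMailboxAndForward|ForwardingAddress|ForwardingSmtpAddress)"
                        r".*?([a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})")
# Assumption: the tenant's accepted domains. The query excludes only onmicrosoft.com, which would count dave's forward as external.
INTERNAL_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

def extract_forwarding_dest(params):
    m = FORWARD_RE.search(params)
    return m.group(2).lower() if m else None

def is_external(dest, internal_domains=INTERNAL_DOMAINS):
    return dest.rsplit("@", 1)[1] not in internal_domains

def campaign_indicator(n):  # thresholds taken from the query's case()
    return "Likely BEC Campaign" if n >= 5 else "Suspicious - Review" if n >= 2 else "Single Occurrence"

def map_campaign(records, internal_domains=INTERNAL_DOMAINS):
    # Mirror the summarize step: one row per external destination, aggregated across mailboxes.
    rows = defaultdict(lambda: {"SourceMailboxes": set(), "Operations": set(), "ClientIPs": set(), "Times": []})
    for ts, op, user, ip, params in records:
        dest = extract_forwarding_dest(params)
        if dest and is_external(dest, internal_domains):
            row = rows[dest]
            row["SourceMailboxes"].add(user); row["Operations"].add(op); row["ClientIPs"].add(ip)
            row["Times"].append(ts)  # ISO-8601 UTC strings compare correctly as text
    for dest, row in rows.items():
        times = row.pop("Times")
        row.update(ForwardDomain=dest.rsplit("@", 1)[1], SourceMailboxCount=len(row["SourceMailboxes"]),
                   FirstRuleSeen=min(times), LastRuleSeen=max(times))
        row["CampaignIndicator"] = campaign_indicator(row["SourceMailboxCount"])
    return dict(sorted(rows.items(), key=lambda kv: -kv[1]["SourceMailboxCount"]))
```

With the sample rows, three mailboxes converge on drop@mail-example.net, which lands in the "Suspicious - Review" band; the internal forward and the quota change are dropped before aggregation.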

David Alonso
Released: March 18, 2026