Query Details

MDO — BEC Display-Name Impersonation of Executive

MDO AR 02 BEC Display Name Impersonation

Query

let Execs = dynamic(["CEO Name","CFO Name","Managing Director"]);
let CorpDomains = dynamic(["contoso.com","contoso.es"]);
EmailEvents
| where Timestamp > ago(1h)
| where EmailDirection == "Inbound"
| where SenderDisplayName has_any (Execs)
| where not(SenderFromDomain in~ (CorpDomains))
| project Timestamp, ReportId, SenderDisplayName, SenderFromAddress, SenderFromDomain,
          RecipientEmailAddress, Subject, DeliveryAction, NetworkMessageId

Explanation

This query is designed to detect potential Business Email Compromise (BEC) attacks, specifically those that involve impersonating an executive's display name in emails. Here's a simplified breakdown:

  1. Purpose: The query identifies inbound emails that appear to come from an executive (like a CEO or CFO) but are actually sent from a non-corporate domain. This is a common tactic in CEO fraud or BEC scams.

  2. Customization: Before using the query, you need to customize two lists:

    • Execs: A list of executive names that might be impersonated.
    • CorpDomains: A list of legitimate corporate domains.
  3. Data Source: The query uses data from EmailEvents provided by Microsoft Threat Protection.

  4. Query Logic:

    • It checks emails received in the last hour.
    • It filters for inbound emails where the sender's display name matches any name in the Execs list.
    • It ensures the sender's domain is not in the CorpDomains list, indicating the email is from an external, potentially malicious source.
  5. Output: The query projects relevant details like the timestamp, sender's display name and domain, recipient's email, and the email's subject.

  6. Alerting:

    • If the query finds any matches, it triggers an alert with a medium severity level.
    • The alert includes details such as the spoofed executive's name and the sender's domain.
    • The alert advises verifying the email through other means before taking any financial actions.
  7. Incident Management:

    • If an alert is triggered, an incident is created.
    • Incidents can be grouped based on the recipient's email address to manage related alerts together.

This query helps organizations detect and respond to phishing attempts that impersonate executives, potentially preventing financial fraud or data breaches.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

EmailEvents

Keywords

EmailEventsAccountMailMessageNetworkIdSenderDisplayNameFromAddressDomainRecipientSubjectDeliveryActionTimestampReport

Operators

letdynamicagohas_anyin~project

Severity

Medium

Tactics

InitialAccess

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub