MDO — Suspicious Inbox Rule After Phishing Click
MDO AR 04 Inbox Rule After Click
Query
let Clickers =
UrlClickEvents
| where Timestamp > ago(3h)
| where ThreatTypes has_any ("Phish", "Malware") or (isnotempty(IsClickedThrough) and IsClickedThrough != "0")
| summarize ClickTime = min(Timestamp) by AccountUpn
| where isnotempty(AccountUpn);
CloudAppEvents
| where Timestamp > ago(3h)
| where ActionType in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
| extend Rule = tostring(RawEventData.Parameters)
| where Rule has_any ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "DeleteMessage", "MarkAsRead", "MoveToFolder")
| extend Upn = tolower(AccountDisplayName)
| join kind=inner (Clickers | extend Upn = tolower(AccountUpn)) on Upn
| where Timestamp between (ClickTime .. ClickTime + 6h)
| project Timestamp, ReportId, AccountUpn, ClickTime, ActionType, Rule, IPAddressExplanation
This query is designed to detect potential Business Email Compromise (BEC) incidents by identifying suspicious behavior following a phishing attack. Here's a simple breakdown:
-
Purpose: The query looks for users who have clicked on a malicious link and then created or modified an email inbox rule that could indicate malicious intent, such as forwarding or deleting emails.
-
Data Sources: It uses data from two sources:
- UrlClickEvents: Tracks when users click on links, specifically looking for clicks on links identified as phishing or malware.
- CloudAppEvents: Monitors actions related to email inbox rules, such as creating or updating rules.
-
Time Frame: The query examines events within the last 3 hours and correlates them with inbox rule changes within 6 hours after the click.
-
Detection Logic:
- It first identifies users who clicked on a malicious link.
- Then, it checks if these users created or modified inbox rules that could hide or redirect emails.
- The query matches these two sets of data to find users who performed both actions within a short time frame.
-
Severity and Response: The severity of this alert is high, indicating a strong signal of potential account takeover. If such behavior is detected, an incident is created, and the alert suggests removing the rule and securing the account.
-
Alert Details: The alert provides details such as the type of inbox rule created, the user's account information, and the IP address from which the action was performed.
-
Incident Management: The query is configured to create incidents for detected cases, with options to group related alerts by account for easier management.
Overall, this query helps security teams quickly identify and respond to potential email account compromises following phishing attacks.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: PT3H