Query Details

RULE 21 M365 Exchange BEC Multi Mailbox Same Dest

Query

// Rule    : M365 - Exchange BEC Campaign: Multiple Mailboxes Forwarding to Same External Address
// Severity: Critical
// Tactics : Collection, Exfiltration
// MITRE   : T1114.003 (Email Forwarding Rule), T1078.004 (Valid Accounts: Cloud Accounts)
// Freq    : PT1H   Period: P1D
// Description: Detects when 3 or more distinct mailboxes have forwarding rules or mailbox
//              forwarding settings pointing to the same external email address within the
//              past 24 hours. One collection address fed by several accounts is a strong
//              indicator of a coordinated BEC campaign in which an attacker progressively
//              compromises accounts and adds forwarding to a single address they control.
// Note    : Grouping is by the exact destination address; the destination domain is reported
//           but is not a grouping key. Because the rule runs hourly over a one-day period, the
//           same campaign re-alerts every hour until it ages out of the lookback.
//==========================================================================================

let LookbackPeriod      = 1d;
let MailboxThreshold    = 3;     // minimum distinct source mailboxes sharing the same destination
// Tenant-owned mail domains that must not count as external. Empty placeholder: add the tenant's
// accepted domains here, otherwise forwarding to a vanity domain is treated as external.
let InternalDomains     = dynamic([]);

// Collect all new/modified forwarding rules and mailbox forwarding settings
let ForwardingRules = OfficeActivity
    | where TimeGenerated > ago(LookbackPeriod)
    | where RecordType == "ExchangeAdmin"
    | where Operation in (
        "New-InboxRule", "Set-InboxRule",
        "New-TransportRule", "Set-TransportRule",
        "Set-Mailbox", "Set-MailboxAutoReplyConfiguration")
    // Parameters is a dynamic array of {Name, Value} objects; flatten it so one regex can scan it
    | extend Params = tostring(Parameters)
    // Capture the first SMTP address that follows any forwarding-related parameter name
    // (handles "smtp:user@domain" values too, since the prefix is skipped by the lazy .*?).
    // Lower-cased so the same destination written in different cases groups together.
    | extend ForwardingDest = tolower(extract(
            @"(ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeliverToMailboxAndForward|ForwardingAddress|ForwardingSmtpAddress).*?([a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})",
            2, Params))
    | where isnotempty(ForwardingDest)
    | extend ForwardDomain = tostring(split(ForwardingDest, "@")[1])
    // External = not the tenant's *.onmicrosoft.com routing domain and not a listed tenant domain
    | extend IsExternal = not(ForwardDomain endswith "onmicrosoft.com" or ForwardDomain in~ (InternalDomains))
    | where IsExternal;

// Group by destination: one external address receiving forwards from multiple source mailboxes
ForwardingRules
| summarize
    SourceMailboxCount  = dcount(UserId),
    SourceMailboxes     = make_set(UserId, 20),
    Operations          = make_set(Operation, 10),
    ForwardDomain       = take_any(ForwardDomain),
    ClientIPs           = make_set(ClientIP, 10),
    FirstSeen           = min(TimeGenerated),
    LastSeen            = max(TimeGenerated)
    by ForwardingDest
| where SourceMailboxCount >= MailboxThreshold
| extend AlertSeverity = case(
    SourceMailboxCount >= 10, "Critical",
    SourceMailboxCount >= 5,  "High",
    "Medium")
| project
    TimeGenerated      = LastSeen,
    ForwardingDest,
    ForwardDomain,
    SourceMailboxCount,
    SourceMailboxes,
    Operations,
    ClientIPs,
    FirstSeen,
    AlertSeverity

Explanation

This query detects potential Business Email Compromise (BEC) campaigns in Microsoft 365 Exchange by looking for several mailboxes that forward to one external address. In outline:

  1. Purpose: Find cases where three or more distinct mailboxes have been configured, within the last 24 hours, to forward mail to the same external email address. A single collection address fed by several accounts suggests a coordinated attack in which an attacker compromises accounts one after another and adds forwarding so that all of their mail lands in one place.

  2. Data Collection:
    • It reads OfficeActivity records of type ExchangeAdmin from the past day.
    • It keeps the cmdlets that create or modify inbox rules, transport rules or mailbox settings, such as "New-InboxRule" or "Set-Mailbox". Only records whose parameters actually carry a forwarding address survive the next step, so a "Set-Mailbox" that changes an unrelated setting is dropped.

  3. Processing:
    • It serialises the Parameters array to a string and extracts the first SMTP address that follows a forwarding-related parameter name (ForwardTo, RedirectTo, ForwardingSmtpAddress and so on).
    • It treats the destination as external unless it belongs to the tenant. As written, the rule only recognises the tenant's *.onmicrosoft.com routing domain as internal; forwarding to a tenant vanity domain (the organisation's own mail domain) is counted as external unless those domains are added to the check.

  4. Analysis:
    • It groups the rows by the exact forwarding destination address (the destination domain is carried along for reporting but is not a grouping key) and counts the distinct source mailboxes per destination.
    • For each destination it also collects the operations used, the client IPs, and the first and last time a forward was set.

  5. Alerting:
    • Three or more mailboxes forwarding to the same external address is flagged.
    • The severity scales with the number of mailboxes involved:
      • "Critical" for 10 or more mailboxes,
      • "High" for 5 to 9 mailboxes,
      • "Medium" for 3 to 4 mailboxes.

  6. Output:
    • One row per destination with the address, its domain, the source mailbox count and list, the operations, the client IPs, the first-seen time and the severity; TimeGenerated is set to the last-seen time.

When triaging, start from ClientIPs and Operations: one client IP setting forwards on several accounts points to a single operator working through compromised credentials. Because the rule runs hourly over a one-day window, the same campaign re-alerts until it ages out of the lookback, so incident logic should deduplicate on ForwardingDest. The rule gives security teams an early signal of a multi-account compromise by highlighting a forwarding pattern that has few legitimate explanations.
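The same logic re-implemented in Python, as an added example that is not part of the rule page, so the extraction regex, the external check and the grouping can be exercised offline. The audit records, IPs and addresses below are constructed for the example, and "contoso.com" stands in for a tenant's accepted domain (an assumption the original rule does not make; it only excludes onmicrosoft.com).

```python
"""Offline re-implementation of the rule's logic, run against constructed audit records."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tenant-owned domain for this example; the original rule only excludes "onmicrosoft.com".
INTERNAL_DOMAINS = {"contoso.com"}
MAILBOX_THRESHOLD = 3
FORWARDING_OPS = {
    "New-InboxRule", "Set-InboxRule", "New-TransportRule", "Set-TransportRule",
    "Set-Mailbox", "Set-MailboxAutoReplyConfiguration",
}
# Same pattern as the KQL extract(): the first SMTP address after a forwarding-related parameter name
ADDRESS_RE = re.compile(
    r"(?:ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeliverToMailboxAndForward|"
    r"ForwardingAddress|ForwardingSmtpAddress).*?([a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})"
)


def extract_destination(parameters):
    """Mirror tostring(Parameters) + extract(): scan the serialised Name/Value array."""
    match = ADDRESS_RE.search(json.dumps(parameters))
    return match.group(1).lower() if match else None


def is_external(address):
    """Internal = the tenant's *.onmicrosoft.com routing domain or a listed accepted domain."""
    domain = address.split("@", 1)[1].lower()
    return not (domain.endswith("onmicrosoft.com") or domain in INTERNAL_DOMAINS)


def severity(mailbox_count):
    if mailbox_count >= 10:
        return "Critical"
    if mailbox_count >= 5:
        return "High"
    return "Medium"


def detect(events, now, lookback=timedelta(days=1), threshold=MAILBOX_THRESHOLD):
    """Group qualifying events by destination; alert when enough distinct mailboxes share one."""
    groups = defaultdict(lambda: {"users": set(), "ops": set(), "ips": set(), "times": []})
    for ev in events:
        ts = datetime.fromisoformat(ev["TimeGenerated"])
        if ts <= now - lookback:  # TimeGenerated > ago(LookbackPeriod)
            continue
        if ev["RecordType"] != "ExchangeAdmin" or ev["Operation"] not in FORWARDING_OPS:
            continue
        dest = extract_destination(ev["Parameters"])
        if dest is None or not is_external(dest):
            continue
        g = groups[dest]
        g["users"].add(ev["UserId"])
        g["ops"].add(ev["Operation"])
        g["ips"].add(ev["ClientIP"])
        g["times"].append(ts)
    alerts = []
    for dest, g in groups.items():
        count = len(g["users"])  # dcount(UserId): the same mailbox touched twice counts once
        if count < threshold:
            continue
        alerts.append({
            "ForwardingDest": dest,
            "ForwardDomain": dest.split("@", 1)[1],
            "SourceMailboxCount": count,
            "SourceMailboxes": sorted(g["users"]),
            "Operations": sorted(g["ops"]),
            "ClientIPs": sorted(g["ips"]),
            "FirstSeen": min(g["times"]).isoformat(),
            "LastSeen": max(g["times"]).isoformat(),
            "AlertSeverity": severity(count),
        })
    return alerts


def _event(ts, user, op, params, ip):
    return {"TimeGenerated": ts, "RecordType": "ExchangeAdmin", "UserId": user,
            "Operation": op, "Parameters": params, "ClientIP": ip}


NOW = datetime(2026, 3, 18, 12, 0, 0)
# Constructed OfficeActivity-style records (not real audit data), in the Name/Value shape of Parameters.
SAMPLE_EVENTS = [
    _event("2026-03-18T09:00:00", "alice@contoso.com", "New-InboxRule",
           [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector@mail.example.net"}], "203.0.113.10"),
    # Mailbox-level forward: value carries the "smtp:" prefix and mixed case
    _event("2026-03-18T09:30:00", "bob@contoso.com", "Set-Mailbox",
           [{"Name": "Identity", "Value": "bob"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:Collector@mail.example.net"}], "203.0.113.10"),
    _event("2026-03-18T10:15:00", "carol@contoso.com", "New-InboxRule",
           [{"Name": "RedirectTo", "Value": "collector@mail.example.net"}], "203.0.113.11"),
    # Same mailbox again: must not raise the distinct count
    _event("2026-03-18T10:20:00", "carol@contoso.com", "Set-InboxRule",
           [{"Name": "ForwardTo", "Value": "collector@mail.example.net"}], "203.0.113.11"),
    # Older than the lookback window: ignored
    _event("2026-03-16T10:00:00", "dave@contoso.com", "New-InboxRule",
           [{"Name": "ForwardTo", "Value": "collector@mail.example.net"}], "203.0.113.12"),
    # Internal destinations (vanity domain, onmicrosoft.com): never grouped
    _event("2026-03-18T11:00:00", "erin@contoso.com", "Set-Mailbox",
           [{"Name": "ForwardingAddress", "Value": "finance@contoso.com"}], "198.51.100.5"),
    _event("2026-03-18T11:05:00", "frank@contoso.com", "New-InboxRule",
           [{"Name": "ForwardTo", "Value": "archive@contoso.onmicrosoft.com"}], "198.51.100.5"),
    # Inbox rule with no forwarding parameter: extract() yields nothing
    _event("2026-03-18T11:10:00", "grace@contoso.com", "New-InboxRule",
           [{"Name": "MoveToFolder", "Value": "Archive"}], "198.51.100.6"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, NOW):
        print(json.dumps(alert, indent=2))
```

On this input the function returns one Medium alert for collector@mail.example.net with three source mailboxes (alice, bob, carol), two client IPs and three operations; dave is outside the window, erin and frank forward internally, and grace's rule has no forwarding parameter. Raising the threshold to 4 produces no alert, which is the same behaviour the KQL has with MailboxThreshold = 4.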

Details

David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

OfficeActivity

Operators

let, ago, in, coalesce, extract, tostring, isnotempty, split, not, has, summarize, dcount, make_set, any, min, max, by, case, project