Identify inbox rule creation that is consistent with business email compromise (BEC).
BEC-related inbox rules can be used to conceal or entirely delete bounced emails, including non-delivery reports and out-of-office replies, that the target would otherwise receive after a threat actor sends an email campaign from the compromised mailbox. Such bounce notifications could raise suspicion that the account is compromised. These rules typically match on specific keywords found in the subject of the emails the threat actor intends to send. They may additionally match terms such as ‘hacked’ or ‘phishing’; these serve to hide emails sent by the IT department that might otherwise alert the target to the malicious activity.
Prerequisites for this KQL query
The table for this query (CloudAppEvents) is available in Microsoft Defender. Run the query under Microsoft Defender > Hunting > Advanced hunting. Advanced hunting has the previous 30 days of logs available.
KQL query to identify potential BEC-related inbox rule creation
The following query identifies inbox rule creation where parameters of the rule are consistent with those seen in business email compromise (BEC) activity.
CloudAppEvents
| where isnotempty(ActionType)
| where isnotempty(RawEventData)
| where ActionType in ("New-InboxRule", "Set-InboxRule", "Enable-InboxRule")
| where isnotempty(RawEventData.UserId)
| where isnotempty(RawEventData.ObjectId)
| extend AccountUpn=tostring(RawEventData.UserId)
| extend Parameters = parse_json(RawEventData).Parameters
| where Parameters has_any("DeleteMessage") or (Parameters has_any("MoveToFolder") and Parameters has_any("Deleted Items","Gelöschte Elemente","Éléments supprimés","Eliminar objetos","Posta eliminata","Itens Excluídos","Archive","Archivar","Archiver","Archivio","Arquivo Morto","アーカイブ","Historique des conversations","Unterhaltungsverlauf","Historial de conversaciones","Cronologia conversazione","Histórico de Conversa","会話の履歴"))
| project Timestamp, ActionType, AccountUpn, AccountObjectId, IPAddress, ISP, Parameters
// credit: Microsoft Defender Threat Intelligence
Deconstructing the KQL query
Read on to understand HOW the query above works.
CloudAppEvents
This is the name of the table you’re querying. In KQL, a table is the data set a query reads from, much like a spreadsheet or a database table. CloudAppEvents holds activity from the cloud apps monitored by Defender for Cloud Apps, which includes Exchange Online mailbox operations such as inbox rule changes.
| where isnotempty(ActionType)
This filter ensures that only rows with a non-empty ActionType field are included. It’s like saying, “Show me only the events where the ActionType is specified.”
| where isnotempty(RawEventData)
Similar to the previous step, this filter ensures that only rows with non-empty RawEventData are considered. We want events with actual data.
| where ActionType in ("New-InboxRule", "Set-InboxRule", "Enable-InboxRule")
Here, we’re narrowing down the events to only those with specific ActionType values: “New-InboxRule”, “Set-InboxRule”, or “Enable-InboxRule”. These are the Exchange Online operations that create a mailbox inbox rule, modify an existing one, or enable a disabled one, and they are logged whether the rule was created through PowerShell or through Outlook on the web. Note that rules created or changed from the Outlook desktop client can be recorded as the mailbox-audit operation UpdateInboxRules instead, which this filter does not include.
| where isnotempty(RawEventData.UserId)
Another filter. We’re making sure that the UserId field is not empty. This helps us focus on events associated with specific users.
| where isnotempty(RawEventData.ObjectId)
Similar to the previous step, we’re checking that the ObjectId field is not empty. This field identifies the object affected by the event; for inbox rule operations it is the rule identity, which typically embeds the mailbox and the rule name.
| extend AccountUpn=tostring(RawEventData.UserId)
We’re creating a new column called AccountUpn and populating it with the string representation of the UserId. This is normally the user’s email address (User Principal Name).
| extend Parameters = parse_json(RawEventData).Parameters
Here, we’re parsing the RawEventData (a dynamic, JSON-shaped column) and extracting the Parameters field. In Exchange audit records, Parameters is an array of Name/Value pairs describing the arguments the rule was created or changed with. This step prepares us for further filtering based on specific parameters.
| where Parameters has_any("DeleteMessage") or (Parameters has_any("MoveToFolder") and Parameters has_any("Deleted Items","Gelöschte Elemente","Éléments supprimés","Eliminar objetos","Posta eliminata","Itens Excluídos","Archive","Archivar","Archiver","Archivio","Arquivo Morto","アーカイブ","Historique des conversations","Unterhaltungsverlauf","Historial de conversaciones","Cronologia conversazione","Histórico de Conversa","会話の履歴"))
Finally, we’re filtering based on the Parameters field. We’re interested in events where either:
- The parameters contain “DeleteMessage”.
- The parameters contain “MoveToFolder” and also contain one of the specific folder names (e.g., “Deleted Items”, “Archive”, etc.).
The folder list is the localized display names of Deleted Items, Archive, and Conversation History, because MoveToFolder records the folder name in the language of the mailbox; an English-only list would miss non-English tenants. Because Parameters is a dynamic value, has_any term-matches its entire serialized content rather than only the value of MoveToFolder: a rule whose SubjectContainsWords includes the word “Archive”, or a Set-InboxRule that sets DeleteMessage to $false, will also match. That is acceptable for a hunting query, but expect some triage.
| project Timestamp, ActionType, AccountUpn, AccountObjectId, IPAddress, ISP, Parameters
In the last step, we’re selecting specific columns to display in the query results. These include the timestamp, action type, user’s UPN, object ID, IP address, ISP, and the relevant parameters.
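To make the filters above concrete, here is an added Python example (mine, not code from the original page or from Microsoft) that applies the same three filters to a handful of constructed CloudAppEvents-shaped rows and emits the same projected columns plus the rule name and the keywords the rule keys on. It assumes the Exchange admin-audit layout, in which Parameters is a list of Name/Value pairs, and that MoveToFolder may be logged either as a bare folder name or as a mailbox-qualified path such as `alice@example.com:\Archive`; all names, addresses and GUIDs are made up. It differs from the KQL in one deliberate respect: has_any term-matches the whole serialized Parameters value, so the query also fires on DeleteMessage set to False, whereas the function below looks at the parameter’s value.

```python
import json

# Localized display names the query treats as hiding places; copied from the KQL
# above. MoveToFolder carries the folder's display name in the mailbox language,
# so an English-only list would miss non-English tenants.
HIDING_FOLDERS = {name.casefold() for name in (
    "Deleted Items", "Gelöschte Elemente", "Éléments supprimés", "Eliminar objetos",
    "Posta eliminata", "Itens Excluídos", "Archive", "Archivar", "Archiver", "Archivio",
    "Arquivo Morto", "アーカイブ", "Historique des conversations", "Unterhaltungsverlauf",
    "Historial de conversaciones", "Cronologia conversazione", "Histórico de Conversa",
    "会話の履歴",
)}

RULE_ACTIONS = {"New-InboxRule", "Set-InboxRule", "Enable-InboxRule"}
TRIGGER_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "FromAddressContainsWords")


def event(ts, action, upn, obj_id, params, ip="203.0.113.10"):
    """Build one CloudAppEvents-shaped row. Constructed test data, not real audit
    output; Parameters follows the Exchange admin-audit layout of Name/Value pairs."""
    return {
        "Timestamp": ts, "ActionType": action,
        "AccountObjectId": "00000000-0000-0000-0000-000000000001",
        "IPAddress": ip, "ISP": "example-isp",
        "RawEventData": {"UserId": upn, "ObjectId": obj_id,
                         "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]},
    }


SAMPLE_EVENTS = [
    # classic BEC rule: bounce/IT keywords moved to Archive and marked read
    event("2024-05-01T08:12:03Z", "New-InboxRule", "alice@example.com",
          "example.onmicrosoft.com/Users/alice\\.", {
              "Name": ".", "SubjectContainsWords": "invoice;hacked;phishing",
              "MoveToFolder": "alice@example.com:\\Archive", "MarkAsRead": "True"}),
    # German-language mailbox deleting non-delivery reports outright
    event("2024-05-01T08:40:11Z", "New-InboxRule", "bernd@example.de",
          "example.onmicrosoft.com/Users/bernd\\Abrechnung", {
              "Name": "Abrechnung", "SubjectContainsWords": "Unzustellbar;Undeliverable",
              "DeleteMessage": "True"}, ip="198.51.100.7"),
    # benign: user files project mail into a normal folder
    event("2024-05-01T09:02:45Z", "Set-InboxRule", "carol@example.com",
          "example.onmicrosoft.com/Users/carol\\Projects", {
              "Identity": "carol\\Projects", "MoveToFolder": "carol@example.com:\\Projects"}),
    # DeleteMessage explicitly switched off: the KQL has_any still matches the
    # parameter name, the value-aware check below does not
    event("2024-05-01T09:30:00Z", "Set-InboxRule", "dave@example.com",
          "example.onmicrosoft.com/Users/dave\\Newsletters", {
              "Identity": "dave\\Newsletters", "DeleteMessage": "False"}),
]


def parameters(raw_event_data):
    """Flatten the Name/Value list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in raw_event_data.get("Parameters", [])}


def hiding_reason(params):
    """Value-aware version of the query's last filter: returns why the rule hides mail, or None."""
    if params.get("DeleteMessage", "").lower() == "true":
        return "DeleteMessage"
    # Assumption: MoveToFolder may be logged as a bare name or as "mailbox:\Folder";
    # compare only the last path segment against the localized list.
    folder = params.get("MoveToFolder", "").rsplit("\\", 1)[-1]
    if folder and folder.casefold() in HIDING_FOLDERS:
        return f"MoveToFolder={folder}"
    return None


def find_bec_rules(events):
    """Apply the page's filters to CloudAppEvents-shaped rows and return the projected findings."""
    findings = []
    for ev in events:
        raw = ev.get("RawEventData") or {}
        if ev.get("ActionType") not in RULE_ACTIONS or not raw.get("UserId") or not raw.get("ObjectId"):
            continue
        params = parameters(raw)
        reason = hiding_reason(params)
        if reason is None:
            continue
        findings.append({
            "Timestamp": ev["Timestamp"], "ActionType": ev["ActionType"],
            "AccountUpn": str(raw["UserId"]), "AccountObjectId": ev.get("AccountObjectId"),
            "IPAddress": ev.get("IPAddress"), "ISP": ev.get("ISP"),
            "RuleName": params.get("Name") or params.get("Identity", ""),
            "Reason": reason,
            # the words the rule keys on: this is where 'hacked'/'phishing' show up
            "Triggers": {k: params[k] for k in TRIGGER_PARAMS if k in params},
        })
    return findings


if __name__ == "__main__":
    for finding in find_bec_rules(SAMPLE_EVENTS):
        print(json.dumps(finding, ensure_ascii=False))
```

Run against the four constructed rows, only alice’s Archive rule and bernd’s DeleteMessage rule are reported; carol’s ordinary filing rule and dave’s DeleteMessage=False change are not. Surfacing the SubjectContainsWords value next to the reason is what lets an analyst confirm in one glance whether the rule targets bounces and IT warnings, as described at the top of the page, or is just housekeeping.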
Reference
- Defense Evasion: Hide Artifacts: Email Hiding Rules (T1564.008) | attack.mitre.org