MDO Hunting - BEC Display-Name Impersonation
MDO 08 BEC Display Name Impersonation
Query
let Execs = dynamic(["CEO Name","CFO Name","Managing Director"]);
let CorpDomains = dynamic(["contoso.com","contoso.es"]);
EmailEvents
| where Timestamp > ago(14d)
| where EmailDirection == "Inbound"
| where SenderDisplayName has_any (Execs)
| where not(SenderFromDomain in~ (CorpDomains))
| project Timestamp, SenderDisplayName, SenderFromAddress, SenderFromDomain,
RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation
| sort by Timestamp descExplanation
This query is designed to detect potential Business Email Compromise (BEC) attempts, specifically targeting emails that impersonate executives within a company. Here's a simplified breakdown of what the query does:
-
Purpose: It identifies inbound emails where the display name of the sender matches that of a company executive, but the sender's domain is not one of the company's official domains. This is a common tactic used in CEO fraud or BEC scams.
-
Customization: Before using this query, you should customize the list of executive names (
Execs) and the list of corporate domains (CorpDomains) to match your organization's specifics. -
Data Source: The query uses data from the
MicrosoftThreatProtectionconnector, specifically focusing onEmailEvents. -
Detection Logic:
- It looks at emails received in the last 14 days.
- It filters for inbound emails where the sender's display name matches any name in the
Execslist. - It further filters out emails where the sender's domain is not in the
CorpDomainslist, indicating a potential impersonation.
-
Output: The query outputs details such as the timestamp, sender's display name, sender's email address and domain, recipient's email address, email subject, and delivery action/location.
-
Tactics and Techniques: The query is associated with the tactics of Initial Access and Collection, and it relates to techniques T1656 and T1534.
-
Recommendation: If an email matches these criteria, it is considered a high-confidence fraud lead, and it is recommended to verify the email out-of-band before taking any financial actions.
This query helps organizations proactively identify and respond to potential email-based impersonation threats.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Tactics