Query Details

MDO Hunting - BEC Display-Name Impersonation

MDO 08 BEC Display Name Impersonation

Query

let Execs = dynamic(["CEO Name","CFO Name","Managing Director"]);
let CorpDomains = dynamic(["contoso.com","contoso.es"]);
EmailEvents
| where Timestamp > ago(14d)
| where EmailDirection == "Inbound"
| where SenderDisplayName has_any (Execs)
| where not(SenderFromDomain in~ (CorpDomains))
| project Timestamp, SenderDisplayName, SenderFromAddress, SenderFromDomain,
          RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation
| sort by Timestamp desc

Explanation

This query is designed to detect potential Business Email Compromise (BEC) attempts, specifically targeting emails that impersonate executives within a company. Here's a simplified breakdown of what the query does:

  1. Purpose: It identifies inbound emails where the display name of the sender matches that of a company executive, but the sender's domain is not one of the company's official domains. This is a common tactic used in CEO fraud or BEC scams.

  2. Customization: Before using this query, you should customize the list of executive names (Execs) and the list of corporate domains (CorpDomains) to match your organization's specifics.

  3. Data Source: The query uses data from the MicrosoftThreatProtection connector, specifically focusing on EmailEvents.

  4. Detection Logic:

    • It looks at emails received in the last 14 days.
    • It filters for inbound emails where the sender's display name matches any name in the Execs list.
    • It further filters out emails where the sender's domain is not in the CorpDomains list, indicating a potential impersonation.
  5. Output: The query outputs details such as the timestamp, sender's display name, sender's email address and domain, recipient's email address, email subject, and delivery action/location.

  6. Tactics and Techniques: The query is associated with the tactics of Initial Access and Collection, and it relates to techniques T1656 and T1534.

  7. Recommendation: If an email matches these criteria, it is considered a high-confidence fraud lead, and it is recommended to verify the email out-of-band before taking any financial actions.

This query helps organizations proactively identify and respond to potential email-based impersonation threats.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

EmailEvents

Keywords

EmailEventsTimestampEmailDirectionSenderDisplayNameSenderFromDomainSenderFromAddressRecipientEmailAddressSubjectDeliveryActionDeliveryLocation

Operators

letdynamicagohas_anynotin~projectsort by

Tactics

InitialAccessCollection

MITRE Techniques

Actions

GitHub