MDO Hunting - Suspicious Inbox Rule After Phishing Click
MDO 25 Suspicious Inbox Rule After Click
Query
let Clickers =
UrlClickEvents
| where Timestamp > ago(3d)
| where ThreatTypes has_any ("Phish", "Malware") or IsClickedThrough != ""
| summarize ClickTime = min(Timestamp) by AccountUpn
| where isnotempty(AccountUpn);
CloudAppEvents
| where Timestamp > ago(3d)
| where ActionType in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
| extend Rule = tostring(RawEventData.Parameters)
| where Rule has_any ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
"DeleteMessage", "MarkAsRead", "MoveToFolder")
| extend Upn = tolower(AccountDisplayName)
| join kind=inner (Clickers | extend Upn = tolower(AccountUpn)) on Upn
| where Timestamp between (ClickTime .. ClickTime + 6h)
| project Timestamp, AccountUpn, ClickTime, ActionType, Rule, IPAddress, Application
| sort by Timestamp descExplanation
This query is designed to detect suspicious activity in email accounts, specifically focusing on potential Business Email Compromise (BEC) scenarios. Here's a simple breakdown of what it does:
-
Objective: The query aims to identify cases where a user clicks on a malicious link (phishing or malware) and shortly afterward, an inbox rule is created that could be used to hide the attacker's activities. These rules might forward, redirect, delete, or mark emails as read.
-
Data Sources: It uses data from Microsoft Threat Protection, specifically looking at
UrlClickEvents(to track when and what links are clicked) andCloudAppEvents(to track changes in inbox rules). -
Process:
- Identify Clickers: It first identifies users who have clicked on malicious links in the past three days.
- Track Inbox Rule Changes: It then looks for any changes to inbox rules within the same timeframe.
- Correlate Events: The query correlates these two events by matching the user accounts and checks if the rule changes occurred within six hours after the malicious link was clicked.
-
Output: The results include details like the timestamp of the rule change, the user's account, the type of action taken, the specific rule set, the IP address involved, and the application used.
-
Response: If such activity is detected, it suggests a high likelihood of account takeover. The recommended actions include removing the suspicious rule, resetting the user's credentials, and revoking active sessions to secure the account.
Overall, this query helps security teams quickly identify and respond to potential email account compromises by correlating suspicious link clicks with subsequent inbox rule changes.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Tactics