Query Details

MDO — Suspicious Inbox Rule After Phishing Click

MDO AR 04 Inbox Rule After Click

Query

let Clickers =
    UrlClickEvents
    | where Timestamp > ago(3h)
    | where ThreatTypes has_any ("Phish", "Malware") or (isnotempty(IsClickedThrough) and IsClickedThrough != "0")
    | summarize ClickTime = min(Timestamp) by AccountUpn
    | where isnotempty(AccountUpn);
CloudAppEvents
| where Timestamp > ago(3h)
| where ActionType in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
| extend Rule = tostring(RawEventData.Parameters)
| where Rule has_any ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "DeleteMessage", "MarkAsRead", "MoveToFolder")
| extend Upn = tolower(AccountDisplayName)
| join kind=inner (Clickers | extend Upn = tolower(AccountUpn)) on Upn
| where Timestamp between (ClickTime .. ClickTime + 6h)
| project Timestamp, ReportId, AccountUpn, ClickTime, ActionType, Rule, IPAddress

Explanation

This query is designed to detect potential Business Email Compromise (BEC) incidents by identifying suspicious behavior following a phishing attack. Here's a simple breakdown:

  1. Purpose: The query looks for users who have clicked on a malicious link and then created or modified an email inbox rule that could indicate malicious intent, such as forwarding or deleting emails.

  2. Data Sources: It uses data from two sources:

    • UrlClickEvents: Tracks when users click on links, specifically looking for clicks on links identified as phishing or malware.
    • CloudAppEvents: Monitors actions related to email inbox rules, such as creating or updating rules.
  3. Time Frame: The query examines events within the last 3 hours and correlates them with inbox rule changes within 6 hours after the click.

  4. Detection Logic:

    • It first identifies users who clicked on a malicious link.
    • Then, it checks if these users created or modified inbox rules that could hide or redirect emails.
    • The query matches these two sets of data to find users who performed both actions within a short time frame.
  5. Severity and Response: The severity of this alert is high, indicating a strong signal of potential account takeover. If such behavior is detected, an incident is created, and the alert suggests removing the rule and securing the account.

  6. Alert Details: The alert provides details such as the type of inbox rule created, the user's account information, and the IP address from which the action was performed.

  7. Incident Management: The query is configured to create incidents for detected cases, with options to group related alerts by account for easier management.

Overall, this query helps security teams quickly identify and respond to potential email account compromises following phishing attacks.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

UrlClickEventsCloudAppEvents

Keywords

UrlClickEventsCloudAppEventsAccountUpnIPAddressAccountDisplayNameRawEventDataParameters

Operators

letwherehas_anyisnotemptysummarizeminbyintostringextendjoinkind=innerbetweenprojectagotolower

Severity

High

Tactics

CollectionDefenseEvasion

MITRE Techniques

Frequency: PT1H

Period: PT3H

Actions

GitHub