Agent Foskett Academy • Lesson 90 • BEC Investigation

Investigating a Business Email Compromise (BEC) in Microsoft Defender XDR.

One email looked normal.

One sign-in looked successful.

Then the mailbox started behaving differently.

Agent Foskett followed the compromise.

Agent Foskett Academy lesson investigating Business Email Compromise in Microsoft Defender XDR
Lesson overview

Learn how defenders investigate Business Email Compromise by correlating email, identity, mailbox, audit and endpoint evidence across Microsoft Defender XDR.

Start with the reported email or suspicious mailbox activity
Correlate email, identity, mailbox and device telemetry
Identify forwarding rules, sign-ins and suspicious actions
Build the BEC investigation timeline

Why BEC investigations matter

Business Email Compromise is often quiet. The account may use the correct password, pass MFA and operate from a familiar cloud service. The evidence appears when defenders correlate email, sign-in, mailbox and audit activity.
BEC begins with trustThe attacker uses a real mailbox, a real identity and familiar language to make malicious activity look legitimate.
Mailbox behaviour reveals intentInbox rules, forwarding, deleted messages and unusual send patterns can expose what the attacker did after access was gained.
Identity evidence proves accessSign-in telemetry helps determine when the account was accessed, from where, and whether the session looked abnormal.

The BEC investigation workflow

Agent Foskett follows the account compromise from initial email evidence through identity activity, mailbox actions and attacker impact.
1. Identify the affected mailboxStart with the user report, suspicious email, alert or mailbox that appears to be sending unusual messages.
2. Review sign-insCheck successful logons, risky locations, unfamiliar IP addresses, device changes and session activity.
3. Inspect mailbox rulesLook for forwarding, hidden rules, delete rules, move rules and attempts to hide replies or alerts.
4. Review email activityIdentify outbound messages, suspicious recipients, internal phishing and conversation hijacking behaviour.
5. Check OAuth and consentReview whether an attacker granted access to a malicious app or abused delegated permissions.
6. Build the timelinePlace sign-ins, rule creation, email sends, clicks and mailbox actions into a single investigation story.

Step 1 — Identify suspicious outbound email

Start by identifying whether the mailbox sent unusual messages, especially to many recipients or external domains.
step-1-suspicious-outbound-email.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromAddress =~ "user@contoso.com"
| summarize RecipientCount=dcount(RecipientEmailAddress),
            Subjects=make_set(Subject, 10),
            FirstSeen=min(Timestamp),
            LastSeen=max(Timestamp)
  by SenderFromAddress, bin(Timestamp, 1h)
| order by RecipientCount desc

Step 2 — Review suspicious sign-ins

Use identity telemetry to determine whether the account was accessed from unfamiliar locations, devices or IP addresses.
step-2-suspicious-signins.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
IdentityLogonEvents
| where Timestamp > ago(7d)
| where AccountUpn =~ "user@contoso.com"
| project Timestamp,
          AccountUpn,
          ActionType,
          IPAddress,
          DeviceName,
          LogonType,
          FailureReason
| order by Timestamp asc

Step 3 — Hunt for suspicious mailbox rules

Mailbox rules are a common BEC technique. Attackers may forward messages, delete alerts or hide replies from the real user.
step-3-mailbox-rules.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
CloudAppEvents
| where Timestamp > ago(7d)
| where AccountDisplayName has "user"
| where ActionType has_any ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
| project Timestamp,
          AccountDisplayName,
          ActionType,
          IPAddress,
          Application,
          RawEventData
| order by Timestamp asc

Step 4 — Identify forwarding or deletion behaviour

Look for mailbox actions that suggest the attacker tried to exfiltrate messages or hide evidence from the mailbox owner.
step-4-forwarding-delete-actions.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
CloudAppEvents
| where Timestamp > ago(7d)
| where AccountDisplayName has "user"
| where RawEventData has_any ("ForwardTo", "RedirectTo", "DeleteMessage", "MoveToFolder")
| project Timestamp,
          AccountDisplayName,
          ActionType,
          IPAddress,
          RawEventData
| order by Timestamp asc

Step 5 — Build the BEC investigation timeline

Combine the strongest evidence into a single timeline so the investigation can explain what happened, when it happened and what the attacker changed.
step-5-bec-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
let TargetUser = "user@contoso.com";
let SignIns = IdentityLogonEvents
| where AccountUpn =~ TargetUser
| project Timestamp, EvidenceType="Identity sign-in", Detail=strcat(ActionType, " from ", IPAddress);
let Emails = EmailEvents
| where SenderFromAddress =~ TargetUser or RecipientEmailAddress =~ TargetUser
| project Timestamp, EvidenceType="Email activity", Detail=strcat(SenderFromAddress, " to ", RecipientEmailAddress, " - ", Subject);
union SignIns, Emails
| order by Timestamp asc

How to read BEC evidence

A BEC investigation should explain access, mailbox manipulation, attacker communication and business impact.
AccessWhich account was accessed, from which IP address, and when did the suspicious activity begin?
Mailbox changesWere forwarding rules, delete rules or move rules created to hide attacker activity?
Email abuseDid the attacker send invoice fraud, internal phishing, payment change requests or malicious links?
ImpactWhich recipients were affected, which emails were sent, and what remediation is required?

Real-world investigation

The reportFinance reported that a supplier received a bank account change request from a real internal mailbox.
The sign-inIdentityLogonEvents showed a successful sign-in from an unfamiliar IP address before the fraudulent email was sent.
The ruleCloudAppEvents recorded an inbox rule that moved supplier replies into a hidden folder.
The emailEmailEvents showed the compromised mailbox sending payment change messages to multiple external contacts.
The conclusionThe account was compromised, the mailbox was manipulated, and the attacker attempted payment redirection fraud.

Investigation checklist

Affected account identifiedConfirm which mailbox and identity were involved.
Sign-ins reviewedCheck IP addresses, devices, geolocation, session context and successful authentication events.
Mailbox rules checkedIdentify forwarding, redirect, delete and move rules.
Outbound emails reviewedConfirm who received suspicious emails and what action they may have taken.
Containment completedReset credentials, revoke sessions, remove malicious rules and review MFA status.
Timeline documentedRecord access, mailbox changes, email sends, impact and response actions.

Related Agent Foskett Academy lessons

Building an Incident TimelinePlace identity, email and endpoint evidence into a single investigation story.
Building an IOC HuntSearch across the environment for indicators linked to the compromise.
Investigating Credential TheftIdentify how credentials may have been stolen or abused.
Building a Complete Phishing InvestigationFollow email delivery, clicks and endpoint evidence during phishing investigations.
Correlating EmailEvents and UrlClickEventsConnect email evidence with user interaction during suspicious message investigations.
Investigating Lateral MovementUnderstand whether compromised credentials were used elsewhere.

Academy milestone

Congratulations. You have reached Lesson 90 of the Agent Foskett Academy.
90 lessons completedFrom your first KQL query to advanced Defender XDR investigations, the Academy now teaches complete investigation workflows.
Advanced investigationsLessons 81 to 90 form a practical incident response block covering lateral movement, PowerShell, ransomware, persistence, IOC hunting, timelines and BEC.
Agent Foskett continuesThe next lessons continue building practical Microsoft Defender XDR skills for real-world defenders.

Coming next

Lesson 91 — Advanced Email Investigation Patterns in Microsoft Defender XDRNext, Agent Foskett Academy continues with deeper email investigation patterns for phishing, BEC, spoofing, attachments and suspicious sender behaviour.
Why this mattersBEC is rarely one event. It is a chain of access, mailbox manipulation, communication and impact that defenders must prove with evidence.

Final thought

A trusted mailbox can become the attacker's best disguise.
Agent Foskett mindsetDo not stop at the suspicious email. Follow the account, the mailbox, the rules, the sign-ins and the business impact.
The mailbox told the storyWhen email, identity and audit evidence are placed in order, the BEC investigation becomes clear.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating a Business Email Compromise in Microsoft Defender XDR

Agent Foskett Academy Lesson 90 teaches defenders how to investigate Business Email Compromise in Microsoft Defender XDR.

BEC investigation workflow

This lesson explains how EmailEvents, IdentityLogonEvents, CloudAppEvents, mailbox rules, outbound email activity, sign-in evidence and investigation timelines help defenders reconstruct Business Email Compromise incidents.