Investigating a Business Email Compromise (BEC) in Microsoft Defender XDR.
One email looked normal.
One sign-in looked successful.
Then the mailbox started behaving differently.
Agent Foskett followed the compromise.
Lesson overview
Learn how defenders investigate Business Email Compromise by correlating email, identity, mailbox, audit and endpoint evidence across Microsoft Defender XDR.
Why BEC investigations matter
The BEC investigation workflow
Step 1 — Identify suspicious outbound email
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromAddress =~ "user@contoso.com"
| summarize RecipientCount=dcount(RecipientEmailAddress),
Subjects=make_set(Subject, 10),
FirstSeen=min(Timestamp),
LastSeen=max(Timestamp)
by SenderFromAddress, bin(Timestamp, 1h)
| order by RecipientCount desc
Step 2 — Review suspicious sign-ins
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
IdentityLogonEvents
| where Timestamp > ago(7d)
| where AccountUpn =~ "user@contoso.com"
| project Timestamp,
AccountUpn,
ActionType,
IPAddress,
DeviceName,
LogonType,
FailureReason
| order by Timestamp asc
Step 3 — Hunt for suspicious mailbox rules
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
CloudAppEvents
| where Timestamp > ago(7d)
| where AccountDisplayName has "user"
| where ActionType has_any ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
| project Timestamp,
AccountDisplayName,
ActionType,
IPAddress,
Application,
RawEventData
| order by Timestamp asc
Step 4 — Identify forwarding or deletion behaviour
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
CloudAppEvents
| where Timestamp > ago(7d)
| where AccountDisplayName has "user"
| where RawEventData has_any ("ForwardTo", "RedirectTo", "DeleteMessage", "MoveToFolder")
| project Timestamp,
AccountDisplayName,
ActionType,
IPAddress,
RawEventData
| order by Timestamp asc
Step 5 — Build the BEC investigation timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
let TargetUser = "user@contoso.com"; let SignIns = IdentityLogonEvents | where AccountUpn =~ TargetUser | project Timestamp, EvidenceType="Identity sign-in", Detail=strcat(ActionType, " from ", IPAddress); let Emails = EmailEvents | where SenderFromAddress =~ TargetUser or RecipientEmailAddress =~ TargetUser | project Timestamp, EvidenceType="Email activity", Detail=strcat(SenderFromAddress, " to ", RecipientEmailAddress, " - ", Subject); union SignIns, Emails | order by Timestamp asc
How to read BEC evidence
Real-world investigation
Investigation checklist
Related Agent Foskett Academy lessons
Academy milestone
Coming next
Final thought
Investigating a Business Email Compromise in Microsoft Defender XDR
Agent Foskett Academy Lesson 90 teaches defenders how to investigate Business Email Compromise in Microsoft Defender XDR.
BEC investigation workflow
This lesson explains how EmailEvents, IdentityLogonEvents, CloudAppEvents, mailbox rules, outbound email activity, sign-in evidence and investigation timelines help defenders reconstruct Business Email Compromise incidents.
