Business Email Compromise - Financial Fraud

Attribute        Value
Publisher        Microsoft Corporation
Support Tier     Microsoft
Support Link     https://support.microsoft.com/
Categories       domains
Version          3.0.10
Author           Microsoft - support@microsoft.com
First Published  2023-08-04
Solution Folder  Business Email Compromise - Financial Fraud
Marketplace      Azure Marketplace · Popularity: ⚪ Very Low (0%)
Pre-requisites   Microsoft Entra ID, Microsoft 365, Amazon Web Services, Microsoft Defender XDR, Okta Single Sign-On

Business Email Compromise (BEC) attacks often aim to commit financial fraud by locating sensitive payment or invoice details and using them to hijack legitimate transactions. This solution, in combination with the other solutions listed below, provides a range of content to help detect and investigate BEC attacks at different stages of the attack cycle and across multiple data sources, including AWS, SAP, Okta, Dynamics 365, Microsoft Entra ID, Microsoft 365 and network logs.

This content covers all stages of the attack chain: the initial phishing attack vector, establishing persistence in the environment, locating and collecting sensitive financial information from data stores, and finally perpetrating and concealing the fraud. This range of content complements the coverage Microsoft Defender XDR provides across Microsoft Defender products.

To gain the most comprehensive coverage possible, customers should deploy the content included in this solution as well as content from the following solutions:

  1. Microsoft Entra ID solution for Sentinel

  2. Microsoft 365 solution for Sentinel

  3. Amazon Web Services

  4. Microsoft Defender XDR

  5. Okta Single Sign On


Pre-requisites

This solution depends on 5 other solution(s):

Solution
Amazon Web Services
Microsoft 365
Microsoft Defender XDR
Microsoft Entra ID
Okta Single Sign-On

Data Connectors

This solution does not include its own data connectors; it uses the connectors provided by the dependency solutions listed above.

Tables Used

This solution queries 6 table(s) from its content items:

Table | Used By Content
AWSCloudTrail | Analytics
AuditLogs | Analytics, Hunting
AwsBucketAPILogs_CL | Hunting
EmailEvents | Hunting
OfficeActivity | Analytics, Hunting
SigninLogs | Hunting

Internal Tables

The following 2 table(s) are used internally by this solution's content items:

Table | Used By Content
BehaviorAnalytics | Hunting
IdentityInfo | Analytics, Hunting

Content Items

This solution includes 20 content item(s):

Content Type | Count
Hunting Queries | 13
Analytic Rules | 7

Analytic Rules

Name | Severity | Tactics | Tables Used
Account Elevated to New Role | Medium | Persistence | AuditLogs
Authentication Method Changed for Privileged Account | High | Persistence | AuditLogs (internal use: IdentityInfo)
Malicious BEC Inbox Rule | Medium | Persistence, DefenseEvasion | OfficeActivity
Privileged Account Permissions Changed | Medium | PrivilegeEscalation | AuditLogs (internal use: IdentityInfo)
Suspicious access of BEC related documents | Medium | Collection | -
Suspicious access of BEC related documents in AWS S3 buckets | Medium | Collection | AWSCloudTrail
User Added to Admin Role | Low | PrivilegeEscalation | AuditLogs

Hunting Queries

Name | Tactics | Tables Used
Email Forwarding Configuration with SAP download | InitialAccess, Collection, Exfiltration | EmailEvents, OfficeActivity
High count download from a SAP Privileged account | InitialAccess, Exfiltration | -
Login attempts using Legacy Auth | InitialAccess, Persistence | SigninLogs (internal use: BehaviorAnalytics, IdentityInfo)
Microsoft Entra ID signins from new locations | InitialAccess | SigninLogs (internal use: IdentityInfo)
Office Mail Rule Creation with suspicious archive mail move activity | Collection, Exfiltration | OfficeActivity
Risky Sign-in with new MFA method | Persistence | AuditLogs, SigninLogs (internal use: BehaviorAnalytics, IdentityInfo)
S3 Bucket outbound Data transfer anomaly | Exfiltration | AwsBucketAPILogs_CL
Successful Signin From Non-Compliant Device | InitialAccess | SigninLogs (internal use: BehaviorAnalytics, IdentityInfo)
Suspicious Data Access to S3 Bucket from Unknown IP | Collection | -
User Accounts - New Single Factor Auth | InitialAccess | - (internal use: BehaviorAnalytics)
User Accounts - Unusual authentications occurring when countries do not conduct normal business operations. | InitialAccess | SigninLogs (internal use: IdentityInfo)
User Login IP Address Teleportation | InitialAccess | SigninLogs (internal use: BehaviorAnalytics, IdentityInfo)
User detection added to privilege groups based in Watchlist | Reconnaissance, PrivilegeEscalation | AuditLogs

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.0.10 | 10-11-2025 | Update in Analytical Rule alert description
3.0.9 | 05-06-2024 | Analytical Rule description updated
3.0.8 | 04-04-2024 | Updated Entity Mappings
3.0.7 | 28-02-2024 | Removed usage of BlastRadius from Hunting Queries
3.0.6 | 16-02-2024 | Updated the solution to fix Analytic Rules deployment issue
3.0.5 | 08-02-2024 | Tagged for dependent solutions for deployment
3.0.4 | 10-01-2024 | Updated Analytic Rule (AuthenticationMethodChangedforPrivilegedAccount.yaml)
3.0.3 | 23-11-2023 | Updated description of Hunting query
3.0.2 | 06-11-2023 | Changes for rebranding from Microsoft 365 Defender to Microsoft Defender XDR
3.0.1 | 03-11-2023 | Updated Analytic Rule datatype and descriptions for Hunting queries
3.0.0 | 07-08-2023 | Initial Solution Release
