Lab 05 (Beginner)

Deploy Email & BEC Detection Rules

Duration: 45-60 minutes. Modules: Module 2, Module 4

Objective

Deploy 4 email detection rules from Module 4 (Building Email & Collaboration Detections): DET-SOC-008 (inbox forwarding), DET-SOC-009 (evasion rules), DET-SOC-011 (bulk mailbox access), and DET-SOC-014 (BEC outbound email). These form the core BEC detection chain — catching each stage from persistence through fraud execution.

Required: Microsoft Sentinel with OfficeActivity and EmailEvents tables populated. Exchange Online connector enabled.


Step 1: Create the OrganisationDomains watchlist

DET-SOC-008 and DET-SOC-010 reference an OrganisationDomains watchlist to distinguish internal from external forwarding destinations.

Navigate to: Sentinel → Watchlist → Add new

Field          Value
Name           OrganisationDomains
Alias          OrganisationDomains
Source type    Local file (CSV)
SearchKey      Domain

Upload a CSV with your organisation’s email domains:

Domain,Type
northgateeng.com,Primary
northgate-engineering.co.uk,Secondary

Replace with your actual domains. Include every domain that should be considered “internal” — primary, secondary, subsidiaries, and any vanity domains used for marketing email.

Verification:

_GetWatchlist('OrganisationDomains')
| project Domain, Type

If this returns your domains, the watchlist is ready. If it returns an error, check the alias name matches exactly.


Step 2: Verify data sources are populated

Before deploying rules, confirm the required tables have data:

union
    (OfficeActivity | where TimeGenerated > ago(1h)
        | summarize Count=count() | extend Table="OfficeActivity"),
    (EmailEvents | where TimeGenerated > ago(1h)
        | summarize Count=count() | extend Table="EmailEvents")
| project Table, Count

Both tables must show counts greater than zero. If OfficeActivity is empty, the Office 365 connector in Sentinel needs to be enabled and configured to ingest Exchange events. If EmailEvents is empty, the Microsoft Defender XDR connector needs email event collection enabled.


Step 3: Deploy DET-SOC-008 — Inbox Forwarding to External Domain

Navigate to: Sentinel → Analytics → Create → Scheduled query rule

Field                       Value
Name                        DET-SOC-008: Inbox forwarding rule to external domain
Severity                    High
MITRE ATT&CK                Collection → T1114.003 (Email Forwarding Rule)
Run query every             5 minutes
Lookup data from the last   1 hour

Paste the KQL from Module 4, subsection 4.2.

Entity mapping:

Entity type    Identifier    Field
Account        FullName      UserId
IP             Address       ClientIP

Alert grouping: Group by Account entity within 24 hours.
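The Module 4 KQL is not reproduced in this lab, so the following is an added illustrative query (not the module's rule text) showing how a forwarding detection consumes the OrganisationDomains watchlist from Step 1. It assumes the OfficeActivity Parameters column is a dynamic array of {Name, Value} pairs and that only rule-based forwarding (New-InboxRule / Set-InboxRule) is in scope.

```kusto
// Added illustrative query, not the Module 4 rule text. Assumptions: the
// OfficeActivity Parameters column is a dynamic array of {Name, Value} pairs, and
// only rule-based forwarding (New-InboxRule / Set-InboxRule) is in scope here.
let InternalDomains = _GetWatchlist('OrganisationDomains')
    | project Domain = tolower(tostring(Domain));
OfficeActivity
| where TimeGenerated > ago(1h)
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule")
| mv-expand Parameters
| extend ParamName = tostring(Parameters.Name), ParamValue = tostring(Parameters.Value)
| where ParamName in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
// The value may be a bare address or a recipient string such as
// "Name [SMTP:user@example.net]"; keep only the domain after the '@'.
| extend DestDomain = tolower(extract(@"@([A-Za-z0-9.-]+)", 1, ParamValue))
| where isnotempty(DestDomain)
// Anything not listed in the watchlist is treated as external.
| where DestDomain !in (InternalDomains)
| project TimeGenerated, UserId, ClientIP, Operation, ParamName, DestDomain, ParamValue
| sort by TimeGenerated desc
```

Mailbox-level forwarding configured through Set-Mailbox (ForwardingSmtpAddress / ForwardingAddress) is a separate path and is not covered by this query; confirm the Module 4 rule handles it or pair this with a dedicated detection.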


Step 4: Deploy DET-SOC-009 — Evasion Rules

This rule detects inbox rules designed to hide adversary activity — rules that move, delete, or mark as read specific emails (typically the phishing reply chain or vendor communications the adversary is intercepting).

Field                       Value
Name                        DET-SOC-009: Inbox rule created with evasion characteristics
Severity                    High
MITRE ATT&CK                Defense Evasion → T1564.008 (Email Hiding Rules)
Run query every             5 minutes
Lookup data from the last   1 hour

Paste the KQL from Module 4, subsection 4.3.


Step 5: Deploy DET-SOC-011 — Bulk Mailbox Access

This rule detects an adversary reading large volumes of email — the reconnaissance phase of BEC where the adversary studies communication patterns, identifies payment processes, and selects impersonation targets.

Field                       Value
Name                        DET-SOC-011: Bulk mailbox access exceeding baseline
Severity                    Medium
MITRE ATT&CK                Collection → T1114.002 (Remote Email Collection)
Run query every             15 minutes
Lookup data from the last   1 hour

This rule uses a baseline comparison. During the first 14 days after deployment, the rule establishes each user’s normal MailItemsAccessed volume. Alerts trigger only when a user exceeds their personal baseline by the configured multiplier.
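As an added illustration of the baseline comparison described above (not the Module 4 rule text), the query below builds each user's own hourly MailItemsAccessed profile from the previous 14 days and alerts only when the last hour exceeds that profile by a multiplier. The multiplier, the minimum observed hours that end the learning period, and the event floor are assumed placeholder values to tune.

```kusto
// Added illustrative query, not the Module 4 rule text. Assumptions: one
// MailItemsAccessed event is counted as one unit (any per-event item count is
// ignored), the baseline is the user's own hourly activity over the previous
// 14 days, and the multiplier of 5 is a placeholder to tune during learning.
let lookback   = 14d;
let window     = 1h;
let multiplier = 5.0;
let minHoursObserved = 40;   // assumed: active hours required before a baseline is trusted
let minRecent  = 200;        // assumed floor so a near-idle mailbox cannot alert on a few reads
let MailAccess = OfficeActivity
    | where OfficeWorkload == "Exchange" and Operation == "MailItemsAccessed"
    | where isnotempty(UserId);
// Per-user hourly profile from the prior 14 days, excluding the hour being evaluated.
let Baseline = MailAccess
    | where TimeGenerated between (ago(lookback + window) .. ago(window))
    | summarize HourCount = count() by UserId, Hour = bin(TimeGenerated, 1h)
    | summarize BaselineMeanPerHour = avg(HourCount),
                BaselineMaxPerHour  = max(HourCount),
                HoursObserved       = dcount(Hour) by UserId;
MailAccess
| where TimeGenerated > ago(window)
| summarize RecentCount = count(), ClientIPs = make_set(ClientIP, 10) by UserId
| join kind=inner Baseline on UserId
// Users still inside the learning period (too few observed hours) never alert.
| where HoursObserved >= minHoursObserved
| where RecentCount >= minRecent
// Alert only when the hour beats both the mean-times-multiplier and the user's busiest baseline hour.
| where RecentCount > multiplier * BaselineMeanPerHour
    and RecentCount > BaselineMaxPerHour
| extend RatioToBaseline = round(RecentCount / BaselineMeanPerHour, 1)
| project UserId, RecentCount, BaselineMeanPerHour, BaselineMaxPerHour, RatioToBaseline, ClientIPs
| sort by RatioToBaseline desc
```

Because the baseline is recomputed on every run, an adversary who reads mail slowly over many days will raise the user's own mean; review the ClientIPs set on any alert and consider pairing this with a new-IP condition.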


Step 6: Deploy DET-SOC-014 — BEC Outbound Email

This rule catches the adversary executing the fraud — sending email as the compromised user to redirect payments, request wire transfers, or exfiltrate data via email attachment.

Field                       Value
Name                        DET-SOC-014: Suspicious outbound email indicating BEC execution
Severity                    High
MITRE ATT&CK                Impact → T1657 (Financial Theft)
Run query every             5 minutes
Lookup data from the last   1 hour

Step 7: Validate the BEC detection chain

With all 4 rules deployed, verify each is running:

SentinelAudit
| where TimeGenerated > ago(1h)
| where Description has_any ("DET-SOC-008", "DET-SOC-009",
    "DET-SOC-011", "DET-SOC-014")
| project TimeGenerated, Description, Status
| sort by TimeGenerated desc

All 4 should show “Success” within the last 15 minutes. Together they cover the complete BEC lifecycle:

  1. DET-SOC-008 → adversary establishes email forwarding (exfiltration)
  2. DET-SOC-009 → adversary hides evidence of the compromise
  3. DET-SOC-011 → adversary reads email to study payment processes
  4. DET-SOC-014 → adversary sends the fraud email

Verification checklist

Next step

Continue deploying the remaining 3 email rules from Module 4 (DET-SOC-010, DET-SOC-012, DET-SOC-013). Then proceed to Lab 08 for endpoint detection deployment (Module 5) and Lab 09 for cloud detection deployment (Module 6).