Sign In

DE0.2 CHAIN-HARVEST: AiTM to BEC

2-3 hours · Module 0 · Free
Operational Objective
The Theory-to-Reality Gap: DE0.1 showed the coverage percentage. This subsection makes it concrete. You will walk through CHAIN-HARVEST — a five-phase AiTM credential theft and BEC attack — against Northgate Engineering's 23 analytics rules and watch every phase execute without triggering a single alert until the damage is done. The attack is not exotic. It uses commodity tooling (EvilProxy), common tactics, and targets a finance team member. The detection failure is not because the data is missing — every phase generates telemetry in the workspace. The failure is because no rule looks at that telemetry in the right way.
Deliverable: A concrete understanding of how multi-phase attacks exploit detection gaps, and the specific rule types that would have caught each phase — the rules you will build in DE3, DE4, DE5, and DE7.
⏱ Estimated completion: 25 minutes

CHAIN-HARVEST: the attack

Monday, 09:14 UTC. Sarah Chen (s.chen@northgateeng.com), Finance Analyst at Northgate Engineering’s Bristol headquarters, receives an email. The sender appears to be DocuSign — a service Northgate uses routinely for contract signatures with manufacturing clients. The email contains a link to review and sign a purchase order from a known supplier.

The email passed Defender for Office 365 scanning. Safe Links evaluated the URL at delivery time — it pointed to a legitimate-looking landing page hosted on a compromised WordPress site. Safe Attachments found no attachment to detonate. The anti-phishing policy checked the sender domain against impersonation protection lists — the sender was not impersonating a Northgate executive, it was impersonating DocuSign, which is not in the impersonation protection scope. The email landed in Sarah’s inbox with no warnings.

Sarah clicked the link. The landing page redirected through two intermediary domains to an EvilProxy reverse proxy presenting a pixel-perfect Microsoft sign-in page. Sarah entered her credentials and completed the MFA push notification on her Authenticator app. She believed she was signing into Microsoft 365 to access the DocuSign document. She was. But the EvilProxy proxy sat between her browser and Microsoft’s authentication endpoint, capturing the session token issued after successful MFA.

The attacker now holds Sarah’s valid session token. No password was stolen — the session token bypasses both the password and MFA for its remaining lifetime.

CHAIN-HARVEST — ATTACK TIMELINE vs DETECTION RULES09:14 — PHASE 1: PHISHING EMAILEvilProxy link delivered to s.chen. Bypasses Safe Links, Safe Attachments, anti-phishing.Data: EmailEvents, EmailUrlInfo | NE rules that query this data: 1 (template: "phishing email detected by MDO") | Fires? NO — MDO did not flag it09:17 — PHASE 2: CREDENTIAL CAPTUREAiTM proxy captures session token after MFA completion. Sign-in from proxy IP (residential, same country).Data: SigninLogs (anomalous sessionId, deviceDetail mismatch) | NE rules: 2 (impossible travel, risky sign-in) | Fires? NO — same country, medium risk only09:24 — PHASE 3: PERSISTENCE (INBOX RULE)Attacker creates inbox rule: move emails containing "invoice" or "payment" to RSS Subscriptions folder.Data: OfficeActivity (New-InboxRule) | NE rules: 1 (suspicious inbox rule — template) | Fires? NO — rule checks forwarding only, not folder moves09:31–12:45 — PHASE 4: EMAIL COLLECTIONAttacker reads 3 months of email via Outlook Web. MailItemsAccessed (Bind) events recorded.Data: OfficeActivity (MailItemsAccessed) | NE rules: 0 | Fires? NO — no rule queries MailItemsAccessed13:02 — PHASE 5: BEC (FINANCIAL FRAUD)Attacker sends email to s.whitfield (CFO) requesting urgent wire transfer to "updated" supplier account.Data: EmailEvents (internal-to-internal, financial keywords) | NE rules: 0 | Fires? NO — no BEC detection rule existsRESULT: 0 of 23 rules fired across 5 attack phases3 hours 48 minutes of undetected attacker activity — detected only when CFO questions the wire transferNO ALERTS

Figure DE0.2 — CHAIN-HARVEST attack timeline mapped against Northgate Engineering's 23 analytics rules. Every phase generates telemetry. No rule fires.

Phase-by-phase: why each detection failed

Phase 1 — Phishing email. Northgate has one template rule for phishing: “Phishing email detected by Microsoft Defender for Office 365.” This is a pass-through rule — it creates a Sentinel incident when Defender for Office 365 flags an email as phishing. If Defender does not flag it, the rule does not fire. The rule does not independently analyze EmailEvents or EmailUrlInfo. It depends entirely on Defender’s verdict. Defender’s verdict was “clean” because the URL pointed to a compromised legitimate site that was not yet in Microsoft’s threat intelligence feeds. A detection engineer would build a rule that queries EmailUrlInfo for URL patterns associated with AiTM proxy infrastructure — newly registered domains, specific URL path structures, redirect chains — independent of Defender’s verdict.

Phase 2 — Credential capture via AiTM. Northgate has two identity rules: impossible travel and risky sign-in. The impossible travel rule did not fire because the attacker used a residential proxy IP in the same country as Sarah — London, 120 miles from Bristol. The sign-in appeared as a normal remote access event. The risky sign-in rule fires only on High risk sign-ins as classified by Entra ID Protection. Entra ID Protection classified the sign-in as Medium risk (unfamiliar sign-in properties) — the rule’s threshold is High. A detection engineer would build a rule that detects session token anomalies: the sign-in occurs on a device the user has never used before, the browser fingerprint does not match her baseline, and the non-interactive token refresh occurs from a different IP than the interactive sign-in that created the session. These signals exist in SigninLogs and AADNonInteractiveUserSignInLogs. No rule queries them.

Phase 3 — Inbox rule persistence. Northgate’s inbox rule template fires on rules that forward email to external addresses. The attacker did not create a forwarding rule — forwarding rules are well-known indicators of compromise and sophisticated attackers avoid them. Instead, the attacker created a rule that moves emails matching financial keywords to the RSS Subscriptions folder — a folder most users never check. This hides the emails from Sarah so she does not see the CFO’s responses to the fraudulent wire transfer request. The template rule does not detect folder-move rules because it was not designed for this variant. A detection engineer would build a rule that detects any inbox rule creation from a session that has identity risk signals, regardless of the rule’s action type.

Phase 4 — Email collection. No rule exists. Northgate has zero analytics rules that query OfficeActivity for MailItemsAccessed events. The attacker read three months of Sarah’s email over a three-hour period. The access pattern — hundreds of MailItemsAccessed events with OperationType “Bind” from a single session within a short window — is highly anomalous. Sarah’s normal email access pattern is 20-40 Bind events per day spread across working hours. The attacker generated 400+ in three hours. The data exists in the workspace. No rule looks at it. A detection engineer would build a rule that baselines per-user MailItemsAccessed volume and fires when a session exceeds the baseline by a configurable multiple.

Phase 5 — BEC wire fraud. No rule exists. Northgate has zero analytics rules that detect business email compromise patterns — emails from internal accounts containing financial keywords (wire transfer, bank account, payment details, routing number) sent to executives or finance staff. The attacker sent the fraudulent wire transfer request from Sarah’s legitimate mailbox to the CFO. From the email system’s perspective, this is a normal internal email. A detection engineer would build a rule that detects the pattern: recent identity risk signal on the sender’s account + email to finance/executive recipients + financial keywords in the subject or body. This cross-source correlation — identity risk in SigninLogs joined with email content in EmailEvents — is exactly the kind of detection that templates do not provide because it requires environment-specific entity definitions.

⚠ Compliance Myth: "If Defender for Office 365 did not catch the phishing email, there is nothing we could have done"

The myth: Email security is a prevention control. If the email bypasses prevention (Safe Links, Safe Attachments, anti-phishing), detection starts at the sign-in layer. There is no second chance at the email layer.

The reality: EmailEvents and EmailUrlInfo are queryable in Advanced Hunting and ingestible into Sentinel. Detection rules can query these tables for patterns that Safe Links does not check — URL redirect depth, domain age, specific AiTM proxy URL structures, mismatches between display sender and envelope sender that bypass impersonation protection. These are not prevention rules (the email has already been delivered). They are post-delivery detection rules that alert the SOC to investigate before the user clicks, or immediately after. Zero-hour Purge (ZAP) can then remove the email retroactively. The detection engineer adds a detection layer that the prevention engine does not provide.

The detection rules that would have caught it

Each phase of CHAIN-HARVEST had a detection opportunity — not with exotic technology, but with KQL queries against data already in the Sentinel workspace. These are the rules you will build in this course:

Phase 1 detection (DE3): A rule querying EmailUrlInfo for emails containing URLs with characteristics of AiTM proxy infrastructure — redirect chains through recently registered domains, specific URL path patterns known to be associated with EvilProxy and Tycoon 2FA kits, and mismatches between the displayed URL text and the actual URL destination.

Phase 2 detection (DE4): A rule querying SigninLogs and AADNonInteractiveUserSignInLogs for session token anomalies — interactive sign-in from an unrecognized device followed by non-interactive token refresh from a different IP within 30 minutes. This detects the AiTM pattern regardless of the sign-in risk classification.

Phase 3 detection (DE5): A rule querying OfficeActivity for New-InboxRule or Set-InboxRule events where the creating session has any identity risk signal (medium or high risk sign-in, unfamiliar sign-in properties, anonymous IP) within the preceding 60 minutes. This catches inbox rule persistence regardless of the rule’s action type.

Phase 4 detection (DE7): A rule querying OfficeActivity for MailItemsAccessed volume anomalies — sessions where the Bind event count exceeds the user’s 30-day baseline by more than 5x within a rolling 4-hour window. This detects bulk email reading whether the attacker uses OWA, Graph API, or EWS.

Phase 5 detection (DE7): A rule joining SigninLogs (recent risk signal on the sender) with EmailEvents (internal email containing financial keywords sent to finance or executive distribution lists). This cross-source correlation detects BEC attempts originating from compromised internal accounts.

Five rules. Five KQL queries. Each one queries data that already exists in the workspace. Each one would have generated an alert within minutes of the corresponding attack phase. The earliest detection (Phase 1) would have alerted the SOC before Sarah even clicked the link. The latest detection (Phase 5) would have alerted the SOC before the CFO authorized the wire transfer.

Try it yourself

Exercise: Map your own rules against CHAIN-HARVEST

Review your Sentinel analytics rules. For each of the 5 CHAIN-HARVEST phases, determine whether you have a rule that would fire. Not a rule that queries the same table — a rule that would detect the specific attack variant described. Would your inbox rule detection catch a folder-move rule (not just forwarding)? Would your identity rule catch a same-country AiTM sign-in classified as medium risk? Would your email rule catch BEC from a compromised internal account?

If you find gaps, note them. Those gaps are your detection backlog priorities.

The attacker’s perspective: why this works

The attacker did not use a zero-day exploit. They did not deploy custom malware. They did not compromise a domain controller or move laterally to servers. Every tool and technique in CHAIN-HARVEST is commodity: EvilProxy is sold as a phishing-as-a-service platform. The BEC playbook is well-documented. The inbox rule persistence is a standard technique used by thousands of threat actors.

The attacker succeeds not because the techniques are sophisticated, but because the detection is absent. The attacker knows that most organizations detect what their vendor detects — and nothing more. If Defender does not flag the email, no one looks at it. If Entra ID Protection does not classify the sign-in as high risk, no one investigates it. If no rule queries MailItemsAccessed, the bulk email reading is invisible. The attacker operates in the space between what the vendor catches and what the SOC monitors.

Detection engineering closes that space. Every rule you build in this course is designed to detect techniques that vendor tooling misses — not because the vendor is bad, but because the vendor builds for the general case and your attacker targets the specific case. Your environment, your users, your risk profile, your data patterns. The detection engineer writes rules for that specificity.

Check your understanding

The CHAIN-HARVEST attacker used a residential proxy IP in the same country as the victim. Why did this defeat the impossible travel detection rule?

Answer: Impossible travel rules detect sign-ins from two geographic locations that are physically impossible to travel between in the time elapsed. A residential proxy in the same country (London, 120 miles from Bristol) does not trigger impossible travel — the distance and time are plausible for normal travel. The rule is designed for geographic anomalies, not for session token theft from nearby locations. The detection gap is that AiTM attacks from same-country proxies require session-based detection (device fingerprint mismatch, IP change on non-interactive token refresh) rather than location-based detection.

This is one attack chain. There are five more.

CHAIN-HARVEST targets the identity and email layer. CHAIN-MESH targets lateral movement across the SD-WAN. CHAIN-ENDPOINT targets endpoints and the crown jewels. CHAIN-PRIVILEGE targets insider PIM abuse. CHAIN-DRIFT exploits a configuration change window. CHAIN-FACTORY targets physical access. DE0.6 introduces all six. Modules DE3 through DE8 build the detection rules that catch them.

Troubleshooting: “We have a managed SOC — wouldn’t they catch this?”

The managed SOC triages alerts from your rules. If your rules do not fire, the managed SOC has nothing to triage. They are an operational resource — they monitor, investigate, and escalate the alerts your detection library generates. If your detection library covers 10.3% of techniques, the managed SOC monitors 10.3% of techniques. The other 89.7% is not their gap to close — it is yours.

Some managed SOC providers offer “content development” or “custom detection” services. If this is contracted and active, verify what they have built. Request the full list of custom analytics rules, their ATT&CK mappings, and the date each was last tuned. If the custom rules are template-based or have not been tuned in 6+ months, the effective coverage may be lower than the contracted coverage.

The relationship is complementary, not substitutive. You build the detection library. They operationalize it 24/7. This course teaches the building. The managed SOC handles the operating.

📋 Operational Artifact — Attack Chain Detection Gap Analysis

Attack chain: CHAIN-HARVEST (AiTM → BEC → Financial Fraud)

Phase 1 — Phishing email: Rule exists? [Y/N] — Fires on this variant? [Y/N] — Gap: ___

Phase 2 — Credential capture: Rule exists? [Y/N] — Fires on this variant? [Y/N] — Gap: ___

Phase 3 — Inbox rule persistence: Rule exists? [Y/N] — Fires on this variant? [Y/N] — Gap: ___

Phase 4 — Email collection: Rule exists? [Y/N] — Fires on this variant? [Y/N] — Gap: ___

Phase 5 — BEC wire fraud: Rule exists? [Y/N] — Fires on this variant? [Y/N] — Gap: ___

Earliest possible detection point: Phase ___ with rule: ___

Current detection point: Phase ___ (or none)

Dwell time (current): ___ hours | Dwell time (with detection): ___ minutes

References used in this subsection

  • CHAIN-HARVEST attack chain specification (course blueprint)
  • Course cross-references: DE3 (initial access detection), DE4 (credential attack detection), DE5 (persistence detection), DE7 (collection and exfiltration detection)

CHAIN-HARVEST detection timeline: what fires and what does not

1
2
3
4
5
6
7
8

// CHAIN-HARVEST gap analysis: which tables contain the attack telemetry?
// Run each query  non-zero results confirm the DATA exists even if no RULE fires
SigninLogs | where TimeGenerated > ago(1d) | summarize Count = count() | project Table = "SigninLogs", Count
| union (EmailEvents | where TimeGenerated > ago(1d) | summarize Count = count() | project Table = "EmailEvents", Count)
| union (OfficeActivity | where TimeGenerated > ago(1d) | summarize Count = count() | project Table = "OfficeActivity", Count)
| union (DeviceLogonEvents | where TimeGenerated > ago(1d) | summarize Count = count() | project Table = "DeviceLogonEvents", Count)
// If all tables return data: the TELEMETRY for CHAIN-HARVEST detection exists.
// The gap is not data  it is RULES.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of Detection Engineering

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← DE0.1 The Detection Coverage Illusion DE0.3 CHAIN-MESH: Ransomware Across the SD-WAN →