13.6 Wave 1: Post-Compromise Activity
2–3 hours · Module 13
Post-Compromise Activity
The attacker had 25 minutes of access to j.morrison’s account. You need to determine everything they did during that window. The standard post-compromise checklist has six items: inbox rules, mail forwarding, OAuth grants, email access, file access, and lateral phishing.
Check 1: Inbox rules
Attackers create inbox rules to hide evidence — deleting or redirecting emails that contain keywords like “security”, “password reset”, “unusual sign-in.”
1
2
3
4
5
6
7
| CloudAppEvents
| where TimeGenerated between (datetime(2026-02-27T09:00:00Z) .. datetime(2026-02-27T10:00:00Z))
| where AccountDisplayName has "morrison"
| where ActionType in ("New-InboxRule", "Set-InboxRule", "Enable-InboxRule")
| extend Parameters = tostring(RawEventData.Parameters)
| project TimeGenerated, ActionType, Parameters, IPAddress, City
| sort by TimeGenerated asc
|
Result: One new inbox rule created at 09:25 from the attacker IP (203.0.113.45):
- Rule name: “Security notifications”
- Condition: Subject or body contains “security” OR “password” OR “unusual” OR “sign-in” OR “compromised”
- Action: Move to Deleted Items
This rule actively hinders your investigationWhile this rule is active, any password reset confirmation, security alert, or "unusual sign-in detected" notification is automatically moved to Deleted Items. The user never sees the warnings about their compromised account. This is why inbox rule checks must happen before user notification — if you send the user an email saying "your account was compromised", the inbox rule deletes it.
Check 2: Mail forwarding
1
2
3
4
5
6
| CloudAppEvents
| where TimeGenerated between (datetime(2026-02-27T09:00:00Z) .. datetime(2026-02-27T10:00:00Z))
| where AccountDisplayName has "morrison"
| where ActionType == "Set-Mailbox"
| where tostring(RawEventData.Parameters) has_any ("ForwardingSmtpAddress", "ForwardingAddress", "DeliverToMailboxAndForward")
| project TimeGenerated, ActionType, tostring(RawEventData.Parameters), IPAddress
|
Result: No forwarding rules configured. The attacker used inbox rules (intra-mailbox) rather than forwarding (external). This is increasingly common — forwarding to external addresses is a well-known detection signal, so sophisticated attackers avoid it.
Check 3: OAuth application grants
1
2
3
4
5
| AuditLogs
| where TimeGenerated between (datetime(2026-02-27T09:00:00Z) .. datetime(2026-02-27T10:00:00Z))
| where OperationName has_any ("Consent to application", "Add app role assignment", "Add OAuth2PermissionGrant")
| where InitiatedBy has "morrison"
| project TimeGenerated, OperationName, tostring(TargetResources), tostring(AdditionalDetails)
|
Result: No OAuth consents. The attacker did not attempt consent phishing as a persistence mechanism. This technique is covered in Module 15.
Check 4: Email access (MailItemsAccessed)
1
2
3
4
5
6
7
| OfficeActivity
| where TimeGenerated between (datetime(2026-02-27T09:00:00Z) .. datetime(2026-02-27T10:00:00Z))
| where UserId =~ "j.morrison@northgateeng.com"
| where Operation == "MailItemsAccessed"
| where ClientIPAddress == "203.0.113.45"
| project TimeGenerated, Operation, tostring(AffectedItems), ClientIPAddress
| sort by TimeGenerated asc
|
Result: 34 email items accessed between 09:25 and 09:42. Examining the subjects reveals a clear pattern — the attacker searched for financial keywords:
| Time | Emails accessed | Focus |
|---|
| 09:25-09:30 | 8 | Recent inbox items (scanning most recent) |
| 09:30-09:35 | 12 | Emails containing “invoice” or “payment” |
| 09:35-09:40 | 9 | Emails from vendor domains |
| 09:40-09:42 | 5 | Emails containing “wire” or “transfer” |
This is financial reconnaissance for BECThe attacker is not randomly reading emails. They are systematically searching for financial processes: who handles payments, which vendors are expected, what invoice formats look like, when payments are due. This intelligence would be used to craft a convincing BEC fraud email — impersonating a vendor with a changed bank account, or impersonating the CFO requesting an urgent wire transfer. You caught the reconnaissance phase before the fraud was executed.
Check 5: SharePoint/OneDrive access
1
2
3
4
5
6
| OfficeActivity
| where TimeGenerated between (datetime(2026-02-27T09:00:00Z) .. datetime(2026-02-27T10:00:00Z))
| where UserId =~ "j.morrison@northgateeng.com"
| where ClientIP == "203.0.113.45"
| where Operation in ("FileAccessed", "FileDownloaded", "FileModified", "FilePreviewed")
| project TimeGenerated, Operation, SourceFileName, SiteUrl
|
Result: No file access. The attacker focused exclusively on email.
Check 6: Lateral phishing
1
2
3
4
| EmailEvents
| where TimeGenerated between (datetime(2026-02-27T09:00:00Z) .. datetime(2026-02-27T10:00:00Z))
| where SenderFromAddress =~ "j.morrison@northgateeng.com"
| project TimeGenerated, RecipientEmailAddress, Subject, DeliveryAction
|
Result: No emails sent from the compromised account during the attack window. The attacker was in reconnaissance mode — not yet acting on collected intelligence.
Post-compromise summary
| Check | Result | Action required |
|---|
| Inbox rules | 1 malicious rule found | Remove immediately |
| Mail forwarding | Clean | None |
| OAuth grants | Clean | None |
| Email access | 34 financial emails read | Assess for regulatory notification |
| File access | Clean | None |
| Lateral phishing | Clean | None |
Check your understanding
1. The attacker created an inbox rule but not a forwarding rule. Why might they prefer inbox rules?
Inbox rules are harder to create
Inbox rules process faster
Forwarding to external addresses is a well-known detection signal with established alerting. Inbox rules that delete or move emails within the mailbox are harder to detect and serve the attacker's primary goal — hiding evidence of compromise from the user.
Forwarding rules trigger specific alerts in many security tools and are visible to users via Outlook notifications. Inbox rules that move emails to Deleted Items or mark them as read are subtler — the user does not see a forwarding notification, and the emails simply disappear from their inbox.
2. The attacker accessed 34 emails focused on financial processes. What type of follow-on attack were they preparing?
Business email compromise (BEC) — using gathered financial intelligence to craft a convincing fraud email targeting the organisation's payment processes
Ransomware deployment
Data exfiltration for sale on the dark web
Financial reconnaissance is the hallmark of BEC preparation. The attacker gathers intelligence on payment workflows, vendor relationships, and invoice formats. They then impersonate a known vendor or internal executive to redirect a payment to an attacker-controlled account. This follow-on attack is covered in Module 14.
