๐ง Business Email Compromise Investigation Assessment
Assessment template for business email compromise incidents covering email analysis, financial transaction freezing, and cloud session revocation. Includes BEC-specific checkpoints for impersonation technique analysis and urgent financial containment alongside universal investigation checkpoints.
Triage
0/4Confirm that the investigation window has been defined with clear T-start (earliest known indicator) and T-end boundaries. The timeframe should include a safety buffer of at least 48 hours before the first detected IOC to account for pre-compromise reconnaissance.
Verify that the initially compromised system, account, or entry point has been identified and documented. Patient zero determination should be supported by corroborating evidence from multiple log sources such as EDR, authentication logs, and email gateway records.
Ensure the incident has been assigned a severity level based on observed impact, affected asset criticality, and potential data exposure. The classification should follow the organization's incident severity matrix and be reflected in all communications and ticket metadata.
Confirm that the business email compromise message has been analyzed for impersonation technique (display name spoofing, domain lookalike, compromised account), urgency indicators, and requested actions. Header analysis should identify the true sender infrastructure and any reply-to redirection.
Containment
0/5Confirm that all systems identified as compromised have been isolated from the network. Isolation should be verified through network-level controls (VLAN segmentation, firewall rules, or EDR network quarantine) rather than simply disabling accounts on the host.
Verify that all accounts known or suspected to be compromised have been disabled or had their credentials forcibly rotated. This includes service accounts, shared accounts, and any accounts with elevated privileges that the attacker may have accessed.
Assess whether the containment boundary is comprehensive enough to cover all known attacker footholds. Review lateral movement evidence, C2 communication logs, and authentication patterns to confirm no alternate access paths remain outside the containment perimeter.
Verify that all financial transactions initiated as a result of the BEC attack have been identified and frozen or reversed where possible. Coordination with the finance department and banking partners should be immediate to maximize the chance of fund recovery.
Confirm that all active cloud sessions and refresh tokens for compromised accounts have been revoked, not just passwords reset. Verify revocation in Azure AD, Google Workspace, or the relevant identity provider by confirming no active sessions remain.
Preservation
0/3Confirm that volatile memory (RAM) has been captured from all key compromised systems before any reboot or remediation action. Memory dumps should be acquired using forensically-sound tools and stored with proper chain of custody documentation.
Verify that all critical log sources have been snapshotted or exported to a tamper-proof location. This includes SIEM data, Windows Event Logs, authentication logs, email gateway logs, and cloud audit trails that fall within the investigation timeframe.
Ensure that a formal chain of custody record exists for every piece of evidence collected. Each record must include the evidence hash, collector identity, collection timestamp, storage location, and any transfers between custodians.
Collection
0/2Confirm that endpoint detection and response telemetry has been collected from all in-scope systems for the investigation timeframe. Telemetry should include process execution trees, file modifications, network connections, and registry changes.
Validate that evidence has been gathered from every relevant log source including EDR, SIEM, cloud audit logs, email gateway, proxy, DNS, VPN, and authentication systems. Cross-reference the log source inventory against the incident scope to identify any gaps.
Analysis
0/2Verify that all lateral movement activity has been identified and mapped across the environment. Analysis should cover RDP sessions, SMB connections, WMI/PSRemoting, pass-the-hash/pass-the-ticket activity, and any anomalous authentication patterns between systems.
Confirm that the root cause of the incident has been identified, including the initial attack vector, any exploited vulnerabilities, and the conditions that allowed the compromise to succeed. The root cause should be documented with supporting evidence from forensic analysis.
Eradication
0/3Confirm that all attacker-deployed malware, scripts, remote access tools, and utilities have been identified and removed from every affected system. Removal should be validated through post-remediation scans and manual verification of common persistence locations.
Verify that all attacker persistence mechanisms have been identified and removed. This includes scheduled tasks, registry run keys, startup folder entries, WMI subscriptions, service installations, DLL hijacks, and any modified Group Policy Objects.
Ensure that all credentials known or suspected to be compromised have been reset, including user passwords, service account passwords, API keys, certificates, and Kerberos tickets. The KRBTGT account should be reset twice if domain compromise is suspected.
Recovery
0/2Confirm that compromised systems have been rebuilt from known-clean images or installation media rather than simply cleaned in place. The rebuild process should include verifying the integrity of the baseline image and applying all current security patches before reconnecting to the network.
Verify that business services have been restored in a controlled, phased manner with validation at each step. Service restoration should include functional testing, security monitoring confirmation, and a defined rollback plan if anomalous activity is detected post-restoration.
Post-Incident Review
0/2Confirm that a formal lessons-learned review has been conducted with all participating teams. The review should document what worked well, what failed, timeline gaps, tooling shortcomings, and specific improvement actions with assigned owners and deadlines.
Verify that detection rules, SIEM correlations, and EDR policies have been updated based on the TTPs observed during the incident. New detections should cover the initial access vector, lateral movement techniques, and any persistence mechanisms used by the attacker.