Analyze Suspicious Email for BEC Indicators

IR Analyst

Examine suspicious email headers, validate authentication results (SPF/DKIM/DMARC), identify lookalike domains, and search for similar emails sent to other users in the organization.

Actions

  1. Extract and analyze full email headers: check Received headers for origin, Authentication-Results for SPF/DKIM/DMARC pass/fail, and X-Originating-IP for sender location.
  2. Check the sender domain for typosquatting/lookalike indicators: character substitution (rn→m, l→1), added/removed characters, different TLD (.com vs .co). Use whois to check the domain registration date.
  3. Search for similar emails sent to other recipients: `Get-MessageTrace -SenderAddress SENDER_ADDRESS -StartDate T_START -EndDate T_END | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status`.
  4. Check whether any links in the email lead to credential-harvesting pages. Analyze URLs in a sandboxed environment.
  5. Search for reply-chain hijacking: check whether the email thread was legitimate and at what point the attacker injected themselves into the conversation.
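The header and domain checks of steps 1 and 2, worked through in code as an added example that is not part of this playbook. It parses a constructed raw message with Python's standard `email` module, pulls the SPF/DKIM/DMARC results out of Authentication-Results, lists the IPs from each Received hop (oldest first) and X-Originating-IP, compares the From domain against a trusted list for homoglyph substitution, single-character edits and TLD swaps, and flags a Reply-To that points outside the From domain. The sample message, the trusted domains, the IPs and the small homoglyph table are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every name, host, IP and address below is invented.
SAMPLE_RAW = """\
Received: from mail.exarnple-corp.com (mail.exarnple-corp.com [203.0.113.77])
\tby mx.example.org with ESMTPS id abc123
\tfor <cfo@example.org>; Mon, 3 Jun 2024 09:12:01 +0000
Received: from [10.0.0.5] (unknown [198.51.100.23])
\tby mail.exarnple-corp.com with ESMTPA id def456; Mon, 3 Jun 2024 09:11:58 +0000
Authentication-Results: mx.example.org;
\tspf=pass smtp.mailfrom=exarnple-corp.com;
\tdkim=none;
\tdmarc=fail header.from=exarnple-corp.com
X-Originating-IP: [198.51.100.23]
From: "Jane Doe" <jane.doe@exarnple-corp.com>
Reply-To: jane.doe.ceo@webmail-example.net
To: cfo@example.org
Subject: Urgent wire transfer
Message-ID: <m1@exarnple-corp.com>

Please process the attached invoice today.
"""

# Assumed homoglyph table; multi-character entries come first so "rn" folds before "1"/"0".
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o"}
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.IGNORECASE):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def received_chain(msg):
    """Received headers are prepended by each hop, so reversing gives the path oldest-first."""
    return [IP_IN_BRACKETS.findall(hdr) for hdr in reversed(msg.get_all("Received", []))]


def originating_ip(msg):
    """X-Originating-IP is usually written as [a.b.c.d]; return the bare address or None."""
    value = msg.get("X-Originating-IP")
    return value.strip().strip("[]") if value else None


def normalize(label):
    """Fold common look-alike character sequences so 'exarnple' and 'examp1e' both become 'example'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance; distance 1 means one added, removed or changed character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_verdict(domain, trusted_domains):
    """Return (reason, trusted_domain) if domain imitates a trusted one, else None.
    The TLD split is naive (rpartition on the last dot), so multi-part suffixes such as
    .co.uk would need a public-suffix list in real use."""
    domain = domain.lower()
    label, _, tld = domain.rpartition(".")
    for trusted in trusted_domains:
        trusted = trusted.lower()
        if domain == trusted:
            return None  # exact match: a legitimate sender domain
        t_label, _, t_tld = trusted.rpartition(".")
        if label == t_label and tld != t_tld:
            return ("different TLD", trusted)
        if normalize(label) == normalize(t_label):
            return ("homoglyph substitution", trusted)
        if levenshtein(label, t_label) <= 1:
            return ("added/removed/changed character", trusted)
    return None


def triage(raw, trusted_domains):
    """Run the step 1 and step 2 checks on one raw message and return a report dict."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    findings = []
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} is {auth.get(mech, 'missing')}")
    verdict = lookalike_verdict(from_domain, trusted_domains)
    if verdict:
        findings.append(f"From domain {from_domain} resembles {verdict[1]}: {verdict[0]}")
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} points outside the From domain")
    return {"from": from_addr, "reply_to": reply_to, "auth": auth,
            "hops": received_chain(msg), "originating_ip": originating_ip(msg),
            "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_RAW, ["example-corp.com", "example.org"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed `triage` the raw source of the message (Outlook's "View message source" or the `.eml` file) and your organization's own domains plus key partners as `trusted_domains`; the `findings` list is what goes into the ticket, and the `hops` and `originating_ip` values are what you pivot on in the Queries below.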

Queries

EmailEvents
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where SenderFromDomain has_any (SUSPICIOUS_DOMAINS)
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, AuthenticationDetails
| order by Timestamp asc

EmailUrlInfo
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where Url has_any (SUSPICIOUS_DOMAINS)
| join EmailEvents on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, Url, UrlDomain

OfficeActivity
| where TimeGenerated between (datetime(T_START) .. datetime(T_END))
| where Operation == "MailItemsAccessed" or Operation == "SendAs" or Operation == "SendOnBehalf"
| where UserId in~ (COMPROMISED_ACCOUNTS)
| project TimeGenerated, UserId, Operation, ClientIP

Notes

  • BEC attacks often use conversation hijacking where the attacker compromises an account and replies to existing email threads. The emails appear legitimate because they come from a real, compromised account.
  • Check the Reply-To header: BEC actors often set Reply-To to an external address different from the visible From address.
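Step 5 and the two notes above, worked through as an added example that is not part of this playbook. It takes the per-message header fields you would extract from each message in a thread (Message-ID, In-Reply-To, Date, From, Reply-To and the DMARC verdict), sorts them by Date, and reports the first message that introduces a hijack indicator: a Reply-To steered outside the sender's domain, a failing DMARC result, or an In-Reply-To that references a message which never appeared in the thread. The thread itself, every address, message id and timestamp are constructed for the example; in the constructed data a real vendor account has been compromised partway through, so its messages still pass DMARC and only the Reply-To gives it away.

```python
from datetime import datetime

# Constructed thread, oldest first. All ids, addresses and dates are invented.
THREAD = [
    {"id": "<t1@example.org>", "in_reply_to": None, "date": "2024-06-01T08:00:00",
     "from": "cfo@example.org", "reply_to": "", "dmarc": "pass"},
    {"id": "<t2@vendor.test>", "in_reply_to": "<t1@example.org>", "date": "2024-06-01T09:30:00",
     "from": "ap@vendor.test", "reply_to": "", "dmarc": "pass"},
    {"id": "<t3@example.org>", "in_reply_to": "<t2@vendor.test>", "date": "2024-06-02T10:15:00",
     "from": "cfo@example.org", "reply_to": "", "dmarc": "pass"},
    # From here the vendor mailbox is assumed compromised: same address, DMARC still passes,
    # but the attacker redirects replies to an external mailbox.
    {"id": "<t4@vendor.test>", "in_reply_to": "<t3@example.org>", "date": "2024-06-03T07:45:00",
     "from": "ap@vendor.test", "reply_to": "ap.vendor@webmail-example.net", "dmarc": "pass"},
    # A follow-up from a look-alike domain that fails DMARC and replies to a message not in the thread.
    {"id": "<t5@vendor-test.co>", "in_reply_to": "<t9@nowhere.test>", "date": "2024-06-03T11:00:00",
     "from": "ap@vendor-test.co", "reply_to": "", "dmarc": "fail"},
]


def domain_of(addr):
    """Domain part of an address, lower-cased; empty string for an empty address."""
    return addr.rpartition("@")[2].lower()


def message_indicators(msg, seen_ids):
    """Indicators introduced by one message, given the ids already seen earlier in the thread."""
    indicators = []
    if msg["reply_to"] and domain_of(msg["reply_to"]) != domain_of(msg["from"]):
        indicators.append("reply-to redirected outside the sender's domain")
    if msg["dmarc"] != "pass":
        indicators.append(f"dmarc={msg['dmarc']}")
    if msg["in_reply_to"] and msg["in_reply_to"] not in seen_ids:
        indicators.append("In-Reply-To references a message not in this thread")
    return indicators


def find_injection_point(thread):
    """Walk the thread in Date order; return (id of first flagged message or None, full timeline).
    The timeline is a list of (message id, indicators) so the analyst sees the clean run-up
    as well as everything after the injection."""
    ordered = sorted(thread, key=lambda m: datetime.fromisoformat(m["date"]))
    seen_ids = set()
    timeline = []
    injection = None
    for msg in ordered:
        indicators = message_indicators(msg, seen_ids)
        timeline.append((msg["id"], indicators))
        if indicators and injection is None:
            injection = msg["id"]
        seen_ids.add(msg["id"])
    return injection, timeline


if __name__ == "__main__":
    injection, timeline = find_injection_point(THREAD)
    print("injection point:", injection)
    for msg_id, indicators in timeline:
        print(msg_id, indicators or "clean")
```

Everything before the returned injection point is the legitimate part of the conversation and everything from it onward is suspect, which is the boundary you need when deciding which messages (and which recipients) to pull with `Get-MessageTrace` and the EmailEvents query. Because the attacker in the constructed thread uses a real, compromised account, the DMARC check alone would never flag message t4; the Reply-To comparison is what catches it.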