Triage | P1 | ~45 min

Analyze Suspicious Email for BEC Indicators

Examine suspicious email headers, validate authentication results (SPF/DKIM/DMARC), identify lookalike domains, and search for similar emails sent to other users in the organization.

Actions

1. Extract and analyze the full email headers: check the Received headers for the true origin, Authentication-Results for SPF/DKIM/DMARC pass/fail, and X-Originating-IP for the sender's location.

2. Check the sender domain for typosquatting/lookalike indicators: character substitution (rn→m, l→1), added/removed characters, different TLD (.com vs .co). Use whois to check the domain registration date.

3. Search for similar emails sent to other recipients: `Get-MessageTrace -SenderAddress <PHISHING_SENDER> -StartDate T_START -EndDate T_END | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status`.

4. Check whether any links in the email lead to credential-harvesting pages. Analyze URLs in a sandboxed environment.

5. Search for reply-chain hijacking: check whether the email thread was legitimate and at what point the attacker injected themselves into the conversation.

Queries

EmailEvents
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where SenderFromDomain has_any (SUSPICIOUS_DOMAINS)
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, AuthenticationDetails
| order by Timestamp asc

EmailUrlInfo
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where Url has_any (SUSPICIOUS_DOMAINS)
| join kind=inner EmailEvents on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, Url, UrlDomain

OfficeActivity
| where TimeGenerated between (datetime(T_START) .. datetime(T_END))
| where Operation == "MailItemsAccessed" or Operation == "SendAs" or Operation == "SendOnBehalf"
| where UserId in~ (COMPROMISED_ACCOUNTS)
| project TimeGenerated, UserId, Operation, ClientIP

index=email sourcetype=proofpoint:pps (sender="<PHISHING_SENDER>" OR sender_domain="<SUSPICIOUS_DOMAIN>") action=delivered
| stats count by recipient, subject, sender, action
| sort -count

index=o365 sourcetype=o365:management:activity (Operation="MailItemsAccessed" OR Operation="SendAs" OR Operation="SendOnBehalf") UserId="<COMPROMISED_USER>"
| stats count by UserId, Operation, ClientIP
| sort -count

Notes

BEC attacks often use conversation hijacking where the attacker compromises an account and replies to existing email threads. The emails appear legitimate because they come from a real, compromised account.

Check the Reply-To header -- BEC actors often set Reply-To to an external address different from the visible From address.
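As an added example (not part of the original playbook), the following Python script performs the header checks from actions 1 and 2 and the Reply-To check above on a constructed sample message: it parses the SPF/DKIM/DMARC verdicts out of Authentication-Results, flags a Reply-To domain that differs from the From domain, and compares the sender domain against an assumed list of trusted domains using the rn→m / l→1 style substitutions plus a one-character edit distance, which also catches a swapped TLD. The sample message, TRUSTED_DOMAINS and SUBSTITUTIONS are constructed assumptions, not values from the page.

```python
import email.utils
import re
from email import policy

# Constructed sample (not from the page): lookalike sender domain, SPF/DMARC failing, external Reply-To.
RAW_EMAIL = b"""Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=exarnple-corp.com;
  dkim=none; dmarc=fail header.from=exarnple-corp.com
From: "CFO" <cfo@exarnple-corp.com>
Reply-To: cfo.urgent@outlook-mail.example
"""
TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the organisation's real partner domains
SUBSTITUTIONS = {"rn": "m", "vv": "w", "1": "l", "0": "o"}  # visual swaps seen in lookalikes

def domain_of(msg, header):  # lower-cased domain of the first address in `header`, '' if absent
    return email.utils.parseaddr(str(msg.get(header, "")))[1].rpartition("@")[2].lower()

def auth_results(msg):  # e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}
    value = str(msg.get("Authentication-Results", "")).lower()
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))

def edit_distance(a, b):  # Levenshtein; 1 = one inserted, deleted or replaced character
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(label):  # collapse substitutions so 'exarnple' compares equal to 'example'
    for fake, real in SUBSTITUTIONS.items():
        label = label.replace(fake, real)
    return label

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):  # trusted domain imitated by `domain`, else None
    domain = domain.lower()
    if domain in trusted:
        return None
    name = domain.rpartition(".")[0]  # compare without the TLD so example-corp.co is caught too
    for good in trusted:
        gname = good.rpartition(".")[0]
        if normalize(name) == normalize(gname) or edit_distance(name, gname) == 1:
            return good
    return None

def triage(raw):  # header-level BEC indicators for one raw RFC 5322 message
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth, from_dom, reply_dom = auth_results(msg), domain_of(msg, "From"), domain_of(msg, "Reply-To")
    return {"auth_failed": any(auth.get(k) != "pass" for k in ("spf", "dkim", "dmarc")),
            "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
            "lookalike_of": lookalike_of(from_dom)}
```

Run `triage(RAW_EMAIL)` on the sample to get all three indicators raised; feed it the raw `.eml` bytes of a real suspect message to triage that instead.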
