Business Email Compromise

Targeted attack leveraging compromised or spoofed executive email accounts to authorize fraudulent transactions or redirect sensitive communications.

Triage

5 procedures

Bound the Investigation Timeframe

Identify Patient Zero (First Compromised System)

Analyze Suspicious Email for BEC Indicators

Phishing Email Triage and Indicator Extraction

Validate the Initial Access Vector

Containment

3 procedures

Credential and Account Lockdown

Revoke Cloud Sessions and Tokens

Phishing Containment: Block, Quarantine, Purge

Sponsored

Preservation

5 procedures

Volatile Memory Capture

Log Preservation and Snapshot

Preserve Phishing Email Evidence

Document Chain of Custody for All Collected Evidence

Cloud Tenant Configuration Snapshot

Collection

7 procedures

Phishing Artifact Collection: Headers, URLs, Attachments

EDR Telemetry Collection

M365 Unified Audit Log Collection

Collect DLP Policy Alerts and Hits

Azure AD Sign-In and Audit Log Collection

Identify Alternative Evidence When Primary Logs Are Missing

Coordinate Log Collection from Third-Party Vendors

Analysis

4 procedures

Lateral Movement Analysis and Mapping

Phishing Campaign Scope and Credential Exposure

Detect OAuth and Consent Phishing Abuse

Investigate Mailbox Rule Modifications

Eradication

3 procedures

Eradication Verification Checklist

Phishing Remediation: Purge, Reset, Revoke

Post-Incident Configuration Hardening

Recovery

1 procedure

Phased Service Restoration with Enhanced Monitoring

Post-Incident Review

5 procedures

Create New Detection Rules Based on Incident Findings

Generate Comprehensive Incident Report

Review Cloud Hardening Gaps After Identity Compromise

Review Data Disclosure and Notification Decision Evidence

Conduct Lessons Learned Review Session