📧

Business Email Compromise

Targeted attack leveraging compromised or spoofed executive email accounts to authorize fraudulent transactions or redirect sensitive communications.

31 runbook nodes8 lifecycle stages covered

Triage

(5 nodes)

Bound the Investigation Timeframe

P1

Timeframe Bounding

30min
View node

Identify Patient Zero (First Compromised System)

P1

Patient Zero

60min
View node

Analyze Suspicious Email for BEC Indicators

P1

BEC Email Analysis

45min
View node

Phishing Email Triage and Indicator Extraction

P1

Phishing Triage

30min
View node

Validate the Initial Access Vector

P2

Access Validation

45min
View node

Containment

(3 nodes)

Credential and Account Lockdown

P1

Account Lockdown

45min
View node

Revoke Cloud Sessions and Tokens

P1

Revoke Cloud Sessions

30min
View node

Phishing Containment: Block, Quarantine, Purge

P1

Phishing Quarantine

45min
View node

Preservation

(5 nodes)

Volatile Memory Capture

P1

Memory Capture

60min
View node

Log Preservation and Snapshot

P1

Log Snapshot

45min
View node

Preserve Phishing Email Evidence

P1

Phishing Email Preservation

45min
View node

Document Chain of Custody for All Collected Evidence

P2

Chain of Custody

30min
View node

Cloud Tenant Configuration Snapshot

P2

Cloud Tenant Snapshot

60min
View node

Collection

(7 nodes)

Phishing Artifact Collection: Headers, URLs, Attachments

P1

Phishing Artifact Collection

60min
View node

EDR Telemetry Collection

P2

EDR Collection

120min
View node

M365 Unified Audit Log Collection

P2

M365 UAL Collection

90min
View node

Collect DLP Policy Alerts and Hits

P2

DLP Alerts

45min
View node

Azure AD Sign-In and Audit Log Collection

P2

Azure AD Logs

60min
View node

Identify Alternative Evidence When Primary Logs Are Missing

P2

Missing Log Fallback

60min
View node

Coordinate Log Collection from Third-Party Vendors

P3

Third-Party Logs

120min
View node

Analysis

(4 nodes)

Lateral Movement Analysis and Mapping

P1

Lateral Movement

120min
View node

Phishing Campaign Scope and Credential Exposure

P1

Phishing Campaign Analysis

90min
View node

Detect OAuth and Consent Phishing Abuse

P2

OAuth Abuse

60min
View node

Investigate Mailbox Rule Modifications

P2

Inbox Rules

45min
View node

Eradication

(3 nodes)

Eradication Verification Checklist

P1

Eradication Verification

90min
View node

Phishing Remediation: Purge, Reset, Revoke

P1

Phishing Remediation

60min
View node

Post-Incident Configuration Hardening

P2

Config Hardening

180min
View node

Recovery

(1 node)

Phased Service Restoration with Enhanced Monitoring

P2

Service Restoration

120min
View node

Post-Incident Review

(3 nodes)

Create New Detection Rules Based on Incident Findings

P2

Detection Improvement

90min
View node

Generate Comprehensive Incident Report

P2

Incident Report

180min
View node

Conduct Lessons Learned Review Session

P3

Lessons Learned

120min
View node