📧 Business Email Compromise
Targeted attack leveraging compromised or spoofed executive email accounts to authorize fraudulent transactions or redirect sensitive communications.
31 runbook nodes, 8 lifecycle stages covered
Triage (5 nodes)
Bound the Investigation Timeframe
P1 - Timeframe Bounding
30min
Identify Patient Zero (First Compromised System)
P1 - Patient Zero
60min
Analyze Suspicious Email for BEC Indicators
P1 - BEC Email Analysis
45min
Phishing Email Triage and Indicator Extraction
P1 - Phishing Triage
30min
Validate the Initial Access Vector
P2 - Access Validation
45min
Containment (3 nodes)
Preservation (5 nodes)
Volatile Memory Capture
P1 - Memory Capture
60min
Log Preservation and Snapshot
P1 - Log Snapshot
45min
Preserve Phishing Email Evidence
P1 - Phishing Email Preservation
45min
Document Chain of Custody for All Collected Evidence
P2 - Chain of Custody
30min
Cloud Tenant Configuration Snapshot
P2 - Cloud Tenant Snapshot
60min
Collection (7 nodes)
Phishing Artifact Collection: Headers, URLs, Attachments
P1 - Phishing Artifact Collection
60min
EDR Telemetry Collection
P2 - EDR Collection
120min
M365 Unified Audit Log Collection
P2 - M365 UAL Collection
90min
Collect DLP Policy Alerts and Hits
P2 - DLP Alerts
45min
Azure AD Sign-In and Audit Log Collection
P2 - Azure AD Logs
60min
Identify Alternative Evidence When Primary Logs Are Missing
P2 - Missing Log Fallback
60min
Coordinate Log Collection from Third-Party Vendors
P3 - Third-Party Logs
120min