// case type

business email compromise (BEC)

vendor impersonation · payroll redirect · wire fraud · spoofed reply chains. evidence is almost always email headers, mailbox rules, and login telemetry.

tools: 17 · priority: H · processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. email header analyzer: paste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
  2. email thread reconstructor: drop multiple .eml files · Message-ID / References / In-Reply-To tree · missing parent flags · flat timeline · CSV export · runs locally
  3. .eml / .msg email header chain analyzer: drop eml or msg email file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
  4. email spoofing and SPF/DKIM/DMARC header validator: paste raw email headers or drop eml file · validate authentication headers · detect spoofing indicators · surface spf, dkim and dmarc results · identify header inconsistencies indicating spoofed or forged email · runs locally
  5. received header hop analyzer: paste raw email headers or drop eml · parse all received headers · reconstruct smtp routing path hop by hop · compute per-hop timing · surface anomalous delays, private ips and inconsistent hostnames · runs locally
  6. mailer and email client fingerprint identifier: drop eml files or paste headers · identify the email client or service that sent the message · detect inconsistencies between claimed and actual mailer · surface forged x-mailer headers and mailer fingerprint mismatches · runs locally
  7. email impersonation pattern detector: drop multiple eml files or paste headers · detect display name spoofing, domain lookalikes and reply-to hijacking · identify impersonation patterns targeting specific individuals or organizations · surface BEC and CEO fraud indicators · runs locally
  8. mail rule parser: drop Outlook rules.dat or Thunderbird msgFilterRules.dat · rule names, conditions, actions · flag suspicious forward / redirect · CSV export · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. phishing email header analyzer: paste email headers · trace delivery hop chain · flag SPF · DKIM · DMARC mismatches · extract sender IPs · detect header injection · identify spoofing · runs locally
  2. dkim verifier: paste raw email and DKIM public key · relaxed canonicalization · body bh hash · WebCrypto RSA verify · step-by-step results · runs locally
  3. url redirect chain tracer: paste shortened URLs · trace full redirect chain via proxy · detect malicious redirects · show final destination · flag suspicious hops · runs locally
  4. domain reputation analyzer: paste domains or IPs · score by entropy · TLD risk · homoglyph detection · DGA patterns · punycode abuse · age heuristics · no external lookup · runs locally
  5. o365 audit log parser: unified audit log json · timeline · suspicious · users · ips · mailbox · inbox rules · csv export · runs locally
  6. office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
  7. okta log analyzer: okta system log json · timeline · suspicious · mfa fatigue · tor/proxy · users · ips · policy · csv export · runs locally
  8. ioc extractor: drop any file or paste text · extract indicators of compromise · ips · domains · urls · hashes · emails · cves · export stix · csv · runs locally
  9. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • BEC triage kit

    5 steps

    drop the suspect .eml(s) → extract headers → pull IOCs → triage → draft case report

    1. evidence-manifest-generator: hash every input file so chain-of-custody is preserved
    2. email-header-analyzer: parse Received: chain + SPF/DKIM/DMARC results
    3. ioc-extractor: extract URLs, domains, IPs from the message bodies + headers
    4. ioc-bulk-validator-and-triage: score each IOC — surface high-severity items
    5. case-report-generator: draft a markdown report; edit before sending up the chain
// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.