// case comparison

phishing vs BEC

both start in the inbox — but phishing is org-wide lure infrastructure and IOC pivoting; BEC is targeted impersonation for wire fraud or payroll redirect.

primary tools · side by side

ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.

case a

phishing campaign investigation

scope a campaign across a victim org — IOC extraction, kit fingerprinting, infrastructure pivoting.

  1. phishing email header analyzer: paste email headers · trace delivery hop chain · flag SPF · DKIM · DMARC mismatches · extract sender IPs · detect header injection · identify spoofing · runs locally
  2. phishing URL extractor from email body: drop eml files or paste email body html · extract all urls from email body and headers · decode obfuscated and redirected urls · surface phishing indicators and malicious link patterns · runs locally
  3. email attachment scanner: drop .eml or .msg · extract every attachment · check MIME type vs actual content · flag macro-enabled docs · executables disguised as other formats · export inventory · runs locally
  4. url redirect chain tracer: paste shortened URLs · trace full redirect chain via proxy · detect malicious redirects · show final destination · flag suspicious hops · runs locally
  5. domain reputation analyzer: paste domains or IPs · score by entropy · TLD risk · homoglyph detection · DGA patterns · punycode abuse · age heuristics · no external lookup · runs locally
  6. ioc extractor: drop any file or paste text · extract indicators of compromise · ips · domains · urls · hashes · emails · cves · export stix · csv · runs locally
  7. ioc deduplicator and normalizer: drop multiple ioc lists from any format · deduplicate · normalize · classify by type · validate format · enrich with context · export in stix, csv and plain text formats · runs locally
  8. javascript deobfuscator: paste obfuscated javascript · packed js · fromcharcode · atob · hex unicode · beautify · html script extract · iocs · runs locally

case b

business email compromise (BEC)

vendor impersonation · payroll redirect · wire fraud · spoofed reply chains. evidence is almost always email headers, mailbox rules, and login telemetry.

  1. email header analyzer: paste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
  2. email thread reconstructor: drop multiple .eml files · Message-ID / References / In-Reply-To tree · missing-parent flags · flat timeline · CSV export · runs locally
  3. .eml / .msg email header chain analyzer: drop eml or msg email file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
  4. email spoofing and SPF/DKIM/DMARC header validator: paste raw email headers or drop eml file · validate authentication headers · detect spoofing indicators · surface spf, dkim and dmarc results · identify header inconsistencies indicating spoofed or forged email · runs locally
  5. received header hop analyzer: paste raw email headers or drop eml · parse all received headers · reconstruct smtp routing path hop by hop · compute per-hop timing · surface anomalous delays, private ips and inconsistent hostnames · runs locally
  6. mailer and email client fingerprint identifier: drop eml files or paste headers · identify the email client or service that sent the message · detect inconsistencies between claimed and actual mailer · surface forged x-mailer headers and mailer fingerprint mismatches · runs locally
  7. email impersonation pattern detector: drop multiple eml files or paste headers · detect display name spoofing, domain lookalikes and reply-to hijacking · identify impersonation patterns targeting specific individuals or organizations · surface BEC and CEO fraud indicators · runs locally
  8. mail rule parser: drop Outlook rules.dat or Thunderbird msgFilterRules.dat · rule names, conditions, actions · flag suspicious forward / redirect · CSV export · runs locally

editorial overlap

lean toward…

disambiguation signals derived from case-type descriptions and common practitioner confusion points.

lean toward phishing if you see…

  • multiple users hit by the same lure URL, kit, or redirect chain in a short window
  • campaign IOC extraction: shared domains, redirect chains, or kit fingerprints across messages
  • credential-harvest landing page — not a single vendor wire-fraud thread

lean toward BEC if you see…

  • single executive or AP thread with display-name spoof and reply-to drift
  • wire transfer or payroll redirect request embedded in an ongoing email conversation
  • vendor-domain impersonation with no broad org-wide lure pattern