business email compromise (BEC) — methodology

what evidence exists and how fast it dies

the first 10 minutes

1. stop the wire if humanly possible — call the bank, not email.
2. save the suspicious email as .eml. do not forward it.
3. export M365 / Google audit for sender + recipient mailboxes — 30 days back.
4. export mailbox rules for both mailboxes involved.
5. check sign-in logs for unusual geography on the mailbox that sent or received.
6. pull whois for the sender's apparent domain and any lookalike.
7. photograph or save the wire confirmation.
8. notify finance to freeze further outgoing wires pending review.
9. notify IT to revoke OAuth consents granted in the last 60 days.
10. begin the path below.

the path

1. 1. email header analyzer

   save the suspicious message as .eml — never forward. paste headers. surfaces return-path vs from mismatch, reply-to redirect, spf/dkim/dmarc.why first: bec is 80% headers. if you forward instead of saving .eml, you destroy the evidence.

2. 2. email thread reconstructor

   drop the fraud .eml plus any prior legit thread. maps message-id / in-reply-to chains.why second: forged reply chains are trivial to inject. you need to see whether the thread actually existed.

3. 3. email header chain analyzer

   deep parse of received hops, identity fields, injection probes.why third: the hop chain tells you where the message actually entered your mail path.

4. 4. email spoofing spf dkim validator

   scores spoof indicators — spf can pass while display name and from domain diverge.why fourth: 'spf passed' is the most common false lead in bec. this tool separates envelope from header identity.

5. 5. email received header hop analyzer

   hop timing, origin ip classification, path anomalies.why fifth: origin ip and hop deltas often expose relay through attacker infrastructure.

6. 6. mailer fingerprint identifier

   x-mailer, message-id domain, boundary patterns vs known clients.why sixth: a message claiming to be from outlook with a mismatched mailer fingerprint is a strong forgery signal.

7. 7. email impersonation pattern detector

   lookalike domains, executive title mismatch, bec subject patterns.why seventh: homoglyph domains (rooflng vs roofing) are the bec hallmark.

8. 8. mail rule parser

   export mailbox rules — outlook rules.dat or thunderbird msgFilterRules. flags external forward/redirect.why last: the mailbox rule is often how the actor hid exfil or auto-forwarded invoices before the wire.

common false leads

• spf passed, so the email is real — spf validates the envelope sender, which is often the lookalike domain the attacker controls.
• the reply chain looks real — chains are trivially forged in the body and in-reply-to headers.
• the mailbox rule was created by the user — check audit log first, not the mailbox owner's word.
• dkim passed on one hop — alignment with the from domain matters; a passing dkim on a relay ≠ sender authenticity.

what we can tell you, what we can't

we can tell you:

• header-level proof of forgery and spoof technique
• lookalike domain identification and impersonation patterns
• when a mailbox rule was created (if audit log is in scope)
• oauth consent chain indicators from exported audit logs

we can't tell you:

• recover the wire — that is the bank's job within recall windows
• attribute the actor — FBI IC3 / law enforcement territory
• determine criminal intent vs clerical error — legal counsel territory

handing it off

• law enforcement (FBI IC3): original .eml, header analysis output, wire confirmation, lookalike domains, audit log exports.
• bank: wire confirmation, timestamp, beneficiary account, recall request in writing.
• outside counsel: preservation log — what you saved, when, sha-256 of exports.

reference investigation