bec-sterling — reference investigation
Sterling & Associates is a 22-person property management firm. A receivables clerk receives a vendor-impersonation email from a lookalike domain, carrying a forged reply chain and updated wiring instructions, and wires $84,300 to an attacker-controlled account. Eight days earlier, the CFO mailbox had been compromised via OAuth consent and a malicious invoice-forwarding rule was added. Fully synthetic.
what this proves
- every primary engine produces deterministic, fixture-locked output — verified by npm run check:flagship (16/16 fleet · 8 for this scenario).
- every output is generated 100% locally in your browser — save the .eml, never forward it.
- header forgery, lookalike domain, and mailbox rule indicators surface without uploading evidence.
primary engines locked to this fixture
build the case binder
runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for bec — no upload.
download the synthetic evidence
MIT-licensed, fully synthetic. includes the fraudulent .eml, the prior legitimate thread, a mailbox rules export, audit json, and the wire confirmation text.
built deterministically from scripts/fixtures/build-bec-sterling.mjs. seed: bec-sterling:v1.
methodology
bec is 80% headers. save the .eml first, then walk header analyzer → thread reconstructor → chain analyzer → spoof validator → hop analyzer → mailer fingerprint → impersonation detector → mail rule parser. read the full business email compromise (BEC) guide →
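the two header findings this scenario hinges on, a lookalike sender domain and a reply chain that cites messages the real thread never contained, as an added python example that is not one of the page's engines. the .eml, the known vendor domain, and the prior-thread message-ids are all constructed for illustration.

```python
"""Header triage for a BEC lookalike-domain email (added example; not the project's engines)."""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample .eml: a lookalike .co domain replying to a thread it was never part of.
FRAUD_EML = """\
From: "Ridgeline Plumbing AP" <ap@ridgeline-plumbing.co>
Reply-To: payments@ridgeline-plumbing.co
To: receivables@sterling-assoc.example
Subject: RE: Invoice 4471 - updated wiring instructions
Message-ID: <a1@ridgeline-plumbing.co>
In-Reply-To: <zz9@ridgeline-plumbing.com>
References: <zz9@ridgeline-plumbing.com>

Please use the new account below for invoice 4471.
"""

# Constructed ground truth: the real vendor domain and the message-ids of the legitimate prior thread.
KNOWN_VENDOR_DOMAINS = {"ridgeline-plumbing.com"}
PRIOR_THREAD_IDS = {"<b7@ridgeline-plumbing.com>", "<c3@sterling-assoc.example>"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small non-zero values between domains suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(msg, field: str) -> str:
    """Lower-cased domain part of an address header, or '' if the header is absent."""
    return parseaddr(str(msg.get(field, "")))[1].rpartition("@")[2].lower()


def triage(raw_eml: str, known_domains: set, prior_ids: set) -> list:
    """Return human-readable findings for the three header checks this page's playbook starts with."""
    msg = message_from_string(raw_eml, policy=policy.default)
    findings = []
    from_domain, reply_domain = _domain(msg, "From"), _domain(msg, "Reply-To")
    if from_domain and from_domain not in known_domains:
        nearest = min(known_domains, key=lambda d: edit_distance(d, from_domain))
        if 0 < edit_distance(nearest, from_domain) <= 3:
            findings.append(f"lookalike domain: {from_domain} resembles {nearest}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: {reply_domain} != {from_domain}")
    # A forged reply chain cites message-ids that never existed in the legitimate thread.
    cited = set(str(msg.get("References", "")).split())
    if msg.get("In-Reply-To"):
        cited.add(str(msg["In-Reply-To"]).strip())
    if unknown := cited - prior_ids:
        findings.append(f"forged reply chain: {len(unknown)} cited message-id(s) not in prior thread")
    return findings
```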
after the playbook
after the eight mail primaries, merge header, thread, chain, and rule exports in fatcousin-multi-tool-super-timeline-correlator. walks the forgery → rule → wire path on one local timeline — no upload.