delgado-vendor-bec — vendor impersonation wire fraud
Halvorsen Reyes Architecture is a 60-person architecture firm. AP coordinator Mariana Delgado receives a vendor impersonation email from a lookalike domain, carrying a forged reply chain and updated remittance details, and wires $146,750 to an attacker account. Eight days earlier the firm's controller mailbox was compromised via OAuth consent with a malicious invoice forwarding rule. Fully synthetic.
what this proves
- every primary engine produces deterministic, fixture-locked output — verified by npm run check:flagship (728/728 fleet · 8 for this scenario).
- every output is generated 100% locally in your browser — save .eml, never forward.
- header forgery, lookalike domain, and mailbox rule indicators surface without uploading evidence.
primary engines locked to this fixture
build the case binder
runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for bec — no upload.
download the synthetic evidence
MIT-licensed, fully synthetic. includes fraudulent .eml, prior legit thread, mailbox rules export, audit json, and wire confirmation text.
built deterministically from scripts/fixtures/build-delgado-vendor-bec.mjs. seed: delgado-vendor-bec:v1.
methodology
bec is 80% headers. save the .eml first, then walk header analyzer → thread reconstructor → chain analyzer → spoof validator → hop analyzer → mailer fingerprint → impersonation detector → mail rule parser.
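an added example, not the project's own engine code: a minimal header triage over a saved .eml that flags a lookalike From domain and reply-chain references missing from the prior legit thread. all domains, Message-IDs and the function names are constructed placeholders, and both checks are heuristics.

```javascript
// Constructed sample: domains and Message-IDs are placeholders, not fixture values.
const VENDOR_DOMAINS = ['vendor.example'];
const LEGIT_THREAD_IDS = new Set(['<inv-1001@vendor.example>', '<inv-1002@vendor.example>']);
const SAMPLE_EML = [
  'From: "Accounts Receivable" <ar@vend0r.example>',
  'In-Reply-To: <inv-1003@vendor.example>',
  'References: <inv-1001@vendor.example>',
  ' <inv-1003@vendor.example>',
  '',
  'Please use the new bank details below.',
].join('\r\n');
// Header block ends at the first blank line; folded lines are unfolded first.
// A repeated header name keeps only its last value.
function parseHeaders(eml) {
  const head = eml.split(/\r?\n\r?\n/)[0].replace(/\r?\n[ \t]+/g, ' ');
  const headers = {};
  for (const line of head.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}
function domainOf(v) { const m = /@([a-z0-9.-]+)/i.exec(v || ''); return m ? m[1].toLowerCase() : null; }
// Levenshtein distance, single-row form.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = up;
    }
  }
  return row[b.length];
}
// Flag From domains 1-2 edits away from a known vendor, and thread refs never seen before.
function triage(eml, vendorDomains, legitIds) {
  const h = parseHeaders(eml);
  const from = domainOf(h['from']);
  const findings = vendorDomains
    .filter((d) => { const n = editDistance(from || '', d); return n > 0 && n <= 2; })
    .map((d) => `lookalike-domain:${from}~${d}`);
  const refs = `${h['in-reply-to'] || ''} ${h['references'] || ''}`.match(/<[^>]+>/g) || [];
  const unknown = [...new Set(refs)].filter((id) => !legitIds.has(id));
  if (unknown.length) findings.push(`unknown-thread-ref:${unknown.join(',')}`);
  return findings;
}
console.log(triage(SAMPLE_EML, VENDOR_DOMAINS, LEGIT_THREAD_IDS));
```

in practice the set of legit Message-IDs comes from the prior thread saved from the mailbox, and the vendor domain list from the vendor master record.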
after the playbook
after the eight mail primaries, merge header, thread, chain, and rule exports in fatcousin-multi-tool-super-timeline-correlator. walks the forgery → rule → wire path on one local timeline — no upload.