// first 10 minutes

business email compromise (BEC) — quick-start

business email compromise — first 10 minutes. stop the wire, preserve headers. print this, check boxes, then run the primary tools.

checklist

  1. stop the wire if humanly possible — call the bank now, not after headers.
  2. save the suspicious message as .eml — do not forward (forwarding rewrites headers).
  3. export the M365 unified audit log for the sender and recipient mailboxes — 30 days minimum.
  4. export mailbox rules for both mailboxes — Outlook rules.dat or an admin center export.
  5. pull sign-in logs for both mailboxes — correlate unusual geography and device.
  6. pull whois for the sender's apparent domain — look for recent registration.
  7. photograph or save the wire confirmation — recall window closes in 24–72h.
  8. notify finance to freeze outgoing wires pending review.
  9. revoke OAuth app consents granted in the last 60 days on both mailboxes.
  10. begin the primary tool path below.

primary tools

  1. email header analyzer: paste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
  2. email thread reconstructor: drop multiple .eml files · Message-ID / References / In-Reply-To tree · missing parent flags · flat timeline · CSV export · runs locally
  3. .eml / .msg email header chain analyzer: drop an .eml or .msg file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
  4. email spoofing and SPF/DKIM/DMARC header validator: paste raw email headers or drop an .eml file · validate authentication headers · detect spoofing indicators · surface SPF, DKIM and DMARC results · identify header inconsistencies indicating spoofed or forged email · runs locally
  5. received header hop analyzer: paste raw email headers or drop an .eml · parse all Received headers · reconstruct the SMTP routing path hop by hop · compute per-hop timing · surface anomalous delays, private IPs and inconsistent hostnames · runs locally
  6. mailer and email client fingerprint identifier: drop .eml files or paste headers · identify the email client or service that sent the message · detect inconsistencies between claimed and actual mailer · surface forged X-Mailer headers and mailer fingerprint mismatches · runs locally
  7. email impersonation pattern detector: drop multiple .eml files or paste headers · detect display-name spoofing, domain lookalikes and reply-to hijacking · identify impersonation patterns targeting specific individuals or organizations · surface BEC and CEO fraud indicators · runs locally
  8. mail rule parser: drop Outlook rules.dat or Thunderbird msgFilterRules.dat · rule names, conditions, actions · flag suspicious forward/redirect rules · CSV export · runs locally
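an added example (not one of the tools above and not code from this page): a minimal hop analyzer in the spirit of checklist step 2 and tool 5, run against a constructed .eml. it orders the Received headers oldest-first, computes per-hop delay, and flags RFC1918 relay addresses and out-of-order timestamps; the sample message, hostnames and the 900 s delay threshold are assumptions.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample .eml: three hops, an RFC1918 relay mid-chain, a 32-minute
# gap before the relay, and a final hop whose clock runs behind the relay's.
SAMPLE_EML = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.example.org with ESMTPS; Tue, 5 Mar 2024 10:01:45 +0000
Received: from relay.internal (relay.internal [10.0.0.5])
\tby mx.example.net with ESMTP; Tue, 5 Mar 2024 10:02:00 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.internal with SMTP; Tue, 5 Mar 2024 09:30:00 +0000
From: "CEO" <ceo@example.com>
To: finance@example.org
Subject: urgent wire
Date: Tue, 5 Mar 2024 09:29:00 +0000

please process the attached wire today.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC1918/loopback only: ipaddress.is_private would also flag documentation ranges.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LONG_DELAY_S = 900  # assumed threshold; tune to the organisation's normal path

def analyze_hops(raw_eml: str) -> list:
    # Returns hops oldest-first with relay IP, delay since previous hop, flags.
    msg = email.message_from_string(raw_eml)
    # MTAs prepend Received headers, so the last one is the first hop.
    received = [" ".join(v.split()) for v in reversed(msg.get_all("Received", []))]
    hops, prev = [], None
    for idx, value in enumerate(received, start=1):
        date_part = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        stamp = parsedate_to_datetime(date_part) if date_part else None
        m = IP_RE.search(value)
        ip = ipaddress.ip_address(m.group(1)) if m else None
        delay = (stamp - prev).total_seconds() if stamp and prev else 0.0
        flags = []
        if ip is not None and any(ip in net for net in INTERNAL):
            flags.append("private-ip")
        if delay < 0:
            flags.append("clock-skew-or-forged")
        elif delay > LONG_DELAY_S:
            flags.append("long-delay")
        hops.append({"hop": idx, "ip": str(ip) if ip else None, "delay_s": delay, "flags": flags})
        prev = stamp or prev
    return hops
```

a private address on the first hop is normal for mail submitted inside the org; the same address appearing mid-chain, or a hop stamped earlier than its predecessor, is what merits a second look.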
