A Comprehensive Resource for Business Email Compromise Investigations

In the ever-evolving landscape of cyber threats, business email compromise (BEC) remains a persistent and costly threat. This article explores Awesome-BEC, a curated repository of attack and defensive information, tools, and research dedicated to investigating and combating BEC attacks. The sections below reproduce what the repository collects: hardening guidance, public log datasets, talks and articles, offensive tooling, investigation tools and training for safeguarding an organization against this prevalent threat.

Repository of attack and defensive information for Business Email Compromise investigations
Author | Office 365 secure configuration guidance |
---|---|
NCSC Ireland | Office 365 Secure Configuration Framework |
CISA | Microsoft Office 365 Security Recommendations |
Description | Author | Office 365 dataset |
---|---|---|
A dataset containing Office 365 Unified Audit Logs for security research and detection. | Invictus IR | O365 Dataset |
Simulated activity within the Microsoft 365 platform exported using Microsoft Extractor Suite | blueteam0ps | det-eng-samples |
Author | Google Workspace DFIR talk or article |
---|---|
Megan Roddie (SANS DFIR Summit 2021) | Automating Google Workspace Incident Response |
Megan Roddie (BSides SATX) | GSuite Digital Forensics and Incident Response |
Splunk Threat Research Team | Investigating GSuite Phishing Attacks with Splunk |
Arman Gungor at Metaspike | Investigating Message Read Status in Gmail & Google Workspace |
Arman Gungor at Metaspike | Gmail History Records in Forensic Email Investigations |
Arman Gungor at Metaspike | Google Takeout and Vault in Email Forensics |
Megan Roddie at SANS | Prevent, Detect, Respond: An Intro to Google Workspace Security and Incident Response |
Korstiaan Stam (SANS DFIR Summit 2022) | Detecting Malicious Actors in Google Workspace |
Invictus IR | Automated Forensic Analysis of Google Workspace |
Description | Author | Google Workspace dataset |
---|---|---|
A dataset containing Google Workspace Logs for security research and detection. | Invictus Incident Response | GWS Dataset |
Author | Microsoft 365 attack tooling and research |
---|---|
MDSec | o365-attack-toolkit |
Daniel Chronlund | Microsoft 365 Data Exfiltration – Attack and Defend |
Author | Phishing and credential-harvesting framework |
---|---|
Kuba Gretzky | Evilginx2 |
Cult of Cornholio | Solenya |
Black Hills Information Security | CredSniper |
Mandiant | ReelPhish |
Piotr Duszynski | Modlishka |
Description | Author | Investigation tool |
---|---|---|
Automate the security assessment of Microsoft Office 365 environments | Soteria Security | 365Inspect |
A set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise and Azure investigations | ANSSI-FR | DFIR-O365RC |
Queries configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments | CrowdStrike | CrowdStrike Reporting Tool for Azure (CRT) |
Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020 | CISA | Aviary/SPARROW |
The goal of the Hawk tool is to be a community-led tool that provides security support professionals with what they need to quickly and easily gather data from O365 and Azure. | T0pCyber | Hawk |
This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. | Mandiant | Mandiant AzureAD Investigator |
This project helps facilitate testing and low-volume activity data acquisition from the Office 365 Management Activity API. | Glen Scales | O365 InvestigationTooling |
MIA makes it possible to extract Sessions, MessageID(s) and find emails belonging to the MessageID(s) | PwC IR | MIA-MailItemsAccessed |
This script makes it possible to extract log data out of an Office365 environment. | JoeyRentenaar | Office 365 Extractor |
Invoke-AZExplorer is a set of functions that retrieve vital data from an Azure and O365 environment for intrusion analysis. | Fernando Tomlinson | Invoke-AZExplorer |
This script processes Microsoft Office 365 Protection Center audit logs into a usable form to allow efficient filtering and pivoting off events of interest. | Ian Day | o365AuditParser |
DART AzureAD IR Powershell Module | Microsoft DART | AzureADIncidentResponse |
Magnet AXIOM Cloud | Magnet Forensics | Magnet AXIOM Cloud |
Metaspike Forensic Email Collector | Metaspike | Metaspike Forensic Email Collector |
Metaspike Forensic Email Intelligence | Metaspike | Metaspike Forensic Email Intelligence |
This [Splunk] app contains over 20 unique searches that will help you identify suspicious activity in your Office 365 and Azure environment. | Invictus IR | Blue-team-app-Office-365-and-Azure |
Script to retrieve information via O365 and AzureAD with a valid cred | nyxgeek | o365recon |
A Powershell module to run threat hunting playbooks on data from Azure and O365 for Cloud Forensics purposes. | Darkquasar | AzureHunter |
SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. | Phil Hagen at SANS | SOF-ELK |
A collection of scripts for finding threats in Office365 | Martin Rothe | Py365 |
Parsing the O365 Unified Audit Log with Python | Koen Van Impe | O365-python-parse |
Identifying phishing page toolkits | Brian Kondracki, Babak Amin Azad, Oleksii Starov, and Nick Nikiforakis | Phoca |
An Open Source PowerShell O365 Business Email Compromise Investigation Tool | intrepidtechie | KITT-O365-Tool |
Tooling for assessing an Azure AD tenant state and configuration | Microsoft | Microsoft Azure AD Assessment |
ROADtools is a framework to interact with Azure AD | Dirk-jan | ROADtools |
Automated Audit Log Forensic Analysis for Google Workspace | Invictus IR | ALFA |
Tool aids hunting and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments | CISA | Untitled Goose |
PowerShell module to collect logs and rules from M365 | Invictus IR | Microsoft Extractor Suite |
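Several of the tools above (MIA-MailItemsAccessed, o365AuditParser, O365-python-parse) exist because the Unified Audit Log comes out of Search-UnifiedAuditLog as a CSV whose useful fields are buried in the AuditData JSON column, and because a BEC case almost always turns on two questions: what forwarding or deletion rules were created, and which messages were read from the attacker's sessions. The script below is an added example written for this article; it is not code from Awesome-BEC or from any tool listed here. It assumes the export shape of Search-UnifiedAuditLog (CreationDate, UserIds, Operations, AuditData) and the documented field names of New-InboxRule, Set-Mailbox and MailItemsAccessed events; the four events it parses are constructed sample data, and the user, IP addresses, session IDs and message IDs are made up.

```python
"""Minimal Unified Audit Log (UAL) triage for a BEC investigation.

Added example, not part of Awesome-BEC. Input shape follows a
Search-UnifiedAuditLog CSV export: one row per event, with the raw event
JSON in the AuditData column. All sample data below is constructed.
"""
import csv
import io
import json
from collections import defaultdict

RULE_FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
MAILBOX_FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress"}


def build_sample_export():
    """Construct a four-row UAL export (made-up user, IPs and message IDs)."""
    events = [
        {"Operation": "New-InboxRule", "UserId": "victim@example.com",
         "ClientIP": "203.0.113.10",
         "Parameters": [{"Name": "Name", "Value": "."},
                        {"Name": "ForwardTo", "Value": "attacker@example.net"},
                        {"Name": "DeleteMessage", "Value": "True"}]},
        {"Operation": "MailItemsAccessed", "UserId": "victim@example.com",
         "ClientIPAddress": "203.0.113.10", "SessionId": "sess-attacker",
         "ClientInfoString": "Client=OWA;Action=ViaProxy",
         "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}],
         "Folders": [{"Path": "\\Inbox", "FolderItems": [
             {"InternetMessageId": "<m1@example.com>"},
             {"InternetMessageId": "<m2@example.com>"}]}]},
        {"Operation": "MailItemsAccessed", "UserId": "victim@example.com",
         "ClientIPAddress": "198.51.100.7", "SessionId": "sess-user",
         "ClientInfoString": "Client=Outlook",
         "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
         "Folders": [{"Path": "\\Inbox", "FolderItems": [
             {"InternetMessageId": "<m3@example.com>"}]}]},
        {"Operation": "Set-Mailbox", "UserId": "victim@example.com",
         "ClientIP": "203.0.113.10",
         "Parameters": [{"Name": "Identity", "Value": "victim"},
                        {"Name": "ForwardingSmtpAddress",
                         "Value": "smtp:attacker@example.net"}]},
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for i, ev in enumerate(events):
        writer.writerow([f"2024-05-02T08:{10 + i:02d}:00", ev["UserId"],
                         ev["Operation"], json.dumps(ev)])
    return buf.getvalue()


def parse_ual(csv_text):
    """Return one dict per row with the AuditData JSON expanded in place."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = json.loads(row["AuditData"])
        data["_CreationDate"] = row["CreationDate"]
        records.append(data)
    return records


def client_ip(rec):
    # Exchange cmdlet events log ClientIP; mailbox access events log ClientIPAddress.
    return rec.get("ClientIPAddress") or rec.get("ClientIP")


def cmdlet_params(rec):
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def find_forwarding_changes(records):
    """Flag inbox rules and mailbox settings that forward, redirect or delete mail."""
    findings = []
    for rec in records:
        op, p = rec.get("Operation"), cmdlet_params(rec)
        if op in ("New-InboxRule", "Set-InboxRule"):
            hits = {k: v for k, v in p.items() if k in RULE_FORWARD_PARAMS}
            if p.get("DeleteMessage") == "True":
                hits["DeleteMessage"] = "True"
        elif op == "Set-Mailbox":
            hits = {k: v for k, v in p.items() if k in MAILBOX_FORWARD_PARAMS}
        else:
            continue
        if hits:
            findings.append({"time": rec["_CreationDate"], "user": rec["UserId"],
                             "ip": client_ip(rec), "op": op,
                             "rule": p.get("Name"), "detail": hits})
    return findings


def mail_items_accessed_by_session(records):
    """Group MailItemsAccessed events by (user, session, ip) with the message IDs seen."""
    sessions = defaultdict(lambda: {"client": None, "access_types": set(),
                                    "message_ids": set()})
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        s = sessions[(rec["UserId"], rec.get("SessionId"), client_ip(rec))]
        s["client"] = rec.get("ClientInfoString")
        for prop in rec.get("OperationProperties", []):
            if prop["Name"] == "MailAccessType":
                # "Sync" means a whole folder was downloaded; treat every item in
                # that folder as exposed, not only the IDs listed in the event.
                s["access_types"].add(prop["Value"])
        for folder in rec.get("Folders", []):
            for item in folder.get("FolderItems", []):
                s["message_ids"].add(item["InternetMessageId"])
    return dict(sessions)


def messages_exposed_from(records, ip):
    """Message IDs read from one IP, e.g. the IP that created the forwarding rule."""
    exposed = set()
    for (_, _, session_ip), s in mail_items_accessed_by_session(records).items():
        if session_ip == ip:
            exposed |= s["message_ids"]
    return exposed


if __name__ == "__main__":
    recs = parse_ual(build_sample_export())
    for finding in find_forwarding_changes(recs):
        print(finding)
    for key, sess in mail_items_accessed_by_session(recs).items():
        print(key, sorted(sess["access_types"]), len(sess["message_ids"]))
```

Pivoting from the IP in the rule-creation event to the MailItemsAccessed sessions from that IP is the same workflow MIA-MailItemsAccessed automates; the message IDs it returns are what you hand to the mail platform (or Forensic Email Collector) to pull the actual messages. Note that MailItemsAccessed is only recorded for mailboxes covered by the premium audit licence, so an empty session list is not proof that nothing was read.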
Author | Azure AD / M365 tenant toolkit |
---|---|
CISA | ScubaGear M365 Secure Configuration Baseline Assessment Tool |
Gerenios | AADInternals |
Author/s | Training course |
---|---|
David Cowen, Pierre Lidome, Josh Lemon and Megan Roddie at SANS | FOR509: Enterprise Cloud Forensics and Incident Response |
Lina Lau | Attacking and Defending Azure & M365 |