Repository of attack and defensive information for Business Email Compromise investigations


Attack/Defend Research

| Author | Link |
| --- | --- |
| Lina Lau | Backdoor Office 365 and Active Directory - Golden SAML |
| Lina Lau | Office365 Attacks: Bypassing MFA, Achieving Persistence and More - Part I |
| Lina Lau | Attacks on Azure AD and M365: Pawning the cloud, PTA Skeleton Keys and more - PART II |
| Mike Felch and Steve Borosh | Socially Acceptable Methods to Walk in the Front Door |
| Mandiant | Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 |
| Andy Robbins at SpecterOps | Azure Privilege Escalation via Service Principal Abuse |
| Emilian Cebuc & Christian Philipov at F-Secure | Has anyone seen the principal? |
| nyxgeek at TrustedSec | Creating A Malicious Azure AD Oauth2 Application |
| Lina Lau | How to Backdoor Azure Applications and Abuse Service Principals |
| Lina Lau | How to Detect Azure Active Directory Backdoors: Identity Federation |
| Doug Bienstock at Mandiant | PwnAuth |
| Steve Borosh at Black Hills Information Security | Spoofing Microsoft 365 Like It’s 1995 |
| Avertium | MITM Attacks - Evilproxy and Evilginx |
| Aon Cyber Labs | Bypassing MFA: A Forensic Look At Evilginx2 Phishing Kit |
| Sofia Marin | Incident Response Series: Chapter #1 Phishing and cookie stolen with Evilginx |
| Sofia Marin | Incident Response Series: Chapter #3 The Impact and Subscription Theft as Exfiltration |

Investigation Research

| Author | Link |
| --- | --- |
| Devon Ackerman (SANS DFIR Summit 2018) | A Planned Methodology for Forensically Sound IR in Office 365 |
| Matt Bromiley | Business Email Compromise; Office 365 Making Sense of All the Noise |
| PWC IR | Business Email Compromise Guide |
| Korstiaan Stam (SANS DFIR Summit 2021) | A Holistic Approach to Defending Business Email Compromise (BEC) Attacks |
| M365 Internals | Everything About Service Principals, Applications, And API Permissions |
| M365 Internals | What I Have Learned From Doing A Year Of Cloud Forensics In Azure AD |
| M365 Internals | Incident Response In A Microsoft Cloud Environment |
| M365 Internals | Incident Response Series: Reviewing Data In Azure AD For Investigation |
| M365 Internals | Incident Response Series: Collecting And Analyzing Logs In Azure AD |
| Microsoft | How automated investigation and response works in Microsoft Defender for Office 365 |
| Microsoft | Incident Response playbooks |
| Brendan Mccreesh | Matching the O365 MachineID to a computer’s MachineGUID |
| BushidoToken | Abused legitimate services |
| Dave Herrald and Ryan Kovar (SANS CTI Summit 2019) | How to Use and Create Threat Intelligence in an Office 365 World |
| Mangatas Tondang | Knocking on Clouds Door: Threat Hunting Powered by Azure AD Reports and Azula |
| Mathieu Saulnier | IRP Phishing |
| Crypsis | Securing O365 with PowerShell |
| Aon | Microsoft 365: Identifying Mailbox Access |
| Will Oram | Responding to sophisticated attacks on Microsoft 365 and Azure AD |
| Frankie Li, Ken Ma and Eric Leung at Dragon Advance Tech Consulting | Microsoft 365 Forensics Playbook |
| Christopher Romano and Vaishnav Murthy at CrowdStrike | Cloudy with a Chance of Unclear Mailbox Sync: CrowdStrike Services Identifies Logging Inconsistencies in Microsoft 365 |
| Megan Roddie at SANS | Enterprise Cloud Forensics & Incident Response Poster |
| Thirumalai Natarajan Muthiah & Anurag Khanna (SANS DFIR Summit 2022) | Threat Hunting in Microsoft 365 Environment |
| Josh Lemon & Megan Roddie (SANS DFIR Summit 2022) | DFIR Evidence Collection and Preservation for the Cloud |
| Microsoft | Verify first-party Microsoft applications in sign-in reports |
| Douglas Bienstock at Mandiant | You Can’t Audit Me: APT29 Continues Targeting Microsoft 365 |
| Lina Lau | How to Detect OAuth Access Token Theft in Azure |
| Michel De Crevoisier at Red Canary | Forward thinking: How adversaries abuse Office 365 email rules |
| Emily Parrish at Microsoft | Forensic artifacts in Office 365 and where to find them |
| Justin Schoenfeld and Zach Diehl at Red Canary | Cloud coverage: Detecting an email payroll diversion attack |
| CrowdStrike | Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign |
| Aon | SCL -1: The Dangerous Side Of Safe Senders |
| Jon Hencinski | Seven ways to spot a business email compromise in Office 365 |
| Emily Parrish at Microsoft | Good UAL Hunting |
| Invictus Incident Response | Mastering Email Forwarding Rules in Microsoft 365 |
| Microsoft Threat Intelligence | DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit |
| Red Canary | Investigating legacy authentication: The curious case of “BAV2ROPC” |
| Dray Agha at Huntress | Threat Hunting for Business Email Compromise Through User Agents |
| Fabian Bader | EntraID-ErrorCodes |
| Patterson Cake at Black Hills Information Security | Wrangling the M365 UAL with PowerShell and SOF-ELK (Part 1 of 3) |
| Patterson Cake at Black Hills Information Security | Wrangling the M365 UAL with PowerShell and SOF-ELK (Part 2 of 3) |
| Microsoft | New Microsoft Incident Response guides help security teams analyze suspicious activity |
| Mauricio Velazco at Splunk | Hunting M365 Invaders: Blue Team’s Guide to Initial Access Vectors |
| Huntress | Time Travelers Busted: How to Detect Impossible Travel |

Secure configuration guidance

| Author | Link |
| --- | --- |
| NCSC Ireland | Office 365 Secure Configuration Framework |
| CISA | Microsoft Office 365 Security Recommendations |


| Description | Author | Link |
| --- | --- | --- |
| A dataset containing Office 365 Unified Audit Logs for security research and detection. | Invictus IR | O365 Dataset |
| Simulated activity within the Microsoft 365 platform exported using Microsoft Extractor Suite | blueteam0ps | det-eng-samples |

Google Workspace

ATT&CK Google Workspace

Investigation Research

| Description | Author | Link |
| --- | --- | --- |
| | Megan Roddie (SANS DFIR Summit 2021) | Automating Google Workspace Incident Response |
| | Megan Roddie (BSides SATX) | GSuite Digital Forensics and Incident Response |
| | Splunk Threat Research Team | Investigating GSuite Phishing Attacks with Splunk |
| | Arman Gungor at Metaspike | Investigating Message Read Status in Gmail & Google Workspace |
| | Arman Gungor at Metaspike | Gmail History Records in Forensic Email Investigations |
| | Arman Gungor at Metaspike | Google Takeout and Vault in Email Forensics |
| | Megan Roddie at SANS | Prevent, Detect, Respond: An Intro to Google Workspace Security and Incident Response |
| | Korstiaan Stam (SANS DFIR Summit 2022) | Detecting Malicious Actors in Google Workspace |
| | Invictus IR | Automated Forensic Analysis of Google Workspace |


| Description | Author | Link |
| --- | --- | --- |
| A dataset containing Google Workspace Logs for security research and detection. | Invictus Incident Response | GWS Dataset |


Adversary Emulation Tools

| Author | Link |
| --- | --- |
| MDSec | o365-attack-toolkit |
| Daniel Chronlund | Microsoft 365 Data Exfiltration – Attack and Defend |

Phishing Toolkits

| Author | Link |
| --- | --- |
| Kuba Gretzky | Evilginx2 |
| Cult of Cornholio | Solenya |
| Black Hills Information Security | CredSniper |
| Mandiant | ReelPhish |
| Piotr Duszynski | Modlishka |

Investigation Tools

| Description | Author | Link |
| --- | --- | --- |
| Automate the security assessment of Microsoft Office 365 environments | Soteria Security | 365Inspect |
| A set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise and Azure investigations | ANSSI-FR | DFIR-O365RC |
| Queries configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments | CrowdStrike | CrowdStrike Reporting Tool for Azure (CRT) |
| Aviary is a dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020 | CISA | Aviary/SPARROW |
| The goal of the Hawk tool is to be a community-led tool that provides security support professionals with the tools they need to quickly and easily gather data from O365 and Azure. | T0pCyber | Hawk |
| This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. | Mandiant | Mandiant AzureAD Investigator |
| This project is to help facilitate testing and low-volume activity data acquisition from the Office 365 Management Activity API. | Glen Scales | O365 InvestigationTooling |
| MIA makes it possible to extract Sessions, MessageID(s) and find emails belonging to the MessageID(s) | PwC IR | MIA-MailItemsAccessed |
| This script makes it possible to extract log data out of an Office365 environment. | JoeyRentenaar | Office 365 Extractor |
| Invoke-AZExplorer is a set of functions that retrieve vital data from an Azure and O365 environment used for intrusion analysis. | Fernando Tomlinson | Invoke-AZExplorer |
| This script will process Microsoft Office365 Protection Center Audit Logs into a usable form to allow efficient filtering and pivoting off events of interest. | Ian Day | o365AuditParser |
| DART AzureAD IR PowerShell Module | Microsoft DART | AzureADIncidentResponse |
| Magnet AXIOM Cloud | Magnet Forensics | Magnet AXIOM Cloud |
| Metaspike Forensic Email Collector | Metaspike | Metaspike Forensic Email Collector |
| Metaspike Forensic Email Intelligence | Metaspike | Metaspike Forensic Email Intelligence |
| This [Splunk] app contains over 20 unique searches that will help you identify suspicious activity in your Office 365 and Azure environment. | Invictus IR | Blue-team-app-Office-365-and-Azure |
| Script to retrieve information via O365 and AzureAD with a valid cred | nyxgeek | o365recon |
| A PowerShell module to run threat hunting playbooks on data from Azure and O365 for Cloud Forensics purposes. | Darkquasar | AzureHunter |
| SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. | Phil Hagen at SANS | SOF-ELK |
| A collection of scripts for finding threats in Office365 | Martin Rothe | Py365 |
| Parsing the O365 Unified Audit Log with Python | Koen Van Impe | O365-python-parse |
| Identifying phishing page toolkits | Brian Kondracki, Babak Amin Azad, Oleksii Starov, and Nick Nikiforakis | Phoca |
| An Open Source PowerShell O365 Business Email Compromise Investigation Tool | intrepidtechie | KITT-O365-Tool |
| Tooling for assessing an Azure AD tenant state and configuration | Microsoft | Microsoft Azure AD Assessment |
| ROADtools is a framework to interact with Azure AD | Dirk-jan | ROADtools |
| Automated Audit Log Forensic Analysis for Google Workspace | Invictus IR | ALFA |
| Tool aids hunting and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments | CISA | Untitled Goose |
| PowerShell module to collect logs and rules from M365 | Invictus IR | Microsoft Extractor Suite |

Assessment Tools

| Author | Link |
| --- | --- |
| CISA | ScubaGear M365 Secure Configuration Baseline Assessment Tool |
| CISA | ScubaGoggles GWS Secure Configuration Baseline Assessment Tool |
| Gerenios | AADInternals |


| Author/s | Link |
| --- | --- |
| SANS | FOR509: Enterprise Cloud Forensics and Incident Response |
| Xintra | Attacking and Defending Azure & M365 |
| Invictus Incident Response | Incident Response in the Microsoft Cloud training |