Repository of attack and defensive information for Business Email Compromise investigations


Attack/Defend Research

| Description | Author | Link |
| --- | --- | --- |
| | Lina Lau | Backdoor Office 365 and Active Directory - Golden SAML |
| | Lina Lau | Office365 Attacks: Bypassing MFA, Achieving Persistence and More - Part I |
| | Lina Lau | Attacks on Azure AD and M365: Pawning the cloud, PTA Skeleton Keys and more - PART II |
| | Mike Felch and Steve Borosh | Socially Acceptable Methods to Walk in the Front Door |
| | Mandiant | Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 |
| | Andy Robbins at SpecterOps | Azure Privilege Escalation via Service Principal Abuse |
| | Emilian Cebuc & Christian Philipov at F-Secure | Has anyone seen the principal? |
| | nyxgeek at TrustedSec | Creating A Malicious Azure AD Oauth2 Application |
| | Lina Lau | How to Backdoor Azure Applications and Abuse Service Principals |
| | Lina Lau | How to Detect Azure Active Directory Backdoors: Identity Federation |
| | Doug Bienstock at Mandiant | PwnAuth |
| | Steve Borosh at Black Hills Information Security | Spoofing Microsoft 365 Like It's 1995 |

Investigation Research

| Description | Author | Link |
| --- | --- | --- |
| | Devon Ackerman (SANS DFIR Summit 2018) | A Planned Methodology for Forensically Sound IR in Office 365 |
| | Matt Bromiley | Business Email Compromise; Office 365 Making Sense of All the Noise |
| | PWC IR | Business Email Compromise Guide |
| | Korstiaan Stam (SANS DFIR Summit 2021) | A Holistic Approach to Defending Business Email Compromise (BEC) Attacks |
| | M365 Internals | Everything About Service Principals, Applications, And API Permissions |
| | M365 Internals | What I Have Learned From Doing A Year Of Cloud Forensics In Azure AD |
| | M365 Internals | Incident Response In A Microsoft Cloud Environment |
| | M365 Internals | Incident Response Series: Reviewing Data In Azure AD For Investigation |
| | M365 Internals | Incident Response Series: Collecting And Analyzing Logs In Azure AD |
| | Microsoft | How automated investigation and response works in Microsoft Defender for Office 365 |
| | Microsoft | Incident Response playbooks |
| | Brendan Mccreesh | Matching the O365 MachineID to a computer's MachineGUID |
| | BushidoToken | Abused legitimate services |
| | Dave Herrald and Ryan Kovar (SANS CTI Summit 2019) | How to Use and Create Threat Intelligence in an Office 365 World |
| | Mangatas Tondang | Knocking on Clouds Door: Threat Hunting Powered by Azure AD Reports and Azula |
| | Mathieu Saulnier | IRP Phishing |
| | Crypsis | Securing O365 with PowerShell |
| | Aon | Microsoft 365: Identifying Mailbox Access |
| | Will Oram | Responding to sophisticated attacks on Microsoft 365 and Azure AD |
| | Frankie Li, Ken Ma and Eric Leung at Dragon Advance Tech Consulting | Microsoft 365 Forensics Playbook |
| | Christopher Romano and Vaishnav Murthy at Crowdstrike | Cloudy with a Chance of Unclear Mailbox Sync: CrowdStrike Services Identifies Logging Inconsistencies in Microsoft 365 |


| Description | Author | Link |
| --- | --- | --- |
| A dataset containing Office 365 Unified Audit Logs for security research and detection. | Invictus Incident Response | O365 Dataset |

Google Workspace

ATT&CK Google Workspace

Investigation Research

| Description | Author | Link |
| --- | --- | --- |
| | Megan Roddie | Automating Google Workspace Incident Response |
| | Megan Roddie | GSuite Digital Forensics and Incident Response |
| | Splunk Threat Research Team | Investigating GSuite Phishing Attacks with Splunk |
| | Arman Gungor at Metaspike | Investigating Message Read Status in Gmail & Google Workspace |
| | Arman Gungor at Metaspike | Gmail History Records in Forensic Email Investigations |
| | Arman Gungor at Metaspike | Google Takeout and Vault in Email Forensics |
| | Megan Roddie at SANS | Prevent, Detect, Respond: An Intro to Google Workspace Security and Incident Response |


| Description | Author | Link |
| --- | --- | --- |
| A dataset containing Google Workspace Logs for security research and detection. | Invictus Incident Response | GWS Dataset |


Adversary Emulation Tools

| Description | Author | Link |
| --- | --- | --- |
| | MDSec | o365-attack-toolkit |

Phishing Toolkits

| Description | Author | Link |
| --- | --- | --- |
| | Kuba Gretzky | Evilginx2 |
| | Cult of Cornholio | Solenya |
| | Black Hills Information Security | CredSniper |
| | Mandiant | ReelPhish |
| | Piotr Duszynski | Modlishka |

Investigation Tools

| Description | Author | Link |
| --- | --- | --- |
| Automate the security assessment of Microsoft Office 365 environments | Soteria Security | 365Inspect |
| A set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise and Azure investigations | ANSSI-FR | DFIR-O365RC |
| Queries configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments | CrowdStrike | CrowdStrike Reporting Tool for Azure (CRT) |
| Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020 | CISA | Aviary/SPARROW |
| The goal of the Hawk tool is to be a community-led tool that provides security support professionals with the tools they need to quickly and easily gather data from O365 and Azure. | T0pCyber | Hawk |
| This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. | Mandiant | Mandiant AzureAD Investigator |
| This project is to help facilitate testing and low-volume activity data acquisition from the Office 365 Management Activity API. | Glen Scales | O365 InvestigationTooling |
| MIA makes it possible to extract Sessions, MessageID(s) and find emails belonging to the MessageID(s) | PwC IR | MIA-MailItemsAccessed |
| This script makes it possible to extract log data out of an Office365 environment. | JoeyRentenaar | Office 365 Extractor |
| Invoke-AZExplorer is a set of functions that retrieve vital data from an Azure and O365 environment used for intrusion analysis. | Fernando Tomlinson | Invoke-AZExplorer |
| This script will process Microsoft Office365 Protection Center Audit Logs into a usable form to allow efficient filtering and pivoting off events of interest. | Ian Day | o365AuditParser |
| DART AzureAD IR PowerShell Module | Microsoft DART | AzureADIncidentResponse |
| Magnet AXIOM Cloud | Magnet Forensics | Magnet AXIOM Cloud |
| Metaspike Forensic Email Collector | Metaspike | Metaspike Forensic Email Collector |
| This [Splunk] app contains over 20 unique searches that will help you identify suspicious activity in your Office 365 and Azure environment. | Invictus IR | Blue-team-app-Office-365-and-Azure |
| Script to retrieve information via O365 and AzureAD with a valid cred | nyxgeek | o365recon |
| A PowerShell module to run threat hunting playbooks on data from Azure and O365 for Cloud Forensics purposes. | Darkquasar | AzureHunter |
| SOF-ELK® is a "big data analytics" platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. | Phil Hagen at SANS | SOF-ELK |
| A collection of scripts for finding threats in Office365 | Martin Rothe | Py365 |
| Parsing the O365 Unified Audit Log with Python | Koen Van Impe | O365-python-parse |
| Identifying phishing page toolkits | Brian Kondracki, Babak Amin Azad, Oleksii Starov, and Nick Nikiforakis | Phoca |
| An Open Source PowerShell O365 Business Email Compromise Investigation Tool | intrepidtechie | KITT-O365-Tool |
| Tooling for assessing an Azure AD tenant state and configuration | Microsoft | Microsoft Azure AD Assessment |
| This suite of scripts contains two different scripts that can be used to acquire the Microsoft 365 Unified Audit Log | Invictus IR | Microsoft 365 Extractor Suite |
| ROADtools is a framework to interact with Azure AD | Dirk-jan | ROADtools |


| Description | Author | Link |
| --- | --- | --- |
| | David Cowen, Pierre Lidome, Josh Lemon at SANS | FOR509: Enterprise Cloud Forensics and Incident Response |