Enterprise-grade Business Email Compromise (BEC) detection and response toolkit for Microsoft 365 environments. Built for organizations that can't afford expensive SIEM/SOAR solutions like Darktrace, Splunk, or CrowdStrike.
Author: Don Cook | TryHackMe: Top 1% (scrizo) | Role: Security Engineer
Enterprise security tools cost $100K–500K+ annually. This toolkit provides comparable BEC detection capabilities for free using native Microsoft tools and PowerShell automation.
Real-world impact: Used to detect and contain a BEC incident in under 18 hours, preventing $500K+ in wire fraud.
- ✅ Malicious mail rules (hiding internal emails, forwarding, deletion)
- ✅ Impossible travel patterns (geographic anomalies)
- ✅ Risky user detection (Azure AD Identity Protection integration)
- ✅ Failed authentication patterns (brute force, password spray)
- ✅ MFA fatigue attacks (repeated MFA prompts)
- ✅ Suspicious OAuth applications (dangerous permissions)
- ✅ Mailbox delegation abuse (unauthorized access)
- ✅ Mailbox audit log forensics (covering-tracks detection)
- ✅ One-click remediation for common threats
- ✅ Automatic CSV reporting with findings
- ✅ Attack timeline reconstruction
- ✅ Email notifications for critical findings
- ✅ Interactive prompts for high-risk actions
- ✅ Scan 600+ mailboxes in minutes
- ✅ Pattern detection across the organization
- ✅ Detailed audit trails
- ✅ Customizable alert thresholds
- ✅ No additional licensing required
```powershell
# Install required modules
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
Install-Module -Name Microsoft.Graph -Scope CurrentUser
```

```powershell
# Detect malicious mail rules
.\Scripts\Check-MaliciousMailRules.ps1

# Comprehensive BEC detection (all indicators)
.\Scripts\Invoke-BECDetection.ps1

# Specific user investigation
.\Scripts\Invoke-BECDetection.ps1 -UserPrincipalName user@domain.com
```

Detects rules that:
- Hide internal emails (@yourdomain.com)
- Delete messages automatically
- Forward to external addresses
- Move to hidden folders (RSS, Archive)
- Mark as read (hiding new messages)
Example output:

```text
[!] HIGH RISK RULE DETECTED!
User: user@domain.com
Rule: ...
Actions: Moves to RSS Subscriptions, Marks as read
Targets Internal: Yes
```
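The check behind that output can be expressed as a standalone scoring function. The block below is an added example written for this README, not the toolkit's own Check-MaliciousMailRules.ps1; it assumes an existing Connect-ExchangeOnline session and uses only the standard Get-EXOMailbox, Get-InboxRule and Disable-InboxRule cmdlets. The function names, the hidden-folder list and the sample rule at the bottom are constructed for illustration. It also shows the Y/N prompt before a rule is disabled, the same flow as in the incident scenario further down.

```powershell
# Added example (not the toolkit's own script). Assumes Connect-ExchangeOnline has been run.
# Function names, the hidden-folder list and the sample rule at the bottom are constructed for illustration.

function Get-InboxRuleRisk {
    param(
        [Parameter(Mandatory)] $Rule,                       # object from Get-InboxRule (or a test object with the same properties)
        [Parameter(Mandatory)] [string] $InternalDomain,    # e.g. 'company.com'
        [string[]] $HiddenFolders = @('RSS Subscriptions', 'RSS Feeds', 'Archive', 'Junk Email', 'Conversation History', 'Deleted Items')
    )
    $reasons = @()

    # 1. Conditions that single out internal mail (the "hide @company.com" pattern)
    $conditionText = (@($Rule.FromAddressContainsWords) + @($Rule.SubjectContainsWords) +
                      @($Rule.BodyContainsWords) + @($Rule.SubjectOrBodyContainsWords) + @($Rule.From)) -join ' '
    $targetsInternal = $conditionText -match [regex]::Escape($InternalDomain)
    if ($targetsInternal) { $reasons += "Targets internal mail ($InternalDomain)" }

    # 2. Destructive action
    if ($Rule.DeleteMessage) { $reasons += 'Deletes messages' }

    # 3. Forwarding or redirecting to addresses outside the tenant
    foreach ($recipient in (@($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo))) {
        if ($recipient -and ("$recipient" -notmatch [regex]::Escape($InternalDomain))) {
            $reasons += "Forwards externally: $recipient"
        }
    }

    # 4. Moving mail into folders a user rarely opens (MoveToFolder reads like 'user@domain:\RSS Subscriptions')
    if ($Rule.MoveToFolder) {
        $folderName = ("$($Rule.MoveToFolder)" -split '\\')[-1]
        if ($HiddenFolders -contains $folderName) { $reasons += "Moves to hidden folder: $folderName" }
    }

    # 5. Marking as read removes the unread-count cue that would make the victim notice
    if ($Rule.MarkAsRead) { $reasons += 'Marks as read' }

    # One hiding action alone is Medium; two or more, or anything aimed at internal mail, is High
    $severity = 'None'
    if ($reasons.Count -ge 2 -or $targetsInternal) { $severity = 'High' }
    elseif ($reasons.Count -eq 1)                  { $severity = 'Medium' }

    [pscustomobject]@{
        Mailbox  = $Rule.MailboxOwnerId
        Rule     = $Rule.Name
        Severity = $severity
        Reasons  = $reasons -join '; '
    }
}

function Invoke-InboxRuleScan {
    param(
        [Parameter(Mandatory)] [string] $InternalDomain,
        [string] $ReportPath = ".\MailRuleFindings-$(Get-Date -Format yyyyMMdd-HHmm).csv",
        [switch] $Remediate                                  # prompt before disabling each High-risk rule
    )
    $findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            $risk = Get-InboxRuleRisk -Rule $rule -InternalDomain $InternalDomain
            if ($risk.Severity -eq 'None') { continue }
            Write-Host "[!] $($risk.Severity) RISK RULE: $($risk.Mailbox) / '$($risk.Rule)' -> $($risk.Reasons)" -ForegroundColor Yellow
            if ($Remediate -and $risk.Severity -eq 'High' -and (Read-Host 'Do you want to DISABLE this rule now? (Y/N)') -match '^[Yy]') {
                Disable-InboxRule -Identity $rule.Identity -Mailbox $mbx.UserPrincipalName -Confirm:$false
                Write-Host '[OK] Rule disabled successfully' -ForegroundColor Green
            }
            $risk
        }
    }
    if ($findings) { $findings | Export-Csv -Path $ReportPath -NoTypeInformation }
    $findings
}

# Constructed sample rule (what a BEC rule typically looks like), so the scorer can be exercised offline
$sampleRule = [pscustomobject]@{
    MailboxOwnerId = 'finance@company.com'; Name = '..'; Identity = 'finance@company.com\1234'
    FromAddressContainsWords = @('@company.com'); SubjectContainsWords = $null; BodyContainsWords = $null
    SubjectOrBodyContainsWords = $null; From = $null; DeleteMessage = $false
    ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null
    MoveToFolder = 'finance@company.com:\RSS Subscriptions'; MarkAsRead = $true
}
Get-InboxRuleRisk -Rule $sampleRule -InternalDomain 'company.com'   # Severity: High (internal target, hidden folder, marks as read)

# Live scan of the tenant, prompting before any High-risk rule is disabled:
# Invoke-InboxRuleScan -InternalDomain 'company.com' -Remediate
```

Get-InboxRule runs once per mailbox, so a 600-mailbox tenant takes a few minutes. It only lists rules the client can see; a rule whose creation was logged (New-InboxRule, Set-InboxRule or UpdateInboxRules in the Unified Audit Log) but that does not appear here is itself a finding worth chasing in the mailbox audit log.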
Flags sign-ins from different countries within hours:

```text
Route: United States → Russia (45 minutes)
User: executive@domain.com
First IP: 203.0.113.50 | Second IP: 198.51.100.20
```
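One way to implement the impossible-travel check, as an added example rather than code from Invoke-BECDetection.ps1: the detection is a pure function over sign-in records, so it runs here on a constructed sample that reproduces the output above; the last lines show the Microsoft Graph call (Get-MgAuditLogSignIn from the Microsoft.Graph.Reports module) that would supply live data and assume Connect-MgGraph with the AuditLog.Read.All and Directory.Read.All scopes. The function name, the window and the trusted IP list are assumptions.

```powershell
# Added example (not the toolkit's own code). Function name, window and trusted-IP list are assumptions.

function Find-ImpossibleTravel {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,   # objects with User, Time, Ip, Country
        [int] $WindowHours = 6,                       # two countries inside this window = finding
        [string[]] $TrustedIps = @()                  # corporate egress / VPN concentrator IPs to ignore
    )
    $findings = foreach ($group in ($SignIns | Where-Object { $_.Ip -notin $TrustedIps } | Group-Object User)) {
        $ordered = @($group.Group | Sort-Object Time)
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev = $ordered[$i - 1]; $curr = $ordered[$i]
            if ($prev.Country -eq $curr.Country) { continue }
            $gap = $curr.Time - $prev.Time
            if ($gap.TotalHours -gt $WindowHours) { continue }
            # Under two hours between countries is physically implausible for almost any pair of locations
            $severity = if ($gap.TotalHours -lt 2) { 'High' } else { 'Medium' }
            [pscustomobject]@{
                User     = $group.Name
                Route    = "$($prev.Country) -> $($curr.Country)"
                Minutes  = [math]::Round($gap.TotalMinutes)
                FirstIp  = $prev.Ip
                SecondIp = $curr.Ip
                Severity = $severity
            }
        }
    }
    $findings
}

# Constructed sample: one real impossible-travel pair and one benign day-apart pair
$sampleSignIns = @(
    [pscustomobject]@{ User = 'executive@domain.com'; Time = [datetime]'2025-10-20T08:30:00'; Ip = '203.0.113.50';  Country = 'United States' }
    [pscustomobject]@{ User = 'executive@domain.com'; Time = [datetime]'2025-10-20T09:15:00'; Ip = '198.51.100.20'; Country = 'Russia' }
    [pscustomobject]@{ User = 'analyst@domain.com';   Time = [datetime]'2025-10-20T09:00:00'; Ip = '203.0.113.51';  Country = 'United States' }
    [pscustomobject]@{ User = 'analyst@domain.com';   Time = [datetime]'2025-10-21T09:00:00'; Ip = '192.0.2.10';    Country = 'Germany' }
)
Find-ImpossibleTravel -SignIns $sampleSignIns | Format-Table -AutoSize
# -> one High finding: executive@domain.com, United States -> Russia, 45 minutes

# Live data: successful interactive sign-ins from the last 24 hours via Microsoft Graph
# (requires Connect-MgGraph -Scopes AuditLog.Read.All, Directory.Read.All)
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
$liveSignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and status/errorCode eq 0" -All |
    ForEach-Object {
        [pscustomobject]@{
            User    = $_.UserPrincipalName
            Time    = $_.CreatedDateTime
            Ip      = $_.IpAddress
            Country = $_.Location.CountryOrRegion
        }
    }
Find-ImpossibleTravel -SignIns $liveSignIns -TrustedIps @('203.0.113.1') |
    Export-Csv -Path .\ImpossibleTravel.csv -NoTypeInformation
```

Country attribution comes from IP geolocation, so mobile-carrier NAT, cloud proxies and personal VPNs produce false positives; keep the trusted list current and compare any hit with the user's known devices before treating it as compromise. Only successful sign-ins are pulled (status/errorCode eq 0) because a failed attempt from abroad is a different signal, covered by the failed-authentication checks.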
Integrates with Microsoft's threat intelligence:
- Leaked credentials
- Malicious IP addresses
- Unfamiliar sign-in properties
- Anonymous IPs (Tor, VPN)
Builds a chronological view of the compromise:

```text
2025-10-20 09:15 - Sign-in from Russia (Risk: High)
2025-10-20 09:20 - Inbox rule created: "..."
2025-10-20 09:25 - 50 emails moved to RSS folder
2025-10-20 09:30 - Password changed
```
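A timeline like the one above can be rebuilt from the Unified Audit Log plus Identity Protection risk detections. The block below is an added example, not the toolkit's own code: ConvertTo-TimelineEvent normalizes one Search-UnifiedAuditLog record (CreationDate, Operations, AuditData JSON) into a timeline row and runs here on constructed records; Build-AttackTimeline wraps the live Search-UnifiedAuditLog and Get-MgRiskDetection calls and assumes connected Exchange Online and Graph sessions (IdentityRiskEvent.Read.All scope) with mailbox auditing enabled. The operation-to-risk table and the AuditData field names used for move/delete records (AffectedItems, DestFolder.Path) are assumptions taken from the mailbox audit schema, so verify them against your own tenant's records.

```powershell
# Added example (not the toolkit's own code). Assumes Connect-ExchangeOnline and Connect-MgGraph sessions
# and that mailbox auditing is on (otherwise Move/Delete records never reach the Unified Audit Log).

# Risk rating per Unified Audit Log operation name (assumed mapping; extend to taste)
$RiskByOperation = @{
    'New-InboxRule' = 'High';         'Set-InboxRule' = 'High';        'UpdateInboxRules' = 'High'
    'Add-MailboxPermission' = 'High'; 'Change user password.' = 'High'; 'Reset user password.' = 'High'
    'Consent to application.' = 'High'
    'HardDelete' = 'Medium';          'SoftDelete' = 'Medium';         'MoveToDeletedItems' = 'Medium'
    'Move' = 'Low';                   'MailItemsAccessed' = 'Low';     'UserLoggedIn' = 'Low'
}

function ConvertTo-TimelineEvent {
    # Normalises one Search-UnifiedAuditLog record into a timeline row
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        $op   = $Record.Operations
        $detail = switch -Regex ($op) {
            'InboxRule' {
                # Cmdlet parameters are logged as Name/Value pairs; keep the ones that describe what the rule does
                @($data.Parameters | Where-Object { $_.Name -in @('Name', 'MoveToFolder', 'MarkAsRead', 'DeleteMessage', 'ForwardTo', 'RedirectTo') } |
                    ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ', '
            }
            '^(Move|SoftDelete|HardDelete|MoveToDeletedItems)$' {
                # Field names per the mailbox audit schema (assumed): AffectedItems array, DestFolder.Path
                $count = if ($data.AffectedItems) { @($data.AffectedItems).Count } else { 0 }
                "$count item(s)" + $(if ($data.DestFolder.Path) { " -> $($data.DestFolder.Path)" } else { '' })
            }
            default { [string]$data.ObjectId }
        }
        $risk = if ($RiskByOperation.ContainsKey($op)) { $RiskByOperation[$op] } else { 'Info' }
        [pscustomobject]@{
            Time   = $Record.CreationDate
            Event  = $op
            Risk   = $risk
            Ip     = $data.ClientIP
            Detail = $detail
        }
    }
}

function Build-AttackTimeline {
    param([Parameter(Mandatory)] [string] $UserPrincipalName, [int] $Days = 7)
    $end = Get-Date; $start = $end.AddDays(-$Days)

    # Exchange and Entra activity for the user, restricted to the operations we rate
    $ual = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $UserPrincipalName `
               -Operations ([string[]]$RiskByOperation.Keys) -ResultSize 5000 | ConvertTo-TimelineEvent

    # Identity Protection detections (leaked credentials, anonymous IP, unlikely travel, ...), filtered client-side
    $detections = Get-MgRiskDetection -All |
        Where-Object { $_.UserPrincipalName -eq $UserPrincipalName -and $_.DetectedDateTime -ge $start } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.DetectedDateTime
                Event  = "RiskDetection: $($_.RiskEventType)"
                Risk   = (Get-Culture).TextInfo.ToTitleCase([string]$_.RiskLevel)
                Ip     = $_.IpAddress
                Detail = $_.Location.CountryOrRegion
            }
        }
    @($ual) + @($detections) | Sort-Object Time
}

# Constructed Unified Audit Log records reproducing the timeline above (AuditData trimmed to the fields used)
$sampleRecords = @(
    [pscustomobject]@{ CreationDate = [datetime]'2025-10-20 09:15'; Operations = 'UserLoggedIn'
                       AuditData = '{"ClientIP":"198.51.100.20","Operation":"UserLoggedIn"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2025-10-20 09:20'; Operations = 'New-InboxRule'
                       AuditData = '{"ClientIP":"198.51.100.20","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":".."},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}' }
    [pscustomobject]@{ CreationDate = [datetime]'2025-10-20 09:25'; Operations = 'Move'
                       AuditData = '{"ClientIP":"198.51.100.20","Operation":"Move","DestFolder":{"Path":"\\RSS Subscriptions"},"AffectedItems":[{"Subject":"Invoice 4471"},{"Subject":"Wire instructions"}]}' }
    [pscustomobject]@{ CreationDate = [datetime]'2025-10-20 09:30'; Operations = 'Change user password.'
                       AuditData = '{"ClientIP":"198.51.100.20","Operation":"Change user password."}' }
)
$sampleRecords | ConvertTo-TimelineEvent | Sort-Object Time | Format-Table -AutoSize

# Live: Build-AttackTimeline -UserPrincipalName 'executive@domain.com' -Days 7 | Format-Table -AutoSize
```

Sorting every source on one Time column is what makes the sequence readable: the same ClientIP appearing on the sign-in, the rule creation, the bulk move and the password change is the strongest single indicator that one actor did all four. Search-UnifiedAuditLog caps at 5000 records per call and Move records exist only for mailboxes with auditing enabled, so a gap in the timeline may be a logging gap rather than attacker inactivity.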
Can't afford enterprise SIEM? Use this toolkit for automated BEC detection with zero licensing costs.
Limited security budget? Get enterprise-grade detection using native M365 tools.
Protect multiple clients without per-tenant licensing fees.
Supplement existing tools with PowerShell automation and custom detections.
Scenario: User clicks a phishing link, credentials are stolen, attacker creates malicious mail rules.

Detection (18 minutes):

```text
PS> .\Scripts\Check-MaliciousMailRules.ps1
[!] HIGH RISK RULE DETECTED!
User: finance@company.com
Rule: "..."
Actions: Hides @company.com emails in RSS folder
Do you want to DISABLE this rule now? (Y/N): Y
[✓] Rule disabled successfully!
```

Result: BEC contained in <18 hours, $500K+ fraud prevented.
| Enterprise Tool | Annual Cost | This Toolkit |
|---|---|---|
| Darktrace | $100K–300K | FREE |
| Splunk Security | $150K–500K | FREE |
| CrowdStrike Falcon | $50K–150K | FREE |
| Proofpoint TAP | $30K–100K | FREE |

Total potential savings: $330K–1M+ annually
Contributions welcome! Please read CONTRIBUTING.md for:
- Bug reports
- Feature requests
- Pull request guidelines
- Code of conduct
MIT License – Free for personal and commercial use. See LICENSE for details.
This toolkit is provided "as-is" for educational and defensive security purposes. Always test in non-production environments first. The author is not responsible for misuse or damage caused by these tools.
- Built from real-world incident response experience
- Inspired by the need for accessible enterprise security
- Community feedback and contributions welcome
Author: Don Cook | TryHackMe: Top 1% (scrizo) | LinkedIn: [LinkedIn] | Issues: GitHub Issues
If this toolkit prevented a breach at your organization, consider:
- ⭐ Starring the repository
- 🐛 Reporting bugs or suggesting features
- 💬 Sharing with other security professionals
- ☕ Buying me a coffee (optional)
Built by security professionals, for security professionals.