Awesome-BEC

Repository of attack and defensive information for Business Email Compromise investigations

Office365/AzureAD

• ATT&CK O365
• ATT&CK Azure
• Microsoft Azure Threat Research Matrix
• Microsoft 365 Licensing
• Microsoft Portals
• Azure App IDs

Attack/Defend Research

Author	Link
Lina Lau	Backdoor Office 365 and Active Directory - Golden SAML
Lina Lau	Office365 Attacks: Bypassing MFA, Achieving Persistence and More - Part I
Lina Lau	Attacks on Azure AD and M365: Pawning the cloud, PTA Skeleton Keys and more - PART II
Mike Felch and Steve Borosh	Socially Acceptable Methods to Walk in the Front Door
Mandiant	Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452
Andy Robbins at SpecterOps	Azure Privilege Escalation via Service Principal Abuse
Emilian Cebuc & Christian Philipov at F-Secure	Has anyone seen the principal?
nyxgeek at TrustedSec	Creating A Malicious Azure AD Oauth2 Application
Lina Lau	How to Backdoor Azure Applications and Abuse Service Principals
Lina Lau	How to Detect Azure Active Directory Backdoors: Identity Federation
Doug Bienstock at Mandiant	PwnAuth
Steve Borosh at Black Hills Information Secucirty	Spoofing Microsoft 365 Like It’s 1995
Avertium	MITM Attacks - Evilproxy and Evilginx
Aon Cyber Labs	Bypassing MFA: A Forensic Look At Evilginx2 Phishing Kit
Sofia Marin	Incident Response Series: Chapter #1 Phishing and cookie stolen with Evilginx.
Sofia Marin	Incident Response Series: Chapter #3 The Impact and Subscription Theft as Exfiltration
Anish Bogati	Tricked by trust: How OAuth and device code flows get abused

Investigation Research

Author	Link
Devon Ackerman (SANS DFIR Summit 2018)	A Planned Methodology for Forensically Sound IR in Office 365
Matt Bromiley	Business Email Compromise; Office 365 Making Sense of All the Noise
PWC IR	Business Email Compromise Guide
Korstiann Stam (SANS DFIR Summit 2021)	A Holistic Approach to Defending Business Email Compromise (BEC) Attacks
M365 Internals	Everything About Service Principals, Applications, And API Permissions
M365 Internals	What I Have Learned From Doing A Year Of Cloud Forensics In Azure AD
M365 Internals	Incident Response In A Microsoft Cloud Environment
M365 Internals	Incident Response Series: Reviewing Data In Azure AD For Investigation
M365 Internals	Incident Response Series: Collecting And Analyzing Logs In Azure Ad
Microsoft	How automated investigation and response works in Microsoft Defender for Office 365
Microsoft	Incident Response playbooks
Brendan Mccreesh	Matching the O365 MachineID to a computer’s MachineGUID
BushidoToken	Abused legitimate services
Dave Herrald and Ryan Kovar (SANS CTI Summit 2019)	How to Use and Create Threat Intelligence in an Office 365 World
Mangatas Tondang	Knocking on Clouds Door: Threat Hunting Powered by Azure AD Reports and Azula
Mathieu Saulnier	IRP Phishing
Crypsis	Securing O365 with PowerShell
Aon	Microsoft 365: Identifying Mailbox Access
Will Oram	Responding to sophisticated attacks on Microsoft 365 and Azure AD
Frankie Li, Ken Ma and Eric Leung at Dragon Advance Tech Consulting	Microsoft 365 Forensics Playbook
Christopher Romano and Vaishnav Murthy at Crowdstrike	Cloudy with a Chance of Unclear Mailbox Sync: CrowdStrike Services Identifies Logging Inconsistencies in Microsoft 365
Megan Roddie at SANS	Enterprise Cloud Forensics & Incident Response Poster
Thirumalai Natarajan Muthiah & Anurag Khanna (SANS DFIR Summit 2022)	Threat Hunting in Microsoft 365 Environment
Josh Lemon & Megan Roddie (SANS DFIR Summit 2022)	DFIR Evidence Collection and Preservation for the Cloud
Microsoft	Verify first-party Microsoft applications in sign-in reports
Douglas Bienstock at Mandiant	You Can’t Audit Me: APT29 Continues Targeting Microsoft 365
Lina Lau	How to Detect OAuth Access Token Theft in Azure
Michel De Crevoisier at Red Canary	Forward thinking: How adversaries abuse Office 365 email rules
Emily Parrish at Microsoft	Forensic artifacts in Office 365 and where to find them
Justin Schoenfeld and Zach Diehl at Red Canary	Cloud coverage: Detecting an email payroll diversion attack
CrowdStrike	Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign
Aon	SCL -1: The Dangerous Side Of Safe Senders
Jon Hencinski	Seven ways to spot a business email compromise in Office 365
Emily Parrish at Microsoft	Good UAL Hunting
Invictus Incident Respone	Mastering Email Forwarding Rules in Microsoft 365
Microsoft Threat Intelligence	DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit
Red Canary	Investigating legacy authentication: The curious case of "BAV2ROPC"
Dray Agha at Huntress	Threat Hunting for Business Email Compromise Through User Agents
Fabian Bader	EntraID-ErrorCodes
Patterson Cake at Black Hills Information Security	Wrangling the M365 UAL with PowerShell and SOF-ELK (Part 1 of 3)
Patterson Cake at Black Hills Information Security	Wrangling the M365 UAL with PowerShell and SOF-ELK (Part 2 of 3)
Microsoft	New Microsoft Incident Response guides help security teams analyze suspicious activity
Mauricio Velazco at Splunk	Hunting M365 Invaders: Blue Team's Guide to Initial Access Vectors
Huntress	Time Travelers Busted: How to Detect Impossible Travel
Invictus IR	Deep Dive: Forensic Analysis of eM Client

Secure configuration guidance

Author	Link
NCSC Ireland	Office 365 Secure Configuration Framework
CISA	Microsoft Office 365 Security Recommendations
CISA	Microsoft Expanded Cloud Logs Implementation Playbook

Datasets

Description	Author	Link
A dataset containing Office 365 Unified Audit Logs for security research and detection.	Invictus IR	O365 Dataset
Simulated activity within the Microsoft 365 platform exported using Microsoft Extractor Suite	blueteam0ps	det-eng-samples

Google Workspace

ATT&CK Google Workspace

Investigation Research

Description	Author	Link
	Megan Roddie (SANS DFIR Summit 2021)	Automating Google Workspace Incident Response
	Megan Roddie (BSides SATX)	GSuite Digital Forensics and Incident Response
	Splunk Threat Research Team	Investigating GSuite Phishing Attacks with Splunk
	Arman Gungor at Metaspike	Investigating Message Read Status in Gmail & Google Workspace
	Arman Gungor at Metaspike	Gmail History Records in Forensic Email Investigations
	Arman Gungor at Metaspike	Google Takeout and Vault in Email Forensics
	Megan Roddie at SANS	Prevent, Detect, Respond An Intro to Google Workspace Security and Incident Response
	Korstiaan Stam (SANS DFIR Summit 2022)	Detecting Malicious Actors in Google Workspace
	Invictus IR	Automated Forensic analysis of Google Workspace

Datasets

Description	Author	Link
A dataset containing Google Workspace Logs for security research and detection.	Invictus Incident Response	GWS Dataset

Tools

Adversary Emulation Tools

Author	Link
MDSec	o365-attack-toolkit
Daniel Chronlund	Microsoft 365 Data Exfiltration – Attack and Defend
Mauricio Velazco	msInvader

Phishing Toolkits

Author	Link
Kuba Gretzky	Evilginx2
Cult of Cornholio	Solenya
Black Hills Information Security	CredSniper
Mandiant	ReelPhish
Piotr Duszynski	Modiishka

Investigation Tools

Description	Author	Link
Automate the security assessment of Microsoft Office 365 environments	Soteria Security	365Inspect
A set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise and Azure investigations	ANSSI-FR	DFIR-O365RC
Queries configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments	CrowdStrike	CrowdStrike Reporting Tool for Azure (CRT)
Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020	CISA	Aviary/SPARROW
The goal of the Hawk tool is to be a community lead tool and provides security support professionals with the tools they need to quickly and easily gather data from O365 and Azure.	T0pCyber	Hawk
This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity.	Mandiant	Mandiant AzureAD Investigator
This project is to help faciliate testing and low-volume activity data acquisition from the Office 365 Management Activity API.	Glen Scales	O365 InvestigationTooling
MIA makes it possible to extract Sessions, MessageID(s) and find emails belonging to the MessageID(s)	PwC IR	MIA-MailItemsAccessed
This script makes it possible to extract log data out of an Office365 environment.	JoeyRentenaar	Office 365 Extractor
Invoke-AZExplorer is a set of functions that retrieve vital data from an Azure and 0365 environment used for intrusion analysis.	Fernando Tomlinson	Invoke-AZExplorer
This script will process Microsoft Office365 Protection Center Audit Logs into a useable form to allow efficient fitlering and pivoting off events of interest.	Ian Day	o365AuditParser
DART AzureAD IR Powershell Module	Microsoft DART	AzureADIncidentResponse
Magnet AXIOM Cloud	Magnet Forensics	Magnet AXIOM Cloud
Metaspike Forensic Email Collector	Metaspike	Metaspike Forensic Email Collector
Metaspike Forensic Email Intelligence	Metaspike	Metaspike Forensic Email Intelligence
This [Splunk] app contains over 20 unique searches that will help you identify suspicious activity in your Office 365 and Azure environment.	Invictus IR	Blue-team-app-Office-365-and-Azure
Script to retrieve information via O365 and AzureAD with a valid cred	nyxgeek	o365recon
A Powershell module to run threat hunting playbooks on data from Azure and O365 for Cloud Forensics purposes.	Darkquasar	AzureHunter
SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel.	Phil Hagen at SANS	SOF-ELK
A collection of scripts for finding threats in Office365	Martin Rothe	Py365
Parsing the O365 Unified Audit Log with Python	Koen Van Impe	O365-python-parse
Identifying phishing page toolkits	Brian Kondracki, Babak Amin Azad, Oleksii Starov, and Nick Nikiforakis	Phoca
An Open Source PowerShell O365 Business Email Compromise Investigation Tool	intrepidtechie	KITT-O365-Tool
Tooling for assessing an Azure AD tenant state and configuration	Microsoft	Microsoft Azure AD Assessment
ROADtools is a framework to interact with Azure AD	Dirk-jan	ROADtools
Automated Audit Log Forensic Analysis for Google Workspace	Invictus IR	ALFA
Tool aids hunting and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments	CISA	Untitled Goose
PowerShell module to collect logs and rules from M365	Invictus IR	Microsoft Extractor Suite
A fork of the Hawk PowerShell module which adds additional data-gathing features and removes deprecated modules and commands.	Syne0	Osprey

Assessment Tools

Author	Link
CISA	ScubaGear M365 Secure Configuration Baseline Assessment Tool
CISA	ScubaGoggles GWS Secure Configuration Baseline Assessment Tool
Gerenios	AADInternals

Training

Author/s	Link
SANS	FOR509: Enterprise Cloud Forensics and Incident Response
Xintra	Attacking and Defending Azure & M365
Invictus Incident Response	Incident Response in the Microsoft Cloud training