DFIR Platform API Docs

BEC Investigation

Investigate Business Email Compromise in Microsoft 365 tenants. Authenticate once, then scan mailboxes, sign-in logs, forwarding rules, OAuth grants, and more — all from the command line.

Setup Guide

CLI | Free

Step-by-step Azure AD app registration and Microsoft 365 connection guide for BEC investigation.

Inbox Rules

CLI | Free

Scan mailboxes for suspicious inbox rules — forwarding, hiding, and delete rules with risk scoring.

Sign-In Audit

CLI | Free

Analyze Azure AD sign-in logs for authentication anomalies — impossible travel, MFA fatigue, legacy protocols.

Forwarding Audit

CLI | 5

Audit mailboxes for forwarding rules and mail exfiltration with risk scoring and external destination detection.

OAuth Audit

CLI | Free

Audit OAuth/consent grants for malicious apps with publisher verification, permission analysis, and revocation guidance.

Timeline

CLI | 10

Build a unified BEC attack timeline correlating sign-ins, rules, OAuth, and audit logs into attack phases.

Lookalike Domains

CLI | Free (local) / 5 (scan)

Detect typosquat and homoglyph domains with DNS, MX, WHOIS, and DMARC enrichment.

Report

CLI | Free

Generate investigation reports — full JSON+HTML, executive summary, FBI IC3, and insurance proof-of-loss.