PhishTrace is a C# / .NET 10 forensic toolkit for detecting Business Email Compromise in Microsoft 365 environments. It consists of two complementary command-line tools.
UalBecDetector
UalBecDetector analyses the Microsoft 365 Unified Audit Log (UAL) for tenant-level BEC indicators. It is a C# port and extension of the open-source UAL-Analyzer.ps1 PowerShell script by Lethal-Forensics: it retains the original catalogue of 73 detection rules but replaces the script's execution model with a maintainable, multi-user pipeline that evaluates every rule in a single pass over the log.
Key improvements include an explicit severity model, incident correlation, and a severity-routed Excel workbook that automatically classifies findings and presents them in an at-a-glance dashboard.
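To make the single-pass pipeline, the severity model and the incident correlation concrete, the following is an added C# example written for this page; it is not PhishTrace's code and is not one of its 73 rules. The four rules, their IDs (UAL-001 to UAL-004), the 24-hour correlation window, the "two distinct rules per user" incident threshold and the AuditData records are all constructed for illustration. The record layout (CreationTime, UserId, Operation, and Exchange cmdlet parameters as an array of Name/Value pairs) follows the UAL's AuditData JSON; the Entra ID operation name "Disable Strong Authentication." is an assumption.

```csharp
// Added example, not PhishTrace code: a single-pass rule pipeline over Microsoft 365
// Unified Audit Log records with a severity model and per-user incident correlation.
// Rule IDs, thresholds, the window and the sample records are constructed for illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Constructed AuditData records (the JSON blob in the UAL's AuditData column), trimmed to the
// fields the rules use. Exchange records carry cmdlet parameters as an array of {Name, Value}.
string[] auditData =
{
    """{"CreationTime":"2024-05-02T08:15:00","UserId":"alice@contoso.example","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","ResultStatus":"Success"}""",
    """{"CreationTime":"2024-05-02T08:21:00","UserId":"alice@contoso.example","Operation":"New-InboxRule","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"."},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"SubjectContainsWords","Value":"invoice;payment"}]}""",
    """{"CreationTime":"2024-05-02T08:23:00","UserId":"alice@contoso.example","Operation":"Set-Mailbox","Workload":"Exchange","Parameters":[{"Name":"Identity","Value":"alice"},{"Name":"ForwardingSmtpAddress","Value":"smtp:alice.backup@mail.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}""",
    """{"CreationTime":"2024-05-02T09:40:00","UserId":"bob@contoso.example","Operation":"Add-MailboxPermission","Workload":"Exchange","Parameters":[{"Name":"Identity","Value":"finance"},{"Name":"User","Value":"bob@contoso.example"},{"Name":"AccessRights","Value":"FullAccess"}]}""",
};

var findings = UalPipeline.Run(auditData);
foreach (var f in findings)
    Console.WriteLine($"{f.Time:u} {f.Severity,-8} {f.RuleId} {f.UserId}: {f.Detail}");

// Expected: alice gets UAL-001 and UAL-002 (High), bob gets UAL-003 (Medium);
// only alice becomes an incident, because bob matched a single rule.
foreach (var inc in UalPipeline.Correlate(findings, TimeSpan.FromHours(24)))
    Console.WriteLine($"INCIDENT {inc.Severity} {inc.User}: rules {string.Join(",", inc.Rules)}");

enum Severity { Low, Medium, High, Critical }

record Finding(string RuleId, Severity Severity, string UserId, DateTime Time, string Detail);

static class UalPipeline
{
    // A rule inspects one record and returns a finding or null; all rules run in the same pass.
    delegate Finding? Rule(JsonElement a);

    // Hypothetical rule catalogue (four rules here, the real tool has 73). IDs are illustrative.
    static readonly Rule[] Rules =
    {
        // Inbox rule that deletes mail or files it where the user will not look (reply suppression).
        a => Op(a) is "New-InboxRule" or "Set-InboxRule"
             && (Param(a, "DeleteMessage") == "True" || Param(a, "MoveToFolder") is "RSS Subscriptions" or "Archive")
                ? Make(a, "UAL-001", Severity.High, "inbox rule hides or deletes mail") : null,
        // Mailbox-level forwarding to an SMTP address (exfiltration / thread hijack).
        a => Op(a) == "Set-Mailbox" && Param(a, "ForwardingSmtpAddress") is { Length: > 0 } fwd
                ? Make(a, "UAL-002", Severity.High, $"forwarding set to {fwd}") : null,
        // FullAccess delegation on another mailbox.
        a => Op(a) == "Add-MailboxPermission" && Param(a, "AccessRights") == "FullAccess"
                ? Make(a, "UAL-003", Severity.Medium, $"FullAccess granted on {Param(a, "Identity")}") : null,
        // MFA removed from the account (Entra ID audit record surfaced through the UAL; name assumed).
        a => Op(a) == "Disable Strong Authentication."
                ? Make(a, "UAL-004", Severity.Critical, "strong authentication disabled") : null,
    };

    public static List<Finding> Run(IEnumerable<string> auditDataJson)
    {
        var findings = new List<Finding>();
        foreach (var json in auditDataJson)           // single pass: each record visits every rule once
        {
            using var doc = JsonDocument.Parse(json);
            foreach (var rule in Rules)
                if (rule(doc.RootElement) is { } hit) findings.Add(hit);
        }
        return findings;
    }

    // Correlation: a user with hits from two or more distinct rules inside the window is one
    // incident, rated at the highest severity among its findings.
    public static IEnumerable<(string User, Severity Severity, string[] Rules)> Correlate(
        IEnumerable<Finding> findings, TimeSpan window) =>
        findings.GroupBy(f => f.UserId)
            .Where(g => g.Select(f => f.RuleId).Distinct().Count() >= 2
                        && g.Max(f => f.Time) - g.Min(f => f.Time) <= window)
            .Select(g => (g.Key, g.Max(f => f.Severity),
                          g.Select(f => f.RuleId).Distinct().OrderBy(r => r).ToArray()));

    static string Op(JsonElement a) => a.GetProperty("Operation").GetString() ?? "";

    // Look up a cmdlet parameter by name in the Exchange-style Parameters array.
    static string? Param(JsonElement a, string name)
    {
        if (!a.TryGetProperty("Parameters", out var ps)) return null;
        foreach (var p in ps.EnumerateArray())
            if (p.GetProperty("Name").GetString() == name) return p.GetProperty("Value").GetString();
        return null;
    }

    static Finding Make(JsonElement a, string ruleId, Severity sev, string detail) =>
        new(ruleId, sev, a.GetProperty("UserId").GetString() ?? "?", a.GetProperty("CreationTime").GetDateTime(), detail);
}
```

The point of the structure is that adding a rule means adding one lambda to the catalogue, and the correlation step never re-reads the log: it works on the findings list produced by the single pass, so a 3,394-record export is parsed exactly once regardless of how many rules are enabled.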
PstBecDetector
PstBecDetector scans PST and OST mailbox files offline for message-level BEC indicators, including phishing URLs, file-share lures, malicious SharePoint notifications, and domain reputation signals.
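The message-level checks can be illustrated on an already-extracted message. The following is an added C# example written for this page, not PstBecDetector's code, and it deliberately leaves PST/OST parsing out: it takes a sender, subject and HTML body that have already been pulled from a mailbox file. The three indicator IDs (MSG-001 to MSG-003), the lure phrase list, the sharing-platform host list, the edit-distance threshold and the sample message are all constructed for illustration; the "domain reputation" part is reduced here to a lookalike check against the tenant's own domain, which is one signal and not the only one a real scanner would use.

```csharp
// Added example, not PhishTrace code: message-level BEC indicators over an already-extracted
// message (sender, subject, HTML body). PST/OST parsing is out of scope here; thresholds,
// phrase lists and the sample message are constructed for illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Constructed message: a file-share lure whose visible link looks like SharePoint but whose
// href goes elsewhere, sent from a lookalike of the tenant domain.
var msg = new Message(
    From: "accounts@c0ntoso.example",
    Subject: "Q2 invoice shared with you",
    HtmlBody: """
        <p>Alice Smith shared a file with you.</p>
        <a href="https://login.c0ntoso-files.example/doc">https://contoso.sharepoint.com/:x:/s/Finance/Q2-Invoice.xlsx</a>
        """);

// Expected: MSG-001 (link text host != href host), MSG-002 (share lure off-platform),
// MSG-003 (c0ntoso.example is one edit away from contoso.example).
foreach (var i in MailIndicators.Scan(msg, "contoso.example"))
    Console.WriteLine($"{i.Id} {i.Detail}");

record Message(string From, string Subject, string HtmlBody);
record Indicator(string Id, string Detail);

static class MailIndicators
{
    static readonly Regex Anchor = new(@"<a\s[^>]*href\s*=\s*[""']([^""']+)[""'][^>]*>(.*?)</a>",
                                       RegexOptions.IgnoreCase | RegexOptions.Singleline);
    static readonly string[] SharePhrases = { "shared a file with you", "shared a document", "open document" };
    static readonly string[] SharePlatforms = { "sharepoint.com", "onedrive.live.com", "1drv.ms" };

    public static List<Indicator> Scan(Message m, string tenantDomain)
    {
        var hits = new List<Indicator>();
        string text = Regex.Replace(m.HtmlBody, "<[^>]+>", " ").ToLowerInvariant();
        bool lureWording = SharePhrases.Any(p => text.Contains(p));

        foreach (Match a in Anchor.Matches(m.HtmlBody))
        {
            if (!Uri.TryCreate(a.Groups[1].Value, UriKind.Absolute, out var href)) continue;
            string shown = Regex.Replace(a.Groups[2].Value, "<[^>]+>", "").Trim();

            // Link text that is itself a URL but names a different host than the real target.
            if (Uri.TryCreate(shown, UriKind.Absolute, out var shownUri) && !SameHost(shownUri.Host, href.Host))
                hits.Add(new("MSG-001", $"link text shows {shownUri.Host} but href goes to {href.Host}"));

            // File-share wording around a link that does not go to a sharing platform.
            if (lureWording && !SharePlatforms.Any(p => href.Host.EndsWith(p, StringComparison.OrdinalIgnoreCase)))
                hits.Add(new("MSG-002", $"file-share lure pointing to {href.Host}"));
        }

        // Sender domain is a near-miss of the tenant's own domain (typosquat / lookalike).
        string senderDomain = m.From.Split('@').Last().ToLowerInvariant();
        int d = Levenshtein(senderDomain, tenantDomain.ToLowerInvariant());
        if (d > 0 && d <= 2) hits.Add(new("MSG-003", $"sender domain {senderDomain} resembles {tenantDomain}"));
        return hits;
    }

    static bool SameHost(string a, string b) => string.Equals(a, b, StringComparison.OrdinalIgnoreCase);

    // Classic dynamic-programming edit distance; small inputs, so the full table is fine.
    static int Levenshtein(string s, string t)
    {
        var d = new int[s.Length + 1, t.Length + 1];
        for (int i = 0; i <= s.Length; i++) d[i, 0] = i;
        for (int j = 0; j <= t.Length; j++) d[0, j] = j;
        for (int i = 1; i <= s.Length; i++)
            for (int j = 1; j <= t.Length; j++)
                d[i, j] = Math.Min(Math.Min(d[i - 1, j] + 1, d[i, j - 1] + 1),
                                   d[i - 1, j - 1] + (s[i - 1] == t[j - 1] ? 0 : 1));
        return d[s.Length, t.Length];
    }
}
```

Two caveats a practitioner would keep in mind: the regex-based anchor extraction is adequate for triage but not for adversarial HTML (nested tags, obfuscated attributes), so a production scanner should use a real HTML parser; and an edit-distance threshold of 2 will also flag legitimate sibling domains, so lookalike hits are a reason to look, not a verdict.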
Validation
Validation on a real suspected BEC case of 3,394 UAL event records produced 454 findings. The severity distribution of those findings matched the output of the original script on the same data, confirming parity, while the pre-classified output let analysts confirm quickly which user accounts were compromised without manually sifting through thousands of raw log entries.
Together, the two tools give analysts both the tenant-wide audit perspective and the per-mailbox content perspective needed for a complete BEC investigation.