Moaaz.

Project

PhishTrace

BEC Detection Toolkit for Microsoft 365

Digital Forensics Investigator & Analyst @ I-ForceSecurity · DFIR · Tooling · CLI

February 2026 – May 2026

PhishTrace is a C# / .NET 10 forensic toolkit for detecting Business Email Compromise in Microsoft 365 environments. It consists of two complementary command-line tools.

UalBecDetector

UalBecDetector analyses the Microsoft 365 Unified Audit Log (UAL) for tenant-level BEC indicators. It ports and extends the open-source UAL-Analyzer.ps1 PowerShell script by Lethal-Forensics, retaining the original catalogue of 73 detection rules while replacing the execution model with a maintainable, multi-user, single-pass pipeline.

Key improvements include:

PstBecDetector

PstBecDetector scans PST and OST mailbox files offline for message-level BEC indicators, including:

Validation

Validation on a real suspected BEC case of 3,394 UAL event records produced 454 findings. The severity distribution matches that of the original script, confirming parity, while the pre-classified output lets analysts quickly confirm whether user accounts were compromised without manually sifting through thousands of raw log entries.

Together, the two tools give analysts both the tenant-wide audit perspective and the per-mailbox content perspective needed for a complete BEC investigation.
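As an added illustration of the single-pass, multi-user rule pipeline described for UalBecDetector and of the severity roll-up used in the validation, here is a small C# console program. It is not PhishTrace's code: the three rules, the field names read from AuditData, the sample rows and the `GeoStub` lookup (a stand-in for a real GeoIP step) are all constructed for this example and are not the 73 UAL-Analyzer rules.

```csharp
// Added example, not PhishTrace's own code: a minimal single-pass, multi-user
// rule pipeline over Unified Audit Log rows, followed by a severity roll-up.
// Rules, AuditData field names and sample rows are constructed for illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Constructed sample rows (hypothetical users, TEST-NET IP addresses).
string[] rows =
{
    """{"CreationDate":"2026-03-01T08:00:00Z","UserId":"alice@example.com","Operation":"UserLoggedIn","AuditData":{"ClientIP":"203.0.113.5"}}""",
    """{"CreationDate":"2026-03-01T08:05:00Z","UserId":"bob@example.com","Operation":"UserLoggedIn","AuditData":{"ClientIP":"203.0.113.9"}}""",
    """{"CreationDate":"2026-03-01T09:10:00Z","UserId":"alice@example.com","Operation":"UserLoggedIn","AuditData":{"ClientIP":"198.51.100.77"}}""",
    """{"CreationDate":"2026-03-01T09:12:00Z","UserId":"alice@example.com","Operation":"New-InboxRule","AuditData":{"Parameters":[{"Name":"Name","Value":"."},{"Name":"DeleteMessage","Value":"True"}]}}""",
    """{"CreationDate":"2026-03-01T10:00:00Z","UserId":"bob@example.com","Operation":"Set-Mailbox","AuditData":{"Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:someone@example.net"}]}}""",
};

var findings = Pipeline.Run(rows.Select(Pipeline.Parse));
foreach (var f in findings)
    Console.WriteLine($"{f.When:u} {f.Severity,-6} {f.RuleId,-16} {f.UserId} - {f.Detail}");

// The severity roll-up an analyst reads first when triaging a case.
foreach (var grp in findings.GroupBy(x => x.Severity).OrderByDescending(x => x.Key))
    Console.WriteLine($"{grp.Key}: {grp.Count()}");

enum Severity { Low, Medium, High }
record UalRecord(DateTime CreationDate, string UserId, string Operation, JsonElement AuditData);
record Finding(string UserId, string RuleId, Severity Severity, DateTime When, string Detail);
// A rule sees one record plus the state accumulated for that user earlier in the pass.
record Rule(string Id, Severity Severity, Func<UalRecord, UserState, string?> Match);

// Per-user state lets multi-event rules run without a second pass over the log.
class UserState { public HashSet<string> LoginCountries { get; } = new(); }

static class Pipeline
{
    // Constructed stand-in for a GeoIP lookup.
    static readonly Dictionary<string, string> GeoStub = new()
    {
        ["203.0.113.5"] = "NL", ["203.0.113.9"] = "NL", ["198.51.100.77"] = "NG",
    };

    static readonly Rule[] Rules =
    {
        // Hypothetical rule: inbox rule that deletes or moves mail, a common way to hide replies.
        new("INBOX-RULE-HIDE", Severity.High, (r, _) =>
            r.Operation == "New-InboxRule" && HasParam(r, "DeleteMessage", "MoveToFolder")
                ? "Inbox rule with delete/move action created" : null),
        // Hypothetical rule: SMTP forwarding configured on the mailbox.
        new("FWD-EXTERNAL", Severity.High, (r, _) =>
            r.Operation == "Set-Mailbox" && HasParam(r, "ForwardingSmtpAddress")
                ? "Mailbox forwarding address set" : null),
        // Hypothetical rule: the same account has now logged in from more than one country.
        new("GEO-MULTI", Severity.Medium, (r, s) =>
            r.Operation == "UserLoggedIn" && s.LoginCountries.Count > 1
                ? $"Logins from {string.Join(",", s.LoginCountries)}" : null),
    };

    public static UalRecord Parse(string row)
    {
        var e = JsonSerializer.Deserialize<JsonElement>(row);
        return new UalRecord(
            e.GetProperty("CreationDate").GetDateTime(),
            e.GetProperty("UserId").GetString()!,
            e.GetProperty("Operation").GetString()!,
            e.GetProperty("AuditData"));
    }

    // Exchange cmdlet audit records carry their arguments as a Parameters array of {Name, Value}.
    static bool HasParam(UalRecord r, params string[] names) =>
        r.AuditData.TryGetProperty("Parameters", out var ps) &&
        ps.EnumerateArray().Any(p => names.Contains(p.GetProperty("Name").GetString()));

    // Single pass: sort once, update the user's state, then evaluate every rule against the record.
    public static List<Finding> Run(IEnumerable<UalRecord> records)
    {
        var state = new Dictionary<string, UserState>(StringComparer.OrdinalIgnoreCase);
        var findings = new List<Finding>();
        foreach (var r in records.OrderBy(rec => rec.CreationDate))
        {
            if (!state.TryGetValue(r.UserId, out var s)) state[r.UserId] = s = new UserState();
            if (r.Operation == "UserLoggedIn"
                && r.AuditData.TryGetProperty("ClientIP", out var ip)
                && GeoStub.TryGetValue(ip.GetString()!, out var country))
                s.LoginCountries.Add(country);
            foreach (var rule in Rules)
                if (rule.Match(r, s) is { } detail)
                    findings.Add(new Finding(r.UserId, rule.Id, rule.Severity, r.CreationDate, detail));
        }
        return findings;
    }
}
```

Build it as a plain console project (`dotnet new console`, replace Program.cs, `dotnet run`). The design point is the per-user `UserState`: because state is keyed by account and updated before the rules run, a rule that depends on earlier events for the same user (the multi-country login here) is evaluated in the same pass as the single-event rules, which is what makes one sweep over thousands of rows sufficient.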

Tech Stack

C# · .NET 10 · XstReader.Api · ClosedXML · System.CommandLine
