Workshop: Investigating M365 Business Email Compromise with Patterson Cake
Overview
- Course Length: 4 hours
- Support from expert instructors
- Includes a certificate of completion
Join us for this pay-what-you-can, hands-on, virtual workshop from Antisyphon Instructor, Patterson Cake on investigating M365 business email compromise.
Over 90% of cyber attacks begin with a phishing email. Despite end-user education efforts, implementation of multi-factor authentication, and advanced email filtering, successful business email compromise (BEC) is on the rise! Patterson will review threat-actor BEC standard operating procedures, discuss detecting and investigating M365 BEC, and perform hands-on labs using M365 native functions and SOF-ELK for “Unified Audit Log” (UAL) ingestion and investigations.
Pre-Requisites
Student Knowledge: A basic familiarity with M365 is beneficial but not required.
Syllabus
- The Anatomy of an M365 Business Email Compromise (BEC)
- Common Characteristics of Current M365 BEC Attacks
- Threat-Actor BEC Standard Operating Procedures (SOP)
- BEC Investigative Methodology
- Deriving Indicators of Compromise (IOCs) from SOPs
- Reviewing M365 Log & Audit Data
- Introduction to SOF-ELK
- Exporting and Investigating M365 Data with SOF-ELK
- SOF-ELK Tips, Tricks & Queries (hands-on lab)
- An M365 BEC Case Study
- An Overview of the M365 “Unified Audit Log” (UAL)
- Investigating an M365 BEC Case Using SOF-ELK and the M365 UAL (hands-on lab)
System Requirements:
- x86 architecture CPU clocked at 2 GHz or higher that is capable of nested virtualization (Apple Silicon is currently not supported)
- A computer with at least 8 GB of RAM; 16 GB is recommended
- VMware Workstation or VMware Fusion (VirtualBox and other VM software is not supported)
- Full Administrator/root access to your computer or laptop
- System should also have at least 50 GB of available disk space to accommodate one VM
- Internet access to download the course VM (approx. 5 GB)
Lab Requirements:
To make the most of this workshop, please complete the following before the workshop begins:
- Download the course lab virtual machine (links and instructions below)
- Download and complete the “lab setup” guide (link below)
- Join the BHIS “webcast-live-chat” Discord Channel – https://discord.gg/BHIS
The workshop will be presented via Zoom, and discussion/support will be provided through Discord!
You can complete the workshop labs using the course VM and a browser on your host computer.
Download and run Local VM:
To use the M365 BEC Workshop VM, you will need either VMware Workstation or VMware Player (links to downloads/trials are in the setup guide). The VM requires approx. 50 GB of total disk space, uses 4 CPUs / 4 GB RAM by default, and has NAT networking enabled.
IMPORTANT: The M365 BEC Workshop virtual machine will NOT run on ARM-based processors (Apple Silicon/M1/M2). You will need a computer with an x64 processor.
Virtual Machine Download (approx. 5 GB): https://securecake.nyc3.cdn.digitaloceanspaces.com/m365_bec/M365-BEC-SOF-ELK.ova
Lab Setup Guide: https://securecake.nyc3.cdn.digitaloceanspaces.com/m365_bec/START-HERE-VM-Setup-Guide.pdf
There are no scheduled live dates for this course at this time. Private training may be available.
Course Categories:
Forensics, Incident Response, Microsoft Windows, Pay What You Can, Workshop