
Workshop: Investigating M365 Business Email Compromise with Patterson Cake

Investigating M365

Overview

  • Course Length: 4 hours
  • Support from expert instructors
  • Includes a certificate of completion
Instructor: Patterson Cake

Join us for this pay-what-you-can, hands-on, virtual workshop from Antisyphon Instructor, Patterson Cake on investigating M365 business email compromise.

Over 90% of cyber attacks begin with a phishing email. Despite end-user education efforts, implementation of multi-factor authentication, and advanced email filtering, successful business email compromise (BEC) is on the rise! Patterson will review threat-actor BEC standard operating procedures, discuss detecting and investigating M365 BEC, and perform hands-on labs using M365 native functions and SOF-ELK for “Unified Audit Log” (UAL) ingestion and investigations.

Pre-Requisites

Student Knowledge: A basic familiarity with M365 is beneficial but not required.

Syllabus

  • The Anatomy of an M365 Business Email Compromise (BEC)
    • Common Characteristics of Current M365 BEC Attacks
    • Threat-Actor BEC Standard Operating Procedures (SOP)
  • BEC Investigative Methodology
    • Deriving Indicators of Compromise (IOCs) from SOPs
    • Reviewing M365 Log & Audit Data
  • Introduction to SOF-ELK
    • Exporting and Investigating M365 Data with SOF-ELK
    • SOF-ELK Tips, Tricks & Queries (hands-on lab)
  • An M365 BEC Case Study
    • An Overview of the M365 “Unified Audit Log” (UAL)
    • Investigating an M365 BEC Case Using SOF-ELK and the M365 UAL (hands-on lab)

System Requirements:

  • x86 architecture CPU clocked at 2 GHz or higher that is capable of nested virtualization (Apple Silicon is currently not supported)
  • A computer with at least 8 GB of RAM; 16 GB is recommended
  • VMware Workstation or VMware Fusion (VirtualBox and other VM software are not supported)
  • Full Administrator/root access to your computer or laptop
  • System should also have at least 50 GB of available disk space to accommodate one VM
  • Internet access to download the course VM (approx. 5 GB)

Lab Requirements:

To make the most of this workshop, please complete the following before the workshop begins:

  • Download the course lab virtual machine (links and instructions below)
  • Download and complete the “lab setup” guide (link below)
  • Join the BHIS “webcast-live-chat” Discord Channel: https://discord.gg/BHIS

The workshop will be presented via Zoom, and discussion/support will be provided through Discord!

You can complete the workshop labs using the course VM and a browser on your host computer.

Download and run Local VM:

To use the M365 BEC Workshop VM, you will need either VMware Workstation or VMware Player (links to downloads/trials are in the setup guide). The VM requires approx. 50 GB of total disk space, utilizes 4 CPU/4 GB RAM by default, and has NAT enabled.

IMPORTANT: The M365 BEC Workshop virtual machine will NOT run on ARM-based processors (Apple Silicon/M1/M2). You will need a computer with an x64 processor.

Virtual Machine Download (approx. 5 GB): https://securecake.nyc3.cdn.digitaloceanspaces.com/m365_bec/M365-BEC-SOF-ELK.ova

Lab Setup Guide: https://securecake.nyc3.cdn.digitaloceanspaces.com/m365_bec/START-HERE-VM-Setup-Guide.pdf

There are no scheduled live dates for this course at this time. Private training may be available.
