
Join us for this pay-what-you-can, hands-on, virtual workshop from Antisyphon Instructor, Patterson Cake on investigating M365 business email compromise.
Course Length: 4 Hours
Includes a Certificate of Completion
Description
Over 90% of cyber attacks begin with a phishing email. Despite end-user education, multi-factor authentication, and advanced email filtering, successful business email compromise (BEC) is on the rise. In this workshop, Patterson reviews threat-actor BEC standard operating procedures, discusses how to detect and investigate M365 BEC, and runs hands-on labs using native M365 functions and SOF-ELK for “Unified Audit Log” (UAL) ingestion and investigation.
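The UAL ingestion and IOC derivation the description refers to, shown as an added example; this is not code from the workshop or from SOF-ELK. It assumes the log is the JSON produced by the Exchange Online cmdlet `Search-UnifiedAuditLog` piped to `ConvertTo-Json` (an array of records whose `AuditData` field is itself a JSON string, which is the quirk that trips most first-time analysts). The sample records, the egress-IP allowlist and the two IOC patterns it encodes (a sign-in from an unexpected IP, followed by an inbox rule that forwards, redirects or hides mail) are constructed for illustration and are not taken from the course.

```python
"""Triage a Microsoft 365 Unified Audit Log (UAL) JSON export for common BEC indicators.

Added example, not workshop material. Assumes the shape of
`Search-UnifiedAuditLog ... | ConvertTo-Json` output; sample data is constructed.
"""
import json

# Inbox-rule parameters that forward, redirect or hide mail. A new rule using any of
# these shortly after an unexpected sign-in is a widely reported BEC persistence step.
SUSPICIOUS_RULE_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
    "DeleteMessage", "MoveToFolder", "MarkAsRead",
}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed allowlist of the tenant's expected egress IPs (assumption for the example).
KNOWN_IPS = {"198.51.100.10"}


def _record(when, user, op, ip, extra=None):
    """Build one constructed UAL record in export shape: AuditData is a JSON *string*."""
    data = {"CreationTime": when, "Operation": op, "UserId": user,
            "ClientIP": ip, "ResultStatus": "Succeeded"}
    data.update(extra or {})
    return {"CreationDate": when, "UserIds": user, "Operations": op,
            "AuditData": json.dumps(data)}


# Constructed export: a benign sign-in, an unexpected sign-in, a hiding rule, benign mail access.
SAMPLE_EXPORT = json.dumps([
    _record("2024-05-02T08:12:44", "alice@example.com", "UserLoggedIn", "198.51.100.10"),
    _record("2024-05-02T11:03:19", "alice@example.com", "UserLoggedIn", "203.0.113.7:443"),
    _record("2024-05-02T11:07:52", "alice@example.com", "New-InboxRule", "203.0.113.7",
            {"Parameters": [
                {"Name": "Name", "Value": "."},
                {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                {"Name": "MarkAsRead", "Value": "True"},
            ]}),
    _record("2024-05-02T11:30:05", "bob@example.com", "MailItemsAccessed", "198.51.100.10"),
])


def _strip_port(ip):
    """UAL ClientIP values sometimes carry a port ("203.0.113.7:443"); drop it for IPv4."""
    if ip.count(":") == 1:
        return ip.split(":", 1)[0]
    return ip


def parse_ual(export_text):
    """Load a UAL JSON export, decode the nested AuditData string, and sort by time."""
    records = json.loads(export_text)
    if isinstance(records, dict):          # ConvertTo-Json emits a bare object for one record
        records = [records]
    parsed = []
    for rec in records:
        data = rec.get("AuditData", {})
        if isinstance(data, str):          # the usual case: JSON inside JSON
            data = json.loads(data)
        parsed.append({
            "time": rec.get("CreationDate") or data.get("CreationTime"),
            "user": rec.get("UserIds") or data.get("UserId"),
            "op": rec.get("Operations") or data.get("Operation"),
            "data": data,
        })
    return sorted(parsed, key=lambda r: r["time"] or "")


def triage(records, known_ips):
    """Return a time-ordered list of findings derived from the two BEC SOP patterns above."""
    findings = []
    for r in records:
        d = r["data"]
        ip = _strip_port(d.get("ClientIP", ""))
        base = {"time": r["time"], "user": r["user"], "op": r["op"], "ip": ip}
        # Pattern 1: any sign-in from outside the known egress set (failed ones matter too).
        if r["op"] == "UserLoggedIn" and ip and ip not in known_ips:
            findings.append({**base, "type": "login_unknown_ip"})
        # Pattern 2: inbox rule that forwards, redirects or hides mail.
        if r["op"] in RULE_OPERATIONS:
            params = {p["Name"]: p.get("Value") for p in d.get("Parameters", [])}
            hit = sorted(SUSPICIOUS_RULE_PARAMS & params.keys())
            if hit:
                findings.append({**base, "type": "suspicious_inbox_rule",
                                 "rule_name": params.get("Name"), "params": hit})
    return findings


if __name__ == "__main__":
    for f in triage(parse_ual(SAMPLE_EXPORT), KNOWN_IPS):
        print(f["time"], f["user"], f["type"], f["ip"], f.get("params", ""))
```

SOF-ELK does this decoding for you at scale; the point of the script is to show what sits inside the `AuditData` string (operation, caller IP, and for Exchange cmdlets a `Parameters` name/value list) so that the queries you later write in SOF-ELK target the right fields.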
System Requirements
- x86-64 CPU clocked at 2 GHz or higher that supports nested virtualization (Apple Silicon is currently not supported)
- A computer with at least 8 GB of RAM; 16 GB is recommended
- VMware Workstation, VMware Player, or VMware Fusion (VirtualBox and other VM software is not supported)
- Full Administrator/root access to your computer or laptop
- At least 50 GB of available disk space to accommodate one VM
- Internet access to download the course VM (approx. 5 GB)
Lab Requirements (To make the most of this workshop, please complete the following before the workshop begins)
- Download the course lab virtual machine (links and instructions below)
- Download and complete the “lab setup” guide (link below)
- Join the BHIS “webcast-live-chat” Discord Channel - https://discord.gg/BHIS
- The workshop will be presented via Zoom, and discussion/support will be provided through Discord
- You can complete the workshop labs using the course VM and a browser on your host computer.
Download and run the local VM
- To use the M365 BEC Workshop VM, you will need either VMware Workstation or VMware Player (links to downloads/trials are in the setup guide). The VM requires approx. 50 GB of total disk space, uses 4 CPUs/4 GB RAM by default, and has NAT networking enabled.
- IMPORTANT: The M365 BEC Workshop virtual machine will NOT run on ARM-based processors (Apple Silicon/M1/M2). You will need a computer with an x64 processor.
- Virtual Machine Download (approx. 5 GB): https://securecake.nyc3.cdn.digitaloceanspaces.com/m365_bec/M365-BEC-SOF-ELK.ova
- Lab Setup Guide: https://securecake.nyc3.cdn.digitaloceanspaces.com/m365_bec/START-HERE-VM-Setup-Guide.pdf
Syllabus
- The Anatomy of an M365 Business Email Compromise (BEC)
  - Common Characteristics of Current M365 BEC Attacks
  - Threat-Actor BEC Standard Operating Procedures (SOP)
- BEC Investigative Methodology
  - Deriving Indicators of Compromise (IOCs) from SOPs
  - Reviewing M365 Log & Audit Data
- Introduction to SOF-ELK
  - Exporting and Investigating M365 Data with SOF-ELK
  - SOF-ELK Tips, Tricks & Queries (hands-on lab)
- An M365 BEC Case Study
  - An Overview of the M365 “Unified Audit Log” (UAL)
  - Investigating an M365 BEC Case Using SOF-ELK and the M365 UAL (hands-on lab)
FAQ
Student Knowledge: A basic familiarity with M365 is beneficial but not required.
About the Instructor
Patterson Cake
Bio
Patterson Cake has worked in cybersecurity for more than two decades, specializing in the development of incident-response teams, programs, and processes. He is currently the Director of Incident Response for Black Hills Information Security, holds more than twenty-five industry certifications, is a former SANS instructor, teaches for Antisyphon, and has trained law enforcement, military, and national cybersecurity organizations on four continents. Patterson is the creator of the “Incident Response Capabilities Matrix Model,” developed “Rapid Triage Workflow” for IR investigations, is a prolific speaker, and is actively involved in the cybersecurity community.
Related products
- Workshop: Foundational Application Security Training (Bill McCauley, live, 4 hrs)
- Linux Forensics (Hal Pomeranz, live or on-demand, 32 hrs)
- Advanced Endpoint Investigations (Alissa Torres, live or on-demand, 16 hrs)
- Incident Response Simplified (Patterson Cake, live, 8 hrs)

