sudo-savvy:~$

~/tools/bec-checker

BEC Checker

Investigating a suspected Business Email Compromise? Enter the account's email address (its user principal name, UPN) and, as the investigation progresses, add the suspicious IPs you find: every hunt query below updates live and narrows to those IPs. Pick your hunting platform, Microsoft Defender XDR (Advanced Hunting, time column Timestamp) or Microsoft Sentinel (Log Analytics, time column TimeGenerated), and the queries rewrite themselves with the matching table and column names. The hunts cover access-origin triage, the attacker's mail objectives (inbox rules, forwarding, sent items), OAuth consent phishing, and persistence via device-code sign-ins and device or MFA registration; the portal steps cover the checks KQL can't reach. Nothing is sent anywhere: everything runs in your browser. Powered by the SudoTrace BEC module.

./configure --investigation
Not sure which data sources you have? Detect them:

Run the detection query once in your hunting portal. Every table it returns exists in your workspace (Rows > 0 means it has data in the last 7 days); tables absent from the results are ones your tenant or licence does not provide, because union isfuzzy=true drops legs whose table does not exist instead of failing the whole query. Then tick the boxes above to match what came back.

Entra ID P2: EntraIdSignInEvents · EntraIdSpnSignInEvents · SigninLogs (risk fields)
Defender for Office 365: EmailEvents · EmailUrlInfo · UrlClickEvents
Defender for Endpoint: DeviceLogonEvents
Defender for Cloud Apps: CloudAppEvents · OAuthAppInfo
Defender for Identity / UEBA: IdentityInfo
No extra licence: AuditLogs · GraphApiAuditEvents · MicrosoftGraphActivityLogs · base SigninLogs (these need Entra ID diagnostic settings exporting to the Sentinel workspace)
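The detection query itself is not reproduced on this page, so the following is an example written for this edit, not the BEC Checker's own query. It behaves as the text describes: each leg counts its own table, so a table that exists but is empty still shows Rows = 0, while a table the tenant does not have is skipped by isfuzzy=true. Table names are taken from the licence list above; the licence labels in the final projection mirror that list and are only there for readability. It is the Sentinel form; for Defender XDR Advanced Hunting change TimeGenerated to Timestamp. OAuthAppInfo is treated here as a snapshot table and counted without a time filter, which is an assumption of this example.

```kql
// Added example (not the BEC Checker's own query): probe which hunting tables
// exist in this workspace, using the table names from the licence list above.
// Each leg reports its own count, so an existing-but-empty table still appears
// with Rows = 0. A leg whose table does not exist is dropped by isfuzzy=true
// instead of failing the whole query.
// Sentinel / Log Analytics form; for Defender XDR Advanced Hunting replace
// TimeGenerated with Timestamp.
let window = 7d;
union isfuzzy=true
    (SigninLogs                 | where TimeGenerated > ago(window) | summarize Rows = count() | extend SourceTable = "SigninLogs"),
    (AuditLogs                  | where TimeGenerated > ago(window) | summarize Rows = count() | extend SourceTable = "AuditLogs"),
    (EntraIdSignInEvents        | where TimeGenerated > ago(window) | summarize Rows = count() | extend SourceTable = "EntraIdSignInEvents"),
    (EntraIdSpnSignInEvents     | where TimeGenerated > ago(window) | summarize Rows = count() | extend SourceTable = "EntraIdSpnSignInEvents"),
    (EmailEvents                | where TimeGenerated > ago(window) | summarize Rows = count() | extend SourceTable = "EmailEvents"),
    (EmailUrlInfo               | where TimeGenerated > ago(window) | summarize Rows = count() | extend SourceTable = "EmailUrlInfo"),
    (UrlClickEvents             | where TimeGenerated > ago(window) | summarize Rows = count() | extend SourceTable = "UrlClickEvents"),
    (DeviceLogonEvents          | where TimeGenerated > ago(window) | summarize Rows = count() | extend SourceTable = "DeviceLogonEvents"),
    (CloudAppEvents             | where TimeGenerated > ago(window) | summarize Rows = count() | extend SourceTable = "CloudAppEvents"),
    // Assumption of this example: OAuthAppInfo is a snapshot of app metadata,
    // so it is counted without a time window.
    (OAuthAppInfo               | summarize Rows = count() | extend SourceTable = "OAuthAppInfo"),
    (IdentityInfo               | where TimeGenerated > ago(window) | summarize Rows = count() | extend SourceTable = "IdentityInfo"),
    (GraphApiAuditEvents        | where TimeGenerated > ago(window) | summarize Rows = count() | extend SourceTable = "GraphApiAuditEvents"),
    (MicrosoftGraphActivityLogs | where TimeGenerated > ago(window) | summarize Rows = count() | extend SourceTable = "MicrosoftGraphActivityLogs")
// Label each table with the licence tier from the list above (readability only).
| extend Licence = case(
      SourceTable in ("EntraIdSignInEvents", "EntraIdSpnSignInEvents"), "Entra ID P2",
      SourceTable in ("EmailEvents", "EmailUrlInfo", "UrlClickEvents"),   "Defender for Office 365",
      SourceTable == "DeviceLogonEvents",                                 "Defender for Endpoint",
      SourceTable in ("CloudAppEvents", "OAuthAppInfo"),                  "Defender for Cloud Apps",
      SourceTable == "IdentityInfo",                                      "Defender for Identity / UEBA",
      "no extra licence")
| project Licence, SourceTable, Rows
| order by Licence asc, SourceTable asc
```

Read the output against the list above: a row with Rows > 0 is a live source, a row with Rows = 0 is a table that exists but has no data in the window (widen `window` before concluding the feed is dead), and a table with no row at all is not provisioned in this tenant.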
© 2026 Sudo Savvy