BEC-001 · High · Financial Fraud · Blocked · 4 tools · ~15 min walkthrough

CEO Wire Fraud

A threat actor impersonates CEO M. Reynolds using m-reynolds-ceo@gmail.com and emails j.whitfield asking for a $47,500 wire transfer to Trident Capital Partners LLC. MailGuard catches it as THREAT-002 and blocks the email. SOAR playbook PB-008 triggers, though it's currently in draft. Meanwhile, Identity flags a suspicious inbox rule on j.whitfield's account that forwards emails with keywords like "invoice", "wire", and "payment" to an external address, suggesting prior account access.

Attack chain

01 Impersonation: Gmail lookalike m-reynolds-ceo@gmail.com (T1583.008)
02 BEC email: wire request to j.whitfield, $47,500 to Trident Capital Partners (T1566.001)
03 Intercepted: MailGuard blocks THREAT-002; SOAR PB-008 (draft) triggered (T1657)
Tool involvement

Email: BEC-001 · THREAT-002 (blocked, Gmail impersonation), see BEC Cases
Identity: RISK-011 — j.whitfield inbox rule forwarding invoice/wire/payment keywords, see Protection
SOAR: CASE-2024-0218 · PB-008 BEC Wire Fraud Prevention (draft), see Cases
CASB: DLP-002 — j.whitfield WeTransfer to acme-industr1al.com, see DLP
Key concepts covered

Techniques in this scenario

BEC (Business Email Compromise): impersonating an executive or vendor to trick employees into transferring money or data.
Lookalike domain: a domain that looks like a legitimate one at a glance. Here it's a Gmail address with the CEO's name rather than a real corporate domain.
Inbox rule: a mail forwarding rule set by an attacker after gaining access, used to silently copy emails to an external address for reconnaissance.
Draft playbook: PB-008 exists but hasn't been approved for production. A good discussion point: what's the risk of a playbook that fires but can't take action?
Instructor walkthrough

Click each step to expand. Open the linked tool page, walk through what's there, then ask the discussion questions.

01 Email: Show the BEC email and why it's hard to spot

Open MailGuard and go to BEC Cases. Find BEC-001. Then go to Threats and open THREAT-002. Show the email: it's from m-reynolds-ceo@gmail.com addressed to j.whitfield, asking for a wire transfer that needs to go out today. Point out what makes it convincing: the sender name matches the CEO, the request has urgency baked in, and it asks to keep it confidential. The only giveaway is the Gmail domain.

Ask: What are the red flags in this email that an end user might miss? What training would help them spot it?
Ask: Why does the attacker use a Gmail address instead of spoofing the real domain? What's the tradeoff for them?
02 Identity: Find the suspicious inbox rule

Open Identity and go to Protection. Find RISK-011 for j.whitfield. Show the inbox forwarding rule: emails containing "invoice", "wire", "payment", or "transfer" are being silently forwarded to billing@acme-industr1al.com — the same homoglyph domain used in VF-001. This rule was created from IP 203.0.113.99 (unknown external) and wasn't created by j.whitfield. It suggests the attacker already had access to the mailbox before sending the BEC email, possibly doing financial workflow reconnaissance first.

Ask: Why would an attacker set up an inbox rule before sending a BEC email? What information are they gathering?
Ask: How would you detect inbox forwarding rules being created at scale across the organization?
03 SOAR: Look at the draft playbook

Open SOAR and go to Cases. Find CASE-2024-0218. Then go to Playbooks and open PB-008 BEC Wire Fraud Prevention. Show that it's in draft status, which means it fired but couldn't take automated action. Walk through what the playbook would do if approved: notify the finance team, put a hold on outbound wire transfers, quarantine the email thread, and kick off an identity investigation for j.whitfield. This is a good moment to discuss how an incomplete playbook still creates value by surfacing the case.

Ask: A playbook in draft fires but can't act. Is that better or worse than no playbook at all?
Ask: What approval process should exist before a BEC playbook is allowed to automatically freeze wire transfers?
04 CASB: Check CASB for related data movement

Open CASB and go to DLP. Find DLP-002 for j.whitfield: a WeTransfer upload to a destination containing acme-industr1al.com (a homoglyph domain: the "1" stands in for the "i" in "industrial"). This data transfer happened two hours after j.whitfield received the BEC email. It's possible j.whitfield was responding to the attacker. This connects BEC-001 to the VF-001 vendor fraud scenario and shows how attackers run parallel operations.

Ask: Does this WeTransfer upload prove that j.whitfield was compromised, or are there other explanations? How do you investigate further?
Ask: How does CASB catch the homoglyph domain? What detection method makes that possible?
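The two detection questions raised in steps 02 and 04 (spotting attacker-created inbox rules at scale, and catching a homoglyph domain) worked through as an added example; this is not code from the scenario or from any of the tools it references. It assumes an organisation domain of example.com, a trusted vendor domain acme-industrial.com and internal ranges 10.0.0.0/8 and 192.168.0.0/16, and the audit events are constructed to mirror RISK-011.

```python
import ipaddress

# Constructed assumptions: the org's own mail domain, its known-good vendor
# domains and its internal address ranges. None of these come from the scenario.
ORG_DOMAINS = {"example.com"}
TRUSTED_DOMAINS = {"acme-industrial.com"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
FINANCE_KEYWORDS = {"invoice", "wire", "payment", "transfer"}
# Fold each confusable character onto one representative of its look-alike class,
# so "1", "l" and "i" all compare equal; extend the table as needed.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

def normalize(domain: str) -> str:
    """Canonical look-alike form: 'industr1al' and 'industrial' both become 'lndustrlal'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def homoglyph_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    folded = normalize(domain)
    return next((t for t in trusted if normalize(t) == folded), None)

def assess_inbox_rule(event: dict) -> list:
    """Evaluate one 'inbox rule created' audit event; return the reasons it looks malicious."""
    reasons = []
    fwd_domain = event["forward_to"].rsplit("@", 1)[-1].lower()
    if fwd_domain not in ORG_DOMAINS:
        reasons.append(f"forwards mail outside the org to {fwd_domain}")
    if target := homoglyph_of(fwd_domain):
        reasons.append(f"{fwd_domain} is a homoglyph of trusted domain {target}")
    if hits := FINANCE_KEYWORDS & {k.lower() for k in event.get("keywords", [])}:
        reasons.append("filters on financial keywords: " + ", ".join(sorted(hits)))
    if event.get("created_by") != event["mailbox"]:
        reasons.append(f"created by {event['created_by']}, not the mailbox owner")
    ip = ipaddress.ip_address(event["source_ip"])
    if not any(ip in net for net in INTERNAL_NETS):
        reasons.append(f"created from external IP {ip}")
    return reasons

# Constructed events: the first mirrors RISK-011, the second is a benign self-service rule.
SAMPLE_EVENTS = [
    {"mailbox": "j.whitfield", "created_by": "unknown", "source_ip": "203.0.113.99",
     "forward_to": "billing@acme-industr1al.com",
     "keywords": ["invoice", "wire", "payment", "transfer"]},
    {"mailbox": "a.user", "created_by": "a.user", "source_ip": "10.0.0.15",
     "forward_to": "a.user@example.com", "keywords": ["newsletter"]},
]

if __name__ == "__main__":
    print({ev["mailbox"]: assess_inbox_rule(ev) or ["no findings"] for ev in SAMPLE_EVENTS})
```

Running the same function over every rule-creation event in the mailbox audit log, rather than over two constructed records, is what answers the "at scale" question: any event that returns more than one reason is worth a ticket.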