Log Reconstruction & Threat Hunting: Deep-Dive into Automated Business Email Compromise

Brya Patterson, Winter 2025, University of Washington, MS Information Management (MSIM)

Executive Summary

  1. The Mission: Conduct a deep-dive forensic investigation into a multi-stage Business Email Compromise (BEC) attack as part of the UW MSIM Cybersecurity curriculum. The goal was to reconstruct a fragmented 360 MB Unified Audit Log (UAL) to identify the "blast radius" of a 30-day intrusion.
  2. Impact: The investigation uncovered the compromise of about 20 unique user accounts and the automated exfiltration of over 5,000 sensitive mail items via "mailbox dumping" scripts.
  3. Core Capabilities: Utilized Python (Pandas) and DuckDB for log normalization and SQL-based behavioral analysis, mapping attacker tactics to the MITRE ATT&CK® Framework (T1566, Phishing, and T1114.002, Remote Email Collection).



The Results

The analysis identified a sophisticated tenant-level takeover. The attacker operated through a distributed proxy network and used scripted access, visible in the log as runs of events with a 0-second gap between them, to stay below baseline alerting thresholds. Most critically, the project documented a privilege escalation in which the SYSTEM account granted FullAccess to the Discovery Search Mailbox, giving the attacker global search across the firm's mailboxes.


Forensic Log Reconstruction

Merged over 100,000 records from fragmented CSV exports and normalized mixed-format timestamps to UTC, then loaded the dataset into DuckDB for high-performance SQL analysis.

Threat Hunting & Automation

Identified "Bridge IPs" shared across compromised accounts and used authentication velocity (the time between successive events for one account) to demonstrate scripted automation. Uncovered inbox rules that silenced alerts and enabled conversation-thread hijacking.

Remediation Strategy

Developed a recovery plan focusing on session revocation, programmatic removal of malicious rules, and the transition toward a Zero Trust architecture.

Overview

This forensic investigation reconstructs a sophisticated, multi-stage Business Email Compromise (BEC) attack targeting a professional services firm. What began as a single credential-phishing link in early August evolved into a 30-day intrusion that compromised over 20 unique user accounts. By analyzing about 300 MB of fragmented Microsoft 365 Unified Audit Logs, this study unmasks the technical maneuvers the attackers used to move from simple identity theft to a total tenant-level administrative takeover.

By leveraging Python-based log normalization and behavioral anomaly detection, the investigation identifies how the attacker bypassed security baselines using distributed proxy networks and automated "mailbox dumping" scripts to exfiltrate over 5,000 sensitive items.

Analytical Framework: Investigation Methodology

To transform fragmented raw datasets into a defensible attacker timeline, the analysis was structured around four forensic objectives:

  1. Log Reconstruction: Merging fragmented CSV files and standardizing 100,000+ mixed timestamps into a consistent UTC "source of truth".
  2. Behavioral Telemetry: Using SQL window functions to calculate "Authentication Velocity" (the time between consecutive events for the same account); runs of sub-second and 0-second gaps across hundreds of events indicate automated scripting rather than interactive use.
  3. Persistence Detection: Identifying hidden "AlwaysDelete" inbox rules used to silence security alerts and vendor replies, and the unauthorized FullAccess grant on the Discovery Search Mailbox (eDiscovery) that gave the attacker tenant-wide search.
  4. Blast Radius Quantification: Mapping the "Bridge IP" across the environment to identify every compromised account and stolen mail item.
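
The four objectives above, worked through as one added example (this is not code from the case study, which used Pandas and DuckDB): it merges three constructed CSV fragments that use different timestamp styles, deduplicates on a record ID where the exports overlap, normalizes every stamp to UTC, and runs the velocity and bridge-IP hunts as window-function SQL. SQLite from the standard library stands in for DuckDB so it runs offline; the column names, sample records, IPs, accounts and the rule that zone-less timestamps are UTC are all assumptions.

```python
"""Reconstruct fragmented UAL CSV exports, normalise timestamps to UTC, and hunt
for scripted mailbox access and bridge IPs with SQL window functions."""
import csv
import io
import re
import sqlite3
from datetime import datetime, timezone

# Constructed fragments shaped like Unified Audit Log CSV exports. Each uses a
# different timestamp style; fragment 2 overlaps fragment 1 (record a4).
FRAGMENTS = [
"""RecordId,CreationDate,UserIds,Operations,ClientIP
a1,2025-08-04T09:15:02.0000000Z,alice@example.com,UserLoggedIn,203.0.113.10
a3,2025-08-05T22:41:09.0000000Z,alice@example.com,UserLoggedIn,198.51.100.7
a4,2025-08-05T22:41:30.0000000Z,alice@example.com,MailItemsAccessed,198.51.100.7
""",
"""RecordId,CreationDate,UserIds,Operations,ClientIP
a4,8/5/2025 10:41:30 PM,alice@example.com,MailItemsAccessed,198.51.100.7
a5,8/5/2025 10:41:30 PM,alice@example.com,MailItemsAccessed,198.51.100.7
a6,8/5/2025 10:41:30 PM,alice@example.com,MailItemsAccessed,198.51.100.7
a7,8/5/2025 10:41:31 PM,alice@example.com,MailItemsAccessed,198.51.100.7
a8,8/5/2025 10:41:31 PM,alice@example.com,MailItemsAccessed,198.51.100.7
b1,8/6/2025 3:02:44 AM,bob@example.com,UserLoggedIn,198.51.100.7
""",
"""RecordId,CreationDate,UserIds,Operations,ClientIP
b2,2025-08-05T20:10:15-07:00,bob@example.com,MailItemsAccessed,198.51.100.7
b3,2025-08-05T20:25:40-07:00,bob@example.com,MailItemsAccessed,198.51.100.7
c1,2025-08-05T21:00:00-07:00,carol@example.com,UserLoggedIn,198.51.100.7
c2,2025-08-06T08:30:00-07:00,carol@example.com,UserLoggedIn,203.0.113.55
""",
]

TIMESTAMP_FORMATS = (
    "%Y-%m-%dT%H:%M:%S%z",     # ISO 8601 with offset (a trailing Z is rewritten below)
    "%m/%d/%Y %I:%M:%S %p",    # US style, as left behind when an export passed through Excel
    "%Y-%m-%d %H:%M:%S",       # zone-less; assumed UTC (confirm against the export settings)
)

def to_utc_epoch(raw: str) -> int:
    """Normalise a mixed-format timestamp to integer UTC epoch seconds."""
    s = raw.strip()
    if s.endswith("Z"):
        s = s[:-1] + "+0000"
    s = re.sub(r"\.\d+", "", s)   # exports carry up to 7 fractional digits; seconds suffice
    for fmt in TIMESTAMP_FORMATS:
        try:
            dt = datetime.strptime(s, fmt)
        except ValueError:
            continue
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)   # assumption: naive stamps are UTC
        return int(dt.timestamp())
    raise ValueError(f"unrecognised timestamp: {raw!r}")

def load_fragments(fragments):
    """Merge fragments into one deduplicated, time-ordered record list."""
    seen = {}
    for frag in fragments:
        for row in csv.DictReader(io.StringIO(frag)):
            if row["RecordId"] in seen:      # overlapping exports repeat records
                continue
            seen[row["RecordId"]] = (row["RecordId"], to_utc_epoch(row["CreationDate"]),
                                     row["UserIds"].lower(), row["Operations"], row["ClientIP"])
    return sorted(seen.values(), key=lambda r: r[1])

def build_db(rows):
    """Load normalised rows into in-memory SQLite (stand-in for DuckDB; the queries
    below use only window functions and aggregates both engines support)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ual (record_id TEXT PRIMARY KEY, ts INTEGER, "
                "user_id TEXT, op TEXT, ip TEXT)")
    con.executemany("INSERT INTO ual VALUES (?, ?, ?, ?, ?)", rows)
    return con

# Velocity: seconds between consecutive events of the same account. People do
# not produce runs of 0-second gaps; scripts do.
VELOCITY_SQL = """
WITH seq AS (
    SELECT user_id, ip, ts,
           ts - LAG(ts) OVER (PARTITION BY user_id ORDER BY ts) AS gap
    FROM ual WHERE op = ?)
SELECT user_id, ip, COUNT(*) AS events,
       SUM(CASE WHEN gap = 0 THEN 1 ELSE 0 END) AS zero_gap_events
FROM seq GROUP BY user_id, ip
HAVING SUM(CASE WHEN gap = 0 THEN 1 ELSE 0 END) >= ?
ORDER BY zero_gap_events DESC"""

# Bridge IP: one source address authenticating as several accounts.
BRIDGE_SQL = """
SELECT ip, COUNT(DISTINCT user_id) AS accounts,
       GROUP_CONCAT(DISTINCT user_id) AS users   -- string_agg in DuckDB
FROM ual WHERE op = 'UserLoggedIn'
GROUP BY ip HAVING COUNT(DISTINCT user_id) >= ?
ORDER BY accounts DESC"""

def scripted_bursts(con, op="MailItemsAccessed", min_zero_gaps=2):
    return con.execute(VELOCITY_SQL, (op, min_zero_gaps)).fetchall()

def bridge_ips(con, min_accounts=2):
    return con.execute(BRIDGE_SQL, (min_accounts,)).fetchall()

if __name__ == "__main__":
    con = build_db(load_fragments(FRAGMENTS))
    print("scripted bursts:", scripted_bursts(con))
    print("bridge IPs:", bridge_ips(con))
```

The same `CreationDate` appears in three styles across the fragments; normalizing before loading is what makes the `LAG` arithmetic meaningful, and deduplicating on the record ID rather than on the timestamp is what keeps the genuine 0-second bursts from being collapsed as duplicates.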

Key Insights

  • Scripted Velocity: The attacker utilized automated tools to access mailboxes in bursts, often accessing hundreds of items with a 0-second gap between events.
  • The "AlwaysDelete" Maneuver: Malicious rules were deployed to automatically move vendor replies and security warnings to hidden folders (e.g., RSS Feeds), allowing the attacker to operate undetected for 30 days.
  • Administrative Takeover: The attack culminated in an unauthorized escalation where the SYSTEM account granted FullAccess to the Discovery Search Mailbox, providing the attacker global search capabilities across the entire firm.
  • Financial Thread Hijacking: The attacker specifically targeted active invoice threads, inserting fraudulent banking details into trusted, existing email chains.
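
The "AlwaysDelete" rules and the Discovery Search Mailbox grant described above, as detection logic over sample records (an added example, not the case study's own code): it flattens the `Parameters` array that UAL Exchange admin records carry, flags inbox rules that hide or delete mail and notes what they filter on, and flags `FullAccess` grants, rating any grant on the Discovery Search Mailbox as critical. The five `AuditData` payloads, the account names, IPs, the SYSTEM actor string and the mailbox identity are constructed to mirror the shape of real records, not copied from any log.

```python
"""Hunt UAL Exchange admin records for BEC persistence: inbox rules that hide or
delete mail, and FullAccess grants on the Discovery Search Mailbox."""
import json

# Folders a user rarely opens; the classic place for a BEC rule to park replies.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items",
                  "archive", "conversation history"}
# Words a financially motivated rule filters on to catch invoices and warnings.
LURE_WORDS = ("invoice", "payment", "wire", "remittance", "bank", "password",
              "security", "suspicious", "sign-in")
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Constructed AuditData payloads shaped like UAL records (Operation, UserId,
# ClientIP, Parameters as Name/Value pairs). Records 3 and 5 are benign controls.
SAMPLE_AUDITDATA = [
    r'''{"CreationTime": "2025-08-07T01:12:40", "Operation": "New-InboxRule",
         "UserId": "alice@example.com", "ClientIP": "198.51.100.7",
         "Parameters": [{"Name": "Name", "Value": "AlwaysDelete"},
                        {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;remittance;security alert"},
                        {"Name": "MoveToFolder", "Value": "alice@example.com\\RSS Feeds"},
                        {"Name": "MarkAsRead", "Value": "True"},
                        {"Name": "StopProcessingRules", "Value": "True"}]}''',
    r'''{"CreationTime": "2025-08-09T03:40:02", "Operation": "New-InboxRule",
         "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
         "Parameters": [{"Name": "Name", "Value": "."},
                        {"Name": "FromAddressContainsWords", "Value": "vendor-billing"},
                        {"Name": "DeleteMessage", "Value": "True"}]}''',
    r'''{"CreationTime": "2025-08-09T14:05:19", "Operation": "New-InboxRule",
         "UserId": "carol@example.com", "ClientIP": "203.0.113.55",
         "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                        {"Name": "FromAddressContainsWords", "Value": "news@"},
                        {"Name": "MoveToFolder", "Value": "Newsletters"},
                        {"Name": "MarkAsRead", "Value": "True"}]}''',
    r'''{"CreationTime": "2025-08-20T22:58:51", "Operation": "Add-MailboxPermission",
         "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)",
         "Parameters": [{"Name": "Identity", "Value": "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"},
                        {"Name": "User", "Value": "alice@example.com"},
                        {"Name": "AccessRights", "Value": "FullAccess"}]}''',
    r'''{"CreationTime": "2025-08-21T09:10:00", "Operation": "Add-MailboxPermission",
         "UserId": "admin@example.com",
         "Parameters": [{"Name": "Identity", "Value": "shared-hr@example.com"},
                        {"Name": "User", "Value": "bob@example.com"},
                        {"Name": "AccessRights", "Value": "ReadPermission"}]}''',
]

def parameters(audit: dict) -> dict:
    """Flatten the UAL Parameters array into {name: value}; values stay strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in audit.get("Parameters", [])}

def rule_indicators(params: dict) -> list:
    """Reasons an inbox rule looks like BEC persistence; [] when it has no hiding
    action (moving mail to a visible folder is ordinary user behaviour)."""
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    folder = params.get("MoveToFolder", "").split("\\")[-1].strip().lower()
    if folder in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to rarely-viewed folder '{folder}'")
    if not reasons:
        return []
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks mail as read")
    words = " ".join(v for k, v in params.items() if k.endswith("ContainsWords")).lower()
    hits = [w for w in LURE_WORDS if w in words]
    if hits:
        reasons.append("filters on " + ", ".join(hits))
    if not params.get("Name", "").strip(". "):     # names like "." or ".."
        reasons.append("near-empty rule name")
    return reasons

def hunt_persistence(auditdata_records) -> list:
    """Scan AuditData JSON strings and return findings in record order."""
    findings = []
    for raw in auditdata_records:
        audit = json.loads(raw)
        op, params = audit.get("Operation", ""), parameters(audit)
        if op in RULE_OPS:
            reasons = rule_indicators(params)
            if reasons:
                findings.append({"type": "inbox-rule", "severity": "high",
                                 "actor": audit.get("UserId"), "ip": audit.get("ClientIP"),
                                 "rule": params.get("Name"), "reasons": reasons})
        elif op == "Add-MailboxPermission" and "FullAccess" in params.get("AccessRights", ""):
            target = params.get("Identity", "")
            # The Discovery Search Mailbox holds eDiscovery results: FullAccess
            # there is effectively tenant-wide read, whoever the actor is.
            critical = "discoverysearchmailbox" in target.lower().replace(" ", "")
            findings.append({"type": "mailbox-permission",
                             "severity": "critical" if critical else "review",
                             "actor": audit.get("UserId"), "target": target,
                             "grantee": params.get("User"), "rights": params.get("AccessRights")})
    return findings

if __name__ == "__main__":
    for finding in hunt_persistence(SAMPLE_AUDITDATA):
        print(finding)
```

The rule check keys on the hiding action first and only then on keywords and `MarkAsRead`, so a user's genuine "Newsletters" rule is not reported while a rule that quietly files "invoice" and "security" mail under RSS Feeds is; the permission check reports the actor string as found, which is how a grant performed under the SYSTEM identity surfaces for review.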

Remediation Roadmap

  • Immediate Containment: Revocation of all compromised account sessions and programmatic deletion of identified malicious inbox rules.
  • Strategic Defense: Enforce Multi-Factor Authentication (MFA) for all accounts and disable legacy authentication protocols (POP/IMAP and other Basic Authentication endpoints), which cannot enforce MFA and are the usual channel for automated credential testing.
  • Zero Trust Architecture: Transitioning from perimeter-based security to a Zero Trust model to mitigate the impact of administrative privilege escalation.
