From Security Operations
Use this skill when Business Email Compromise (BEC) is suspected or confirmed for a client. Covers how to detect the signs from CIPP/M365 audit logs and connected email security vendor alerts, the immediate response sequence (session revocation, forwarding-rule audit, mailbox rule cleanup, password reset, MFA re-enrollment), and how to document the incident timeline for a client-facing report.
How this skill is triggered — by the user, by Claude, or both
Slash command
/secops-pack:bec-responseWhen to use
When Business Email Compromise is suspected or confirmed, or when signs of it need to be checked for proactively. Use when: BEC, business email compromise, invoice fraud, wire fraud email, suspicious forwarding rule, mailbox compromised, executive email compromised, phishing led to account takeover, someone is impersonating our client's email.
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Business Email Compromise is the highest financial-impact incident class
Business Email Compromise is the highest financial-impact incident class most MSPs handle, and it is also one of the easiest to miss early because the attacker's goal is to look exactly like the legitimate mailbox owner for as long as possible. There is rarely a malware payload to detect — the "malware" is a valid session token and a quietly added inbox rule. This skill covers how to detect BEC from the connected M365 tenant and any connected email security vendor, and the response sequence once it's confirmed or strongly suspected.
Call conduit__search_tools to confirm which of CIPP, the M365/Entra
connector, and an email security vendor (Mimecast / Proofpoint / Abnormal /
Ironscales / Avanan / SpamTitan) are actually connected for this client. CIPP
is the primary source for this skill — it exposes M365 audit logs, mailbox
rules, and BEC-specific checks directly. If CIPP is not connected, note that
explicitly: the detection signs below still apply conceptually, but they
must be checked through whatever admin console access is available instead.
An email security vendor, if connected, adds inbound-side signal (the
phishing message that led to the compromise) that CIPP alone won't show.
Pull these signals — do not wait for all of them before acting on strong individual signals, but corroborate wherever possible:
| Signal | Where to look | What it looks like |
|---|---|---|
| Anomalous sign-in | CIPP / Entra audit logs | Impossible travel, sign-in from an unfamiliar ASN/country, sign-in immediately followed by mailbox configuration changes |
| New or modified inbox rule | CIPP mailbox rule listing | A rule that forwards, deletes, or moves messages matching finance/invoice/wire-related keywords — especially rules that move matching mail straight to an obscure folder or delete it, hiding replies from the real recipient |
| External forwarding rule | CIPP mailbox rule / forwarding configuration | Auto-forward to an external domain the organization doesn't use, often silently enabled without a visible rule in the client UI |
| BEC-pattern indicators | CIPP's BEC-focused check (e.g. cipp__bec_check-style tooling — confirm the exact tool name via conduit__search_tools) | Correlated signals CIPP flags specifically as BEC-shaped: new inbox rule plus anomalous sign-in plus external forwarding in the same session |
| Inbound phishing / impersonation alert | Connected email security vendor | A message that impersonates a vendor, executive, or the client's own domain, especially one referencing an invoice, wire transfer, or payment change |
| Reported anomaly from the client | PSA ticket / direct report | "This doesn't look like an email I sent," a client asking to confirm a wire change, or a vendor asking whether a payment-details email was legitimate |
Any one of these alone is enough to open an investigation. The combination of an anomalous sign-in plus a new inbox/forwarding rule in the same session is close to a confirmed BEC and should move straight to the response sequence below rather than waiting for further corroboration.
Order matters — earlier steps stop later damage; doing them out of order leaves gaps:
A BEC incident report needs a defensible, chronological record — clients frequently need this for a cyber-insurance claim or a bank fraud dispute. Capture, with timestamps for each:
For building the full client-facing report, hand this off to the
Incident Timeline Builder agent
or the /secops-pack:incident-report command — this skill covers detection
and first response; the timeline builder assembles the complete
chronological narrative across every connected system.
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin secops-packGuides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Dispatches multiple subagents concurrently for independent tasks without shared state. Use when facing 2+ unrelated failures or subsystems that can be investigated in parallel.