
detecting-business-email-compromise

by mukul975

The detecting-business-email-compromise skill helps analysts, SOC teams, and incident responders identify BEC attempts using email-header checks, social-engineering clues, detection logic, and response-oriented workflows. Use it as a practical detecting-business-email-compromise guide for triage, validation, and containment.

Stars: 6.1k
Favorites: 0
Comments: 0
Added: May 9, 2026
Category: Incident Response
Install Command
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-business-email-compromise
Curation Score

This skill scores 82/100, which means it is a solid listing candidate for directory users who need a BEC-focused detection workflow. The repository shows real operational content—structured detection workflows, a template, standards references, and runnable scripts—so an agent can likely trigger and use it with less guesswork than a generic prompt. Users should still expect some adoption friction because the SKILL.md excerpt does not show an install command or a fully visible end-to-end quick-start in the evidence provided.

Strengths
  • Clear BEC-specific trigger and use cases for incident investigation, rule building, and SOC analysis.
  • Strong operational support from workflow docs, detection templates, and standards/reference files.
  • Repository includes scripts for email/header analysis and BEC indicator detection, showing real workflow leverage.
Cautions
  • The evidence does not show an install command in SKILL.md, which may make onboarding less immediate.
  • Some file excerpts are truncated, so users may need to inspect the repo for full execution details and edge-case handling.
Overview

Overview of detecting-business-email-compromise skill

What this skill does

The detecting-business-email-compromise skill helps you identify and triage Business Email Compromise (BEC) attempts by combining email-header checks, social-engineering clues, and response-oriented detection logic. It is best for analysts, SOC teams, and incident responders who need a practical detecting-business-email-compromise guide rather than a generic phishing prompt.

Best-fit use cases

Use this skill when an email requests a wire, changes vendor banking details, pressures someone to act fast, or appears to come from an executive or trusted partner. It also fits incident-response work when you need to confirm whether the message was merely delivered, whether similar messages reached other mailboxes, or whether an account compromise has already started.

What makes it different

This repository is not just awareness content. It includes detection categories, workflow logic, standards mapping, and scripts that support analysis of headers and message content. That makes the install decision easier for teams that want operational detection support, not just policy language.

How to Use detecting-business-email-compromise skill

Install and inspect the skill

Install the detecting-business-email-compromise skill with your directory’s normal skill workflow, then open skills/detecting-business-email-compromise/SKILL.md first. Read references/workflows.md for the investigation flow, references/standards.md for rule categories and control mapping, and references/api-reference.md for header and pattern examples before trying to adapt it.

Give the skill the right inputs

The skill works best when you provide the email source, the suspected business context, and the decision you want it to support. Strong inputs name the sender, recipient, display name, message body, headers, and what triggered concern.

Example input shape:

  • “Review this .eml for CEO impersonation and payment redirection.”
  • “Check whether this vendor email is a BEC attempt or a normal invoice change.”
  • “Analyze these headers and body text for reply-to mismatch and urgency language.”

Turn a rough ask into a usable prompt

A weak prompt says, “Detect BEC.” A stronger prompt says: “Use the detecting-business-email-compromise skill to assess this inbound message for BEC indicators. Focus on display-name spoofing, reply-to mismatch, payment change language, urgency pressure, and whether the headers suggest spoofing or account compromise. Return likely BEC type, confidence drivers, and immediate containment steps.”

Practical workflow for better output

Start with the message and headers, then ask for classification, indicators, and next action. If you already know the scenario, say whether it is CEO fraud, invoice fraud, gift card fraud, or account compromise. That lets the skill prioritize the right indicators instead of scoring every generic phishing trait equally.

detecting-business-email-compromise skill FAQ

Is this better than a normal prompt?

Yes, if you need repeatable analysis. A plain prompt can spot obvious phishing, but the detecting-business-email-compromise skill is more useful when you want BEC-specific checks such as executive impersonation, payment-change requests, forwarding-rule abuse, and incident-response follow-up.

Can beginners use it?

Yes, but only if they can provide the email text or header data. Beginners get the most value from the detecting-business-email-compromise guide when they treat it as a structured checklist for one suspicious message, not as a broad cybersecurity encyclopedia.

What are the main boundaries?

This skill is designed for BEC detection and response, not malware analysis or generic spam filtering. If the problem is a malicious attachment, credential-harvest page, or endpoint compromise with no email component, this is the wrong primary skill.

When should I not install it?

Skip it if your team only needs high-level awareness training. Also skip it if you cannot inspect message metadata, or if your workflow never handles finance, HR, executive mail, or vendor-payment requests, because those are the areas where this skill fits best.

How to Improve detecting-business-email-compromise skill

Provide evidence, not just suspicion

The detecting-business-email-compromise skill improves when you include From, Reply-To, display name, subject, body text, and Authentication-Results. If you have the raw .eml, attach that instead of summarizing it, because header alignment and reply-path differences often decide the result.
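To show what "header alignment and reply-path differences" look like in practice, here is an added triage helper that is not part of the skill listing or of the mukul975 repository. It parses a raw .eml with Python's standard `email` package, pulls out the fields named above (From, Reply-To, display name, Subject, body, Authentication-Results), and flags the indicators the prompt guidance mentions: reply-to mismatch, an executive title in the display name, authentication failures, urgency language, and payment-change language. The sample message, the keyword lists, the scoring threshold, and the `triage_bec` function are all constructed for this example.

```python
"""
Added example (not code from the skill listing or the mukul975 repository):
a small BEC triage helper that extracts the header and body fields the text
names from a raw .eml and flags common BEC indicators. Header names are
standard RFC 5322 / RFC 8601 fields; the sample message is constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a payment-redirection message whose Reply-To points at a
# different domain than the visible From address, with failing SPF/DMARC.
SAMPLE_EML = """\
From: "Jane Doe (CEO)" <jane.doe@example-corp.com>
Reply-To: jane.doe.ceo@example-mail.test
To: accounts@example-corp.com
Subject: Urgent wire needed today
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-mail.test;
 dkim=none; dmarc=fail header.from=example-corp.com
Content-Type: text/plain; charset=utf-8

Hi, I need you to update the vendor bank details and send the wire before
end of day. I am in a meeting, so reply to this email only. Thanks.
"""

# Constructed keyword lists; a production rule set would be broader and tuned.
URGENCY_TERMS = ("urgent", "today", "immediately", "before end of day", "asap")
PAYMENT_TERMS = ("wire", "bank details", "payment", "invoice", "gift card")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(value: str) -> dict:
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value or "", re.IGNORECASE)
        results[method] = m.group(1).lower() if m else "missing"
    return results


def triage_bec(raw_eml: str) -> dict:
    """Parse a raw message and return the indicators a BEC triage would check."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    indicators = {
        # Reply path lands on a different domain than the visible sender.
        "reply_to_mismatch": bool(reply_addr)
        and domain_of(reply_addr) != domain_of(from_addr),
        # Display name carries an executive title the address itself cannot prove.
        "display_name_title": bool(
            re.search(r"\b(ceo|cfo|president|director)\b", from_name, re.IGNORECASE)
        ),
        # Any SPF/DKIM/DMARC failure recorded by the receiving MTA.
        "auth_failure": any(v in ("fail", "softfail") for v in auth.values()),
        "urgency_language": any(t in text for t in URGENCY_TERMS),
        "payment_change_language": any(t in text for t in PAYMENT_TERMS),
    }
    score = sum(indicators.values())
    return {
        "from": from_addr,
        "reply_to": reply_addr,
        "auth": auth,
        "indicators": indicators,
        "score": score,
        # Constructed threshold: three or more indicators warrants escalation.
        "verdict": "likely BEC" if score >= 3 else "review manually",
    }


if __name__ == "__main__":
    for key, value in triage_bec(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The output for the sample is a structured record (sender, reply path, authentication verdicts, indicator flags, score) rather than a bare yes/no, which is the same shape of evidence the skill asks you to supply: an analyst can attach the raw .eml and these fields together so the reply-path and alignment checks are reproducible instead of summarized from memory.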

Tell it which BEC pattern you suspect

A stronger prompt names the likely pattern: CEO fraud, invoice fraud, attorney impersonation, data theft, or account compromise. That helps the skill weigh urgency language, vendor-payment edits, executive titles, or HR data requests more accurately.

Watch for common failure modes

The most common mistake is asking for a verdict without context. Another is omitting the finance or business process details that make a message risky, such as who is authorized to approve payments or whether the sender is a known vendor. If you want better results from the skill, supply that operational context up front.

Iterate after the first pass

After the first output, ask for one narrower follow-up: “List the strongest indicators only,” “Show why this is or is not account compromise,” or “Draft the containment steps for finance and SOC.” That keeps the skill focused and turns the first analysis into a usable incident-response action plan.

Ratings & Reviews

No ratings yet