detecting-email-account-compromise
by mukul975
detecting-email-account-compromise helps incident responders and SOC analysts investigate Microsoft 365 and Google Workspace mailbox takeover by checking suspicious sign-ins, inbox rule abuse, external forwarding, OAuth grants, and Graph/audit-log activity. Use it as a practical guide for fast triage.
This skill scores 78/100 because it has a credible, real incident-response workflow for detecting email account compromise and enough supporting artifacts for users to judge fit. Directory users should see it as a solid install candidate for Microsoft 365/Google Workspace compromise investigations, with some caveats around workflow completeness and onboarding clarity.
- SKILL.md clearly states the trigger and use case: detect compromised O365 and Google Workspace accounts by analyzing inbox rules, suspicious sign-ins, forwarding rules, and API access patterns.
- The repository includes practical support material: an API reference for Microsoft Graph endpoints and a Python script that analyzes inbox rules, sign-in logs, and OAuth grants.
- Frontmatter is valid and rich in operational tags and MITRE mapping, which helps agents and users understand scope quickly.
- No install command or quick-start guidance is provided, so users must infer setup and execution steps from the script and reference docs.
- The workflow appears Microsoft-Graph-centric despite mentioning Google Workspace in the description, which may limit clarity for non-Microsoft environments.
Overview of detecting-email-account-compromise skill
The detecting-email-account-compromise skill helps you investigate mailbox takeover in Microsoft 365 and Google Workspace by looking for the signals that matter most: suspicious sign-ins, inbox rule abuse, external forwarding, and unusual API or OAuth access. It is best for incident responders, SOC analysts, and email admins who need a fast, evidence-driven way to decide whether an account is merely noisy or truly compromised.
What this detecting-email-account-compromise skill does
This detecting-email-account-compromise skill focuses on triage and detection, not generic email security advice. It aligns with incident response workflows where you need to connect mailbox behavior to identity events and persistence mechanisms, especially for BEC-style intrusions.
Best-fit use cases
Use it when you have alerts about strange forwarding rules, deleted messages, unusual login locations, or suspicious Graph activity. It is also useful when you need a repeatable detecting-email-account-compromise guide for validating whether a mailbox has been used for exfiltration or lateral phishing.
What makes it useful in IR
The practical value is correlation: inbox rule changes, sign-in anomalies, and OAuth grants often tell a clearer story together than in isolation. A single sign-in from an unfamiliar country is weak evidence on its own; the same sign-in followed minutes later by a new rule that forwards mail to an external address and deletes the originals is strong evidence. In an incident response setting, that means faster scoping, better evidence collection, and fewer false positives from one-off login noise.
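The correlation described above, as an added Python example written for this page (it is not code from the skill repository or its scripts/agent.py). Record shapes follow the Microsoft Graph messageRule, signIn and oAuth2PermissionGrant resources and the Microsoft 365 unified audit log record for New-InboxRule; the sample records, the scoring weights, the 60-minute correlation window, and the ORG_DOMAIN and KNOWN_COUNTRIES baselines are constructed assumptions you would replace with your own tenant's exports and values.

```python
"""Correlate inbox rules, sign-ins, OAuth grants and audit events into one verdict.

Added example; not the skill's own code. Sample records, weights and baselines
below are constructed assumptions, not real tenant data.
"""
from datetime import datetime, timedelta, timezone

ORG_DOMAIN = "company.com"                  # assumed tenant mail domain
KNOWN_COUNTRIES = {"US"}                    # assumed sign-in baseline for this user
FINANCIAL_KEYWORDS = {"invoice", "payment", "wire", "bank", "password"}
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "MailboxSettings.ReadWrite", "offline_access"}
CORRELATION_WINDOW = timedelta(minutes=60)  # assumed sign-in to rule-creation gap

# Constructed samples in Graph / audit-log shape.
SAMPLE_RULES = [
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive.mail@outlook.com"}}],
                 "delete": True, "markAsRead": True}},
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "folder-id-newsletters"}},
]
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T13:02:11Z", "ipAddress": "203.0.113.7",
     "location": {"countryOrRegion": "US", "city": "Denver"},
     "riskLevelDuringSignIn": "none", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T13:40:55Z", "ipAddress": "198.51.100.23",
     "location": {"countryOrRegion": "NG", "city": "Lagos"},
     "riskLevelDuringSignIn": "medium", "status": {"errorCode": 0}},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-id-mailapp", "consentType": "Principal", "principalId": "user-id-jane",
     "scope": "Mail.ReadWrite Mail.Send offline_access"},
]
SAMPLE_AUDIT = [
    {"CreationTime": "2024-05-01T13:47:30", "Operation": "New-InboxRule",
     "ClientIP": "198.51.100.23", "Parameters": [{"Name": "Name", "Value": "."}]},
]


def _ts(value):
    """Parse Graph ('Z' suffix) and audit-log (no zone, UTC) timestamps."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def analyze_rule(rule):
    """Findings for one messageRule as (name, weight, detail) tuples."""
    findings, actions = [], rule.get("actions", {})
    targets = [r["emailAddress"]["address"].lower()
               for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
               for r in actions.get(key, [])]
    external = [t for t in targets if not t.endswith("@" + ORG_DOMAIN)]
    if external:
        findings.append(("external_forward", 40, external))
    if actions.get("delete") or actions.get("markAsRead"):
        findings.append(("hides_mail", 10, None))  # classic BEC: hide the thread from the owner
    name = rule.get("displayName", "").strip()
    if len(name) <= 2:
        findings.append(("minimal_name", 10, name))  # attackers often use ".", ",", or ""
    conds = rule.get("conditions", {})
    keywords = {k.lower() for k in conds.get("subjectContains", []) + conds.get("bodyContains", [])}
    hits = sorted(keywords & FINANCIAL_KEYWORDS)
    if hits:
        findings.append(("financial_keywords", 10, hits))
    return findings


def analyze_signins(signins):
    """Successful sign-ins from outside the baseline countries, or flagged risky by Entra."""
    out = []
    for s in signins:
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are noise for takeover confirmation
        country = s.get("location", {}).get("countryOrRegion")
        if country not in KNOWN_COUNTRIES or s.get("riskLevelDuringSignIn") in {"medium", "high"}:
            out.append(s)
    return out


def analyze_grants(grants):
    """User-consented (consentType=Principal) grants carrying mailbox scopes."""
    return [g for g in grants if g.get("consentType") == "Principal"
            and set(g.get("scope", "").split()) & HIGH_RISK_SCOPES]


def correlate_rule_creation(audit, suspicious_signins):
    """Rule creations from the same IP shortly after a suspicious sign-in."""
    linked = []
    for ev in audit:
        if ev.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        for s in suspicious_signins:
            gap = _ts(ev["CreationTime"]) - _ts(s["createdDateTime"])
            if timedelta(0) <= gap <= CORRELATION_WINDOW and ev.get("ClientIP") == s.get("ipAddress"):
                linked.append((ev["Operation"], s["ipAddress"], int(gap.total_seconds() // 60)))
    return linked


def triage(rules, signins, grants, audit):
    """Combine the signals into a score, verdict and evidence list (weights are assumptions)."""
    score, evidence = 0, []
    for rule in rules:
        for name, weight, detail in analyze_rule(rule):
            score += weight
            evidence.append(f"rule '{rule.get('displayName')}': {name} {detail or ''}".strip())
    risky = analyze_signins(signins)
    for s in risky:
        score += 20
        evidence.append(f"sign-in from {s['location'].get('countryOrRegion')} {s['ipAddress']}")
    for g in analyze_grants(grants):
        score += 25
        evidence.append(f"oauth grant {g['clientId']}: {g['scope']}")
    for op, ip, minutes in correlate_rule_creation(audit, risky):
        score += 30
        evidence.append(f"{op} from {ip} {minutes} min after suspicious sign-in")
    verdict = "likely compromised" if score >= 70 else "suspicious" if score >= 35 else "low"
    return {"score": score, "verdict": verdict, "evidence": evidence}


if __name__ == "__main__":
    result = triage(SAMPLE_RULES, SAMPLE_SIGNINS, SAMPLE_GRANTS, SAMPLE_AUDIT)
    print(result["verdict"], result["score"])
    for line in result["evidence"]:
        print(" -", line)
```

The messageRules endpoint returns no creation timestamp, so the time link between the foreign sign-in and the rule comes from the unified audit log (New-InboxRule / Set-InboxRule), which is why the script takes that export as a fourth input. The "Newsletters" rule produces no findings, which is the false-positive suppression the page describes: a rule is only interesting when it forwards externally, hides mail, or filters on financial keywords.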
How to Use detecting-email-account-compromise skill
Install the skill in your workspace
Use the repository install flow:
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-email-account-compromise
After install, confirm the skill folder is available under skills/detecting-email-account-compromise and that your agent can read both the skill file and its support material.
Read these files first
Start with SKILL.md to understand the intended workflow, then open references/api-reference.md for the Microsoft Graph endpoints and indicator table. Read scripts/agent.py next if you want the detection logic, rule patterns, and input expectations; it shows what the skill is actually looking for.
Turn a vague request into a usable prompt
The skill works best when you give it a concrete incident frame, not just “check this mailbox.” Include platform, time window, suspected user, and the artifact types you already have. A strong prompt looks like:
“Investigate suspected account takeover for user jane@company.com in Microsoft 365 over the last 7 days. Focus on inbox rules, external forwarding, impossible-travel sign-ins, and OAuth consent grants. Summarize compromise likelihood, key evidence, and next actions for containment.”
Input quality that changes output
Provide the exact tenant type, mailbox owner, time range, and any known bad indicators such as external domains, suspicious user agents, or a specific message rule name. If you already collected Graph or audit-log exports, include them; the skill can then prioritize correlation instead of guessing what to query first.
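The time-window and impossible-travel parts of that prompt, as an added Python example written for this page (not the skill's own code). It assumes the Graph signIn resource's location.geoCoordinates field is populated, which is not always the case, so records without coordinates are skipped rather than guessed; the sign-in records, the 7-day window and the 900 km/h plausibility threshold are constructed assumptions.

```python
"""Impossible-travel check over a bounded window of Microsoft Graph signIn records.

Added example; not the skill's own code. Records, window and threshold are
constructed assumptions.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

WINDOW = timedelta(days=7)
MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner speed; faster is impossible travel


def _signin(ts, ip, country, city, lat=None, lon=None):
    """Build a constructed record in the shape Graph /auditLogs/signIns returns."""
    loc = {"countryOrRegion": country, "city": city}
    if lat is not None:
        loc["geoCoordinates"] = {"latitude": lat, "longitude": lon}
    return {"createdDateTime": ts, "ipAddress": ip,
            "userPrincipalName": "jane@company.com", "location": loc}


SAMPLE_SIGNINS = [
    _signin("2024-04-20T09:00:00Z", "192.0.2.10", "US", "Denver", 39.74, -104.99),  # outside window
    _signin("2024-05-01T13:02:11Z", "192.0.2.10", "US", "Denver", 39.74, -104.99),
    _signin("2024-05-01T13:40:55Z", "198.51.100.23", "NG", "Lagos", 6.52, 3.38),
    _signin("2024-05-01T15:10:00Z", "203.0.113.9", None, None),                     # no geo data
    _signin("2024-05-02T08:15:00Z", "192.0.2.10", "US", "Denver", 39.74, -104.99),
]


def parse_ts(value):
    """Graph emits ISO-8601 with a 'Z' suffix, which fromisoformat needs as +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def within_window(signins, end_iso, window=WINDOW):
    """Keep events in (end - window, end], oldest first, so the analysis stays bounded."""
    end = parse_ts(end_iso)
    start = end - window
    kept = [s for s in signins if start < parse_ts(s["createdDateTime"]) <= end]
    return sorted(kept, key=lambda s: parse_ts(s["createdDateTime"]))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive geolocated sign-ins whose implied speed exceeds max_kmh."""
    located = [s for s in signins if s.get("location", {}).get("geoCoordinates")]
    flags = []
    for prev, cur in zip(located, located[1:]):
        g1, g2 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
        km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
        hours = (parse_ts(cur["createdDateTime"]) - parse_ts(prev["createdDateTime"])).total_seconds() / 3600
        # Same timestamp from two places is treated as infinite speed; same place as zero.
        speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
        if speed > max_kmh:
            flags.append({"from": prev["location"]["city"], "to": cur["location"]["city"],
                          "from_ip": prev["ipAddress"], "to_ip": cur["ipAddress"],
                          "km": round(km), "hours": round(hours, 2), "speed_kmh": round(speed)})
    return flags


if __name__ == "__main__":
    for flag in impossible_travel(within_window(SAMPLE_SIGNINS, "2024-05-02T12:00:00Z")):
        print(flag)
```

On the sample data only the Denver-to-Lagos leg is flagged (roughly 11,000 km in under 40 minutes); the return to Denver the next morning implies about 600 km/h, which is consistent with a flight and is deliberately not flagged. That asymmetry is the reason to name the exact indicator in the prompt: "sign-ins from new countries" and "impossible travel" are different questions with different evidentiary weight.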
detecting-email-account-compromise skill FAQ
Is this only for Microsoft 365?
No. The repository is strongest for Microsoft 365, but the detecting-email-account-compromise skill also covers Google Workspace concepts at a workflow level. If your environment is mixed, use it to structure the investigation and then adapt the data source details to your platform.
When should I not use this skill?
Do not use it as a full email security program or as a generic phishing response prompt. If you only need a one-line opinion about a suspicious message, this skill is more detailed than necessary; it is designed for account compromise investigation and evidence-based triage.
Does it replace a manual hunt query?
No. It helps you decide what to check and how to interpret it, but you still need tenant access, log data, and validation. The detecting-email-account-compromise guide is most valuable when you already have identity and audit logs to inspect or export.
Is it suitable for beginners?
Yes, if the user is willing to provide context. Beginners get the best results when they ask for a checklist-style investigation plan and share the mailbox, date range, and suspected behavior rather than expecting the skill to infer everything automatically.
How to Improve detecting-email-account-compromise skill
Give the skill the artifacts it can reason over
The fastest way to improve results is to provide mailbox rules, sign-in events, OAuth grants, and relevant timestamps in one prompt. The more complete the incident bundle, the less the model has to invent around gaps, and gaps are exactly where an investigation goes wrong.
Be explicit about what “compromise” means in your case
Tell the skill whether you care most about exfiltration, persistence, BEC risk, or unauthorized access. That changes the emphasis of the analysis: forwarding rules matter more for exfiltration, while risky sign-ins and token grants matter more for takeover and persistence.
Watch for common failure modes
The most common misses are overly broad time windows, missing tenant context, and logs pasted without user identity. Another failure mode is asking for “all suspicious activity” without saying what signal should count as suspicious; the output gets better when you name the exact indicators you want checked.
Iterate with a tighter second pass
If the first result is too broad, refine it with the evidence that was already found. For example: “Re-review only the forwarding rule and the two sign-ins from new countries, and explain which one is most consistent with compromise.” That kind of follow-up usually produces a better outcome than starting over from scratch.
