# Playbook: Business Email Compromise (BEC) in the Supply Chain (TPRM)

This notebook is a **fillable incident response runbook** for handling **Business Email Compromise (BEC)** events involving **third parties (vendors/suppliers/partners)** under **Third-Party Risk Management (TPRM)**.

Use it as a guided flow during an incident, and keep the completed notebook as part of the incident record.


## How to use
- Work top-to-bottom during the incident.
- Replace placeholders (✅ / ⛔ / TBD) with real values.
- Paste evidence links, email headers, ticket IDs, and artifacts.
- If you have automation, use the code cells as stubs.


## Table of contents
1. Scope & context
2. Roles & RACI
3. Detection & triage
4. Severity classification
5. Containment (0–24h)
6. Investigation & analysis
7. Eradication
8. Recovery
9. Communications
10. Post-incident (TPRM updates)
11. Metrics
12. Appendices / templates


## 1) Scope & Context

**Incident ID:** `TBD`  
**Date/Time opened (UTC):** `TBD`  
**Primary affected party:** `Internal / Vendor / Both`  
**Impacted vendor name:** `TBD`  
**Vendor service/category:** `TBD`  
**Business process impacted:** `AP / Procurement / Contracting / Other`  
**Initial reporter:** `TBD`  
**Ticket/Case links:** `TBD`  


### 1.1 Incident hypothesis
Check all that apply:
- [ ] Vendor email account takeover (ATO) leading to fraudulent invoice/payment diversion
- [ ] Vendor impersonation via look-alike domain
- [ ] Reply-chain hijacking (thread takeover)
- [ ] OAuth token / malicious consent-based access
- [ ] Internal executive impersonation routed through vendor thread
- [ ] Other: `TBD`


## 2) Roles & RACI

Fill in names/contacts:

| Function | Primary | Backup | Contact |
|---|---|---|---|
| SOC / IR Lead | `TBD` | `TBD` | `TBD` |
| TPRM / Vendor Mgmt | `TBD` | `TBD` | `TBD` |
| Finance / AP | `TBD` | `TBD` | `TBD` |
| Procurement | `TBD` | `TBD` | `TBD` |
| Legal / Compliance | `TBD` | `TBD` | `TBD` |
| Executive Sponsor | `TBD` | `TBD` | `TBD` |


## 3) Detection & Triage

### 3.1 Detection source
- [ ] Email security alert (phishing/BEC rules)
- [ ] User report
- [ ] Finance/AP alert (payment change request)
- [ ] SIEM correlation
- [ ] Vendor notification of compromise
- [ ] Other: `TBD`


### 3.2 Quick triage checklist (15–30 minutes)
- [ ] Identify the suspected sender and recipient(s)
- [ ] Preserve the suspicious email (do not forward as attachment unless approved)
- [ ] Capture message IDs, headers, and URLs
- [ ] Determine whether payment instructions are involved
- [ ] Determine if any funds were transferred
- [ ] Identify whether this appears to be vendor compromise or impersonation


In [None]:
# OPTIONAL: paste parsed email headers or key fields here
suspicious_email = {
    "from": "TBD",
    "to": ["TBD"],
    "cc": ["TBD"],
    "subject": "TBD",
    "message_id": "TBD",
    "reply_to": "TBD",
    "return_path": "TBD",
    "date": "TBD",
    "auth_results": "TBD (SPF/DKIM/DMARC)"
}
suspicious_email


## 4) Severity Classification

Select severity:

- **Critical:** Funds transferred OR confirmed vendor compromise with active fraud attempt
- **High:** Fraud attempt blocked; active impersonation; sensitive data exposure suspected
- **Medium:** Suspicious email; no transaction; limited exposure
- **Low:** Look-alike domain detected; no engagement

**Chosen severity:** `TBD`  
**Rationale:** `TBD`


## 5) Containment (First 0–24 Hours)

### 5.1 Internal containment actions
- [ ] Quarantine related messages across mailboxes
- [ ] Block sender domains/IPs/URLs in email security controls
- [ ] Disable or reset impacted internal accounts
- [ ] Revoke suspicious OAuth app grants / tokens
- [ ] Add indicators to SIEM watchlists
- [ ] Place **immediate payment hold** on vendor payments & changes

**Notes / actions taken:** `TBD`


### 5.2 Third-party containment actions (TPRM-led with IR support)
- [ ] Notify vendor security contact via **out-of-band** method
- [ ] Request vendor to:
  - [ ] Lock/reset affected mailbox accounts
  - [ ] Enforce MFA
  - [ ] Review mailbox rules/forwards/delegations
  - [ ] Review sign-in logs (geo, IP, impossible travel)
  - [ ] Provide incident statement + scope
- [ ] Confirm vendor payment instructions via trusted channel

**Vendor contacted (name/when/how):** `TBD`  
**Vendor case/reference #:** `TBD`


## 6) Investigation & Analysis

### 6.1 Key questions
- Was the vendor account compromised or was this impersonation?
- Did the attacker alter payment instructions (bank, routing, SWIFT, IBAN)?
- Was any sensitive data exposed (contracts, PII, pricing, credentials)?
- Duration of exposure / dwell time?
- Are other vendors affected (campaign pattern)?

**Preliminary answers:** `TBD`


### 6.2 Evidence to collect (attach links/paths)
- Email raw source / headers
- Authentication results (SPF/DKIM/DMARC)
- Mailbox audit logs (internal + vendor if provided)
- Mailbox rules/forwarding settings
- OAuth app consent logs
- Financial transaction records
- Vendor incident report
- Screenshots of payment change requests

**Evidence index:**  
1. `TBD`  
2. `TBD`


In [None]:
# OPTIONAL: IOC list stub
iocs = {
    "domains": ["TBD"],
    "sender_addresses": ["TBD"],
    "ips": ["TBD"],
    "urls": ["TBD"],
    "file_hashes": ["TBD"],
}
iocs


## 7) Eradication

- [ ] Reset credentials (internal; confirm vendor did same)
- [ ] Enforce MFA for affected users and vendor accounts (where contractually possible)
- [ ] Remove malicious mailbox rules/forwards/delegations
- [ ] Revoke OAuth tokens and remove suspicious apps
- [ ] Update detection rules/signatures and blocklists
- [ ] Hunt for related activity across organization and other vendors

**Eradication notes:** `TBD`


## 8) Recovery

### 8.1 Financial recovery actions
- [ ] Contact bank fraud team immediately
- [ ] Attempt recall / clawback / SWIFT recall (as applicable)
- [ ] Notify cyber insurance (if applicable)
- [ ] File law enforcement report (if required by policy)

**Outcome:** `TBD`


### 8.2 Business recovery actions
- [ ] Resume payments only after **out-of-band verification**
- [ ] Confirm vendor security posture restored (written confirmation)
- [ ] Monitor impacted mailboxes/threads for 30–60 days
- [ ] Confirm no further payment changes pending

**Recovery complete date:** `TBD`


## 9) Communications Plan

### 9.1 Internal communications
- [ ] Notify Finance/AP leadership
- [ ] Notify Procurement / Vendor Mgmt
- [ ] Executive briefing (facts only)
- [ ] Legal/Compliance involvement as needed

**Internal comms log:**  
- `TBD`


### 9.2 External communications
- [ ] Vendor communications (secure channel + out-of-band verification)
- [ ] Regulators (if required)
- [ ] Customers (if confirmed data exposure)

**External comms log:**  
- `TBD`


## 10) Post-Incident Activities (TPRM Enhancements)

### 10.1 Vendor risk updates
- [ ] Re-score vendor risk rating
- [ ] Update vendor security requirements (MFA, logging, incident notification SLA)
- [ ] Confirm vendor root cause + corrective actions
- [ ] Determine if contract updates are required

**TPRM decision & rationale:** `TBD`


### 10.2 Control improvements (internal)
- [ ] Payment change verification: mandatory call-back (known number) / dual approval
- [ ] DMARC/DKIM/SPF enforcement improvements
- [ ] Vendor domain monitoring / look-alike detection
- [ ] Targeted user training (Finance/Procurement)
- [ ] Update playbook and run tabletop exercise

**Actions & owners:** `TBD`


## 11) Metrics & KPIs

Fill values when known:

- Time to detect (TTD): `TBD`
- Time to contain (TTC): `TBD`
- Financial loss incurred: `TBD`
- Financial loss avoided: `TBD`
- Vendor response time vs SLA: `TBD`
- Repeat vendor incidents in 12 months: `TBD`


## 12) Appendices / Templates

### A) Vendor incident notification template
**Subject:** URGENT: Suspected Business Email Compromise impacting our communications

**Message:**
- We detected suspected fraudulent communications appearing to originate from your organization.
- Please confirm whether your email environment is compromised and initiate incident response.
- Requested actions:
  1) Lock/reset impacted accounts and enforce MFA  
  2) Review mailbox rules/forwarding and OAuth app consents  
  3) Provide sign-in log review (time range: `TBD`)  
  4) Confirm official payment instructions via out-of-band method  
  5) Provide incident reference # and status updates

**Our reference:** `TBD`  
**Preferred secure channel:** `TBD`


### B) Payment change verification checklist (call-back control)
- [ ] Use known phone number from master data (not from email)
- [ ] Verify requester identity (name, role, callback, ticket #)
- [ ] Verify bank details (IBAN/SWIFT/routing/account) against prior records
- [ ] Require dual approval for changes
- [ ] Confirm change in writing via verified vendor portal (if available)
- [ ] Document all verification steps


### C) Email header analysis notes
Paste key header findings:
- SPF: `pass/fail`
- DKIM: `pass/fail`
- DMARC: `pass/fail`
- Return-Path anomalies: `TBD`
- Reply-To mismatch: `TBD`
- Received chain suspicious hops: `TBD`
