The mailbox audit examines six categories of configuration that BEC attackers exploit.
External forwarding rules
Mail being silently copied to an attacker's address. The most common BEC backdoor — survives password resets.
Inbox rules that auto-delete or hide
Rules that automatically move replies to deleted items or mark them as read, so the legitimate user does not see attacker correspondence. Classic invoice-redirect setup.
App passwords and OAuth-granted apps
App passwords bypass MFA. Third-party OAuth apps the user granted may have ongoing read or send access. We list every one.
Delegated permissions
Who else can read your mailbox or send mail as you. Common legitimate setups (executive assistant) and common attack patterns (attacker added themselves as delegate) look similar — we surface all of them for human review.
SPF, DKIM, DMARC posture
Public DNS configuration for your sending domain. Misconfigured DMARC means attackers can spoof your domain to anyone.
Impersonation and lookalike domains
Newly registered domains that visually resemble yours (zero replaced with O, letter swaps, additional characters). Attackers use these to send fake invoices that appear to come from you.