February 20, 2025 · 12 min read

Email Investigations: The Epicenter of Security Analysis

Email remains at the heart of most security investigations, from phishing alerts and insider threats to business email compromise (BEC) incidents involving both internal and third-party emails. While many teams focus solely on whether a malicious link was clicked, the real challenge lies in understanding email activity and other user behaviors in the big picture: what users do after an incident occurs. This post explores how email credentials represent full user identities and why this makes them prime targets for attackers. Using real examples, like the case of an Acme Corp administrator with extensive system access, we show how attackers can easily identify and target high-value accounts through LinkedIn and other public sources. Traditional email investigations face significant challenges: time-consuming manual correlation, complex access requirements across multiple systems, and difficulty in assessing the full blast radius of compromised accounts. Command Zero addresses these challenges through unified data analysis, AI-guided investigations, automated timeline analysis, and intelligent narrative building. The post concludes by emphasizing that email investigations can't be treated as checkbox exercises: they require sophisticated tools that can handle complex data correlation while guiding investigators toward meaningful conclusions. This approach transforms email investigations from time-consuming manual processes into rapid, comprehensive analyses that any investigator can conduct effectively.


Introduction

Email investigations intersect with virtually every security incident response. Whether it's an HR-led insider threat case or a potential compromise, email activity provides crucial context about what happened before, during, and after an event.

Most playbooks focus narrowly on whether a user clicked a malicious link, then jump straight to endpoint analysis. This misses critical signals in user behavior. The noteworthy questions are: What did the user do in their email after the click? Did they start sharing sensitive files? Did they initiate unusual communications with accounts payable? How did their behavior change in SaaS applications or other connected systems?

These post-compromise behaviors are nuanced. They often reveal the true scope of an incident, and they are easily overlooked by oversubscribed teams or static playbooks. More interesting patterns can be uncovered by asking questions like: Who else received these suspicious emails? What behavior changes did they demonstrate after receiving these emails or clicking the suspicious links?  

These patterns can take hours to run down, so a complex email investigation can consume the majority of an analyst’s day.  

The hard truth: Emails are full user identities

Email is one of the top threat vectors for a reason. It is used by every knowledge worker to interact with the outside world. In today’s integrated identity structure, email credentials represent more than just access to communications – they are full user identities. When compromised, attackers inherit all the permissions and influence of that account. So email compromise effectively becomes account takeover.  

Take this real example: Examining the permissions of a user like Shannon at Acme Corp reveals extensive administrative access across multiple critical systems. Attackers can easily identify these high-value targets (admins with extensive access) through LinkedIn, derive their email addresses, and launch targeted social engineering campaigns. To cause devastating impact, attackers don't need to "spray and pray" across 50 users when they can focus on 2-3 privileged accounts.  

Gaining access to Shannon's email gives attackers the keys to the kingdom.

Breaking down investigation barriers for email

Traditional email investigations face three key challenges:

  1. Speed vs. Accuracy Trade-offs: Thoroughly investigating email patterns while simultaneously checking other systems for signs of compromise requires significant time. An analyst needs to examine:
    • Email subject line patterns
    • Communications with external addresses
    • Whether other internal users are participating in email dialogues with suspicious external addresses
    • File sharing behaviors and patterns

  These manual correlations can consume the majority of an analyst's day.

  2. Access Complexity: Email investigations require pivoting across multiple systems. For instance, when investigating potential business email compromise (BEC), analysts need to quickly determine:
    • What files were shared externally (via Microsoft SharePoint, OneDrive or similar)
    • Whether suspicious email forwarding rules were created (via Microsoft Exchange or similar)
    • Whether the compromised identity has accessed sensitive systems through SSO providers like Okta or Entra (the two most prominent identity providers we see in customer environments)
    • What SaaS applications the user can access via SSO (GitHub or similar)
    • Whether there's unusual activity in Microsoft Office 365 or other cloud platforms

  3. Blast Radius Assessment: When an email account is compromised, security teams must rapidly determine the scope of potential damage. This means:
    • Mapping access across multiple identity providers (both Azure AD and Okta)
    • Understanding SaaS application access through SSO
    • Identifying potential data exfiltration through file sharing or email attachments
    • Assessing the user's permissions and group memberships
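As an added example (not Command Zero's code), the following Python sketch runs the post-click questions from the Introduction and the BEC and blast-radius checklists above over a few constructed audit records: it lists who else received the same message, then flags, within a review window after the click, new inbox rules forwarding to external addresses, external file-sharing invitations, and SSO logins to apps outside the user's baseline. The tenant domain, the baseline app set and every event record are constructed assumptions, loosely shaped like Exchange, SharePoint and Okta audit entries.

```python
"""Correlate constructed Exchange, SharePoint and Okta audit events around a phishing click.
Added example, not Command Zero's code; event shapes, tenant domain and sample data are constructed."""
from collections import namedtuple
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "acme.example"                        # constructed tenant domain
SSO_BASELINE = {"shannon@acme.example": {"Office365"}}  # constructed per-user "normal" SSO apps
Event = namedtuple("Event", "ts user action detail")

EVENTS = [Event(*r) for r in [  # constructed records, loosely shaped like real audit entries
    ("2025-02-10T09:00:00", "shannon@acme.example", "message_received", "Invoice 4471 overdue"),
    ("2025-02-10T09:00:05", "pat@acme.example", "message_received", "Invoice 4471 overdue"),
    ("2025-02-10T09:02:00", "shannon@acme.example", "url_click", "Invoice 4471 overdue"),
    ("2025-02-10T09:40:00", "shannon@acme.example", "New-InboxRule", "forward:billing@lookalike.example"),
    ("2025-02-10T10:15:00", "shannon@acme.example", "SharingInvitationCreated", "vendor@lookalike.example"),
    ("2025-02-10T11:00:00", "shannon@acme.example", "sso_login", "GitHub"),
    ("2025-02-10T11:30:00", "shannon@acme.example", "sso_login", "Office365"),
    ("2025-02-12T09:00:00", "shannon@acme.example", "SharingInvitationCreated", "partner@outside.example"),
]]

def _when(e):
    return datetime.fromisoformat(e.ts)

def is_external(address):
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN

def other_recipients(events, subject, clicker):
    """Who else received the same message? They need the same post-receipt review as the clicker."""
    return sorted({e.user for e in events
                   if e.action == "message_received" and e.detail == subject and e.user != clicker})

def post_click_findings(events, user, window_hours=24):
    """Post-click behaviours for `user` inside the review window: inbox rules forwarding to external
    addresses, external file-sharing invitations and SSO logins to apps outside the user's baseline."""
    clicks = [e for e in events if e.user == user and e.action == "url_click"]
    if not clicks:
        return []                                       # no click on record: nothing to anchor on
    t0 = _when(min(clicks, key=_when))
    end = t0 + timedelta(hours=window_hours)
    findings = []
    for e in sorted(events, key=_when):
        if e.user != user or not (t0 <= _when(e) <= end):
            continue                                    # another user, or outside the window
        if e.action == "New-InboxRule" and e.detail.startswith("forward:") and is_external(e.detail[8:]):
            findings.append(("external_forwarding_rule", e.ts, e.detail[8:]))
        elif e.action == "SharingInvitationCreated" and is_external(e.detail):
            findings.append(("external_file_share", e.ts, e.detail))
        elif e.action == "sso_login" and e.detail not in SSO_BASELINE.get(user, set()):
            findings.append(("sso_app_outside_baseline", e.ts, e.detail))
    return findings
```

Widening `window_hours` pulls in the later external share, which is the kind of slow-burn behavior a 24-hour review window misses.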

Modern email investigation requirements

Effective email investigations need to:

  • Move beyond binary “received/didn’t receive email” or "clicked/didn't click malicious link" analysis to examine post-compromise behaviors
  • Automatically correlate email activities with identity systems, file sharing, and SaaS access
  • Provide guided investigation paths to help analysts explore relevant angles without going down rabbit holes
  • Enable rapid assessment of potential blast radius when credentials are compromised
  • Support complex use cases like BEC attacks, spear phishing, and insider threats

How Command Zero improves email investigations

Command Zero transforms email investigations through several key innovations:

  1. Unified Data Analysis: The platform abstracts data collection and interpretation across multiple sources, allowing investigators to pivot seamlessly between email, identity systems, and cloud platforms. This integration gives analysts immediate visibility into the full scope of potential compromise.

  Analysts can review data across all connected systems in the Command Zero interface.

  2. AI-Guided Investigation: The platform's AI capabilities provide contextual guidance through:
    • Recommended questions based on current findings
    • Automated investigation paths based on responses
    • Guard rails that prevent "rabbit holing" into unproductive paths
    • Context-aware follow-up questions that guide analysts toward promising leads

  LLMs suggest relevant follow-up questions and generate new branches to enhance analysts' flows.

  3. Automated Timeline Analysis: The system analyzes events across all connected platforms and builds a comprehensive timeline. In roughly 95% of cases, investigations reveal no true security concern, but when they do, the system helps analysts rapidly understand the blast radius and pivot from "risk" to "active threat" assessment.

  Command Zero generates timelines based on noteworthy questions and answers.

  4. Narrative Building: Command Zero helps investigators construct the incident narrative by:
    • Pulling out key facts and correlations that might be missed
    • Identifying connections between seemingly unrelated events
    • Providing a structured approach to documentation
    • Maintaining investigative guardrails to prevent scope creep
    • Making sure that no pattern gets overlooked

  Command Zero builds full reports with verdicts based on the investigation flow, the goal of the analysis and the historical context of the subject.

This approach differs fundamentally from traditional solutions by providing what amounts to an expert "riding shotgun" with the analyst. It reduces the psychological burden on investigators by removing knowledge and access limitations, allowing them to conduct thorough investigations in minutes rather than hours.

Conclusion

Email remains the foundation of most security investigations, whether they involve business email compromise, phishing, or insider threats. Our experience shows that if an investigation doesn't touch email, it probably should - email behavior provides crucial context for almost every security incident.

Command Zero's approach transforms email investigations from a time-consuming manual process into a rapid, comprehensive analysis that any investigator can conduct effectively. By automating data correlation and providing expert guidance, we enable security teams to understand the true scope of incidents and respond decisively.

The reality of modern security is that email investigations can't be treated as a checkbox exercise. They require sophisticated tools that can handle complex data correlation while guiding investigators toward meaningful conclusions. This is how we turn the challenge of email investigations into an opportunity for more effective security response.

To see how Command Zero can help transform email investigations, please book a demo with our team.  

Alfred Huger
Cofounder & CPO
