In this drop, we transition from hunter to responder. When investigating a Business Email Compromise (BEC) within a massive Microsoft 365 tenant, the standard Azure Portal GUI is simply too slow and abstracted. We need raw data and automation. Using the Gemini CLI as an autonomous, LLM-backed copilot, we'll navigate the complex identity surface of Microsoft Entra ID via direct REST API calls to dissect an attack in record time.
During an active incident, your environment dictates your speed. Deploying the Gemini CLI on a hardened Kali node provides a frictionless interface where your natural language commands are translated directly into operational shell scripts or Azure CLI execution strings. It's like having a senior Cloud Engineer paired with you, constantly suggesting the right flags.
The immediate priority in any BEC is mapping the blast radius. We must aggressively audit the tenant's surface to identify whether the adversary has escalated privileges by modifying role assignments or inviting rogue Guest users. Waiting for the portal to load these lists is unacceptable; we use the Azure CLI for immediate, JSON-formatted output.
The Azure CLI's built-in commands cover only part of the tenant's configuration; the Microsoft Graph API covers the rest. Direct API access via `az rest` allows us to query deep configuration states, such as modified Conditional Access policies. The challenge is remembering the exact endpoints and OData filter syntax. Here Gemini excels: you tell it what you need ("Get me the CA policies modified today"), and it constructs the precise `az rest` invocation.
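The triage queries from the two paragraphs above (role assignments, Guest users, Conditional Access policies modified today), collected into one script as an added example that is not the post's own tooling; it also adds the matching directory-audit query so the role changes can be tied to an actor. It assumes an authenticated `az login` session with Graph read permissions, and the server-side `$filter` on `modifiedDateTime` for the CA policy endpoint is an assumption flagged in the code.

```shell
#!/usr/bin/env bash
# BEC identity triage: build the az rest calls against Microsoft Graph.
# Added example, not the post's own tooling. Defaults to DRY_RUN=1 (print
# the commands); run with DRY_RUN=0 inside an authenticated az session.
set -eu
GRAPH="https://graph.microsoft.com/v1.0"
# Percent-encode the spaces and quotes that OData filters are full of.
enc() { printf '%s' "$1" | sed -e 's/ /%20/g' -e "s/'/%27/g"; }
# Start of today in UTC, in the ISO-8601 form OData timestamps require.
today_utc() { date -u +%Y-%m-%dT00:00:00Z; }

# Directory role assignments, with each principal expanded so the output
# names the holder instead of a bare object id.
url_role_assignments() {
  printf '%s/roleManagement/directory/roleAssignments?$expand=principal' "$GRAPH"
}

# Guest accounts: filter on userType rather than the '#EXT#' UPN marker.
url_guests() {
  printf '%s/users?$filter=%s&$select=id,displayName,mail,createdDateTime' \
    "$GRAPH" "$(enc "userType eq 'Guest'")"
}

# Conditional Access policies modified since a timestamp. Assumption: this
# endpoint honours a server-side $filter on modifiedDateTime; if the tenant
# answers 400, drop the filter and compare modifiedDateTime client-side.
url_ca_modified_since() {
  printf '%s/identity/conditionalAccess/policies?$filter=%s' \
    "$GRAPH" "$(enc "modifiedDateTime ge $1")"
}

# Directory audit: who changed roles since the timestamp, and from where.
url_role_audit_since() {
  printf '%s/auditLogs/directoryAudits?$filter=%s' \
    "$GRAPH" "$(enc "activityDateTime ge $1 and category eq 'RoleManagement'")"
}

# Print or execute one GET. Graph pages at 100 objects: follow the
# "@odata.nextLink" in each response on large tenants.
graph_get() {
  if [ "$DRY_RUN" = 1 ]; then
    printf "az rest --method get --url '%s' --output json\n" "$1"
  else
    az rest --method get --url "$1" --output json
  fi
}
SINCE="${SINCE:-$(today_utc)}"; DRY_RUN="${DRY_RUN:-1}"
for u in "$(url_role_assignments)" "$(url_guests)" \
         "$(url_ca_modified_since "$SINCE")" "$(url_role_audit_since "$SINCE")"; do
  graph_get "$u"
done
```

Set `SINCE=2024-05-01T00:00:00Z` to widen the window beyond today; `az rest` takes care of the Graph bearer token for graph.microsoft.com URLs.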
Finally, we pivot from identity modifications to the initial ingress vector: the phishing email. Using KQL in Microsoft Defender, we trace the compromised user's timeline backwards to find the specific network message ID that delivered the malicious payload, establishing the root cause.