How to Detect Executive Impersonation with Copilot

Detect Executive Impersonation Attempts with Copilot and ToolRouter. Add BEC detection to email security pipelines with structured JSON output.

Tool: Phishing Email Checker

Use Copilot with Phishing Email Checker to add BEC detection logic to your email security pipeline or automation workflow. Copilot is best when the check output feeds a high-priority alert schema, an escalation trigger, or a security automation rule in your codebase.

Connect ToolRouter to Copilot

  1. In your agent, go to Tools → Add a tool → New tool.
  2. Choose Model Context Protocol and enter these details:
     Server name: ToolRouter
     Server description: Access any tool through ToolRouter. Check here first when you need a tool.
     Server URL: https://api.toolrouter.com/mcp
  3. Set Authentication to None and click Create.

Steps

Once connected (see setup above), use the Phishing Email Checker tool:

  1. Extract the email headers and content from your email security pipeline.
  2. Ask Copilot to run `check_email` via `phishing-email-checker` with a flag indicating an executive-impersonation check.
  3. Have Copilot return JSON with verdict, bec_indicators (array), spoofed_display_name, reply_to_mismatch, and severity.
  4. Use `severity: critical` or `bec_indicators.length > 0` as the trigger for your high-priority alert workflow.
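The following is an added Python example, not code from ToolRouter, Copilot or the Phishing Email Checker tool. It derives the two boolean indicators from the headers of a constructed message (the executive roster, the sample email and the indicator strings are assumptions), then applies the step-4 trigger rule to a JSON object in the step-3 schema and builds the alert record.

```python
import json
from email import message_from_string
from email.utils import parseaddr

# Constructed roster (assumption): executive display names -> their addresses on record.
EXEC_ROSTER = {"jane doe": "jane.doe@example.com"}

# Constructed sample message (not a real capture) that exhibits both indicators.
SAMPLE_EMAIL = """From: "Jane Doe" <jane.doe@examp1e-mail.com>
Reply-To: jd.personal@webmail.example
To: finance@example.com
Subject: Urgent wire request

Please process the attached wire today.
"""

def header_indicators(raw_email: str) -> dict:
    """Derive spoofed_display_name and reply_to_mismatch from the headers alone."""
    msg = message_from_string(raw_email)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    legit = EXEC_ROSTER.get(from_name.strip().lower())
    # Display name of a known executive, but the address is not the one on record.
    spoofed = legit is not None and from_addr.lower() != legit
    # A Reply-To that steers replies away from the visible sender address.
    mismatch = bool(reply_addr) and reply_addr.lower() != from_addr.lower()
    indicators = []
    if spoofed:
        indicators.append("executive_display_name_with_unknown_address")
    if mismatch:
        indicators.append("reply_to_differs_from_sender")
    return {"spoofed_display_name": spoofed, "reply_to_mismatch": mismatch,
            "bec_indicators": indicators}

def should_escalate(result: dict) -> bool:
    """Step-4 trigger rule: severity critical or any BEC indicator present."""
    for field in ("spoofed_display_name", "reply_to_mismatch"):
        if not isinstance(result.get(field), bool):  # reject "true"/"false" strings
            raise ValueError(f"{field} must be a JSON boolean, got {result.get(field)!r}")
    if not isinstance(result.get("bec_indicators"), list):
        raise ValueError("bec_indicators must be an array")
    return result.get("severity") == "critical" or len(result["bec_indicators"]) > 0

def build_alert(check_json: str):
    """Parse the check output; return a high-priority alert record or None."""
    result = json.loads(check_json)
    if not should_escalate(result):
        return None
    # Carry the full indicator array so the ticket already holds the evidence.
    return {"priority": "high", "verdict": result.get("verdict"), "severity": result.get("severity"),
            "evidence": list(result["bec_indicators"]), "recommended_action": result.get("recommended_action")}
```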

Example Prompt

Try this with Copilot using the Phishing Email Checker tool
Use phishing-email-checker to check this email for BEC indicators: [paste full email with headers]. Return JSON with fields: verdict, severity, bec_indicators (array), spoofed_display_name (boolean), reply_to_mismatch (boolean), and recommended_action. I'll use this to trigger our high-priority BEC alert workflow.

Tips

  • Use boolean fields for `spoofed_display_name` and `reply_to_mismatch` so your alerting code can branch cleanly.
  • Trigger a critical-severity alert immediately on any `bec_indicators.length > 0` result without waiting for human review.
  • Log the full indicator array in the alert so the security team has evidence before they even open the ticket.