Envyously
Investigation · Chain of custody Pennsylvania

Prospect Intelligence · Investigation · Chain of custody

The investigation your MSSP won't run.

Envyously is a small platform, run out of Pennsylvania, that finishes the read-only mailbox and identity investigations most monitoring stacks only signal. Every action sealed to a case folder, with operator UPN, timestamp, and a signed chain — court-defensible if it ever needs to be.

§ 01 / Cases

The investigations we finish for other people.

Case A · Mailbox

An auto-forward on a privileged mailbox nobody set up.

Existing MSSP was watching a Splunk dashboard. The rule had been quietly created six weeks earlier, forwarding financial-office traffic to a look-alike inbox. We surfaced it in a 48-hour read-only sweep of the top-100 privileged users.

Outcome · Rule removed · Rotation on 3 accounts · Reported to owner.

Case B · Corpus

A family-scope phish that turned out to be a Rilide variant.

One relative clicked a Node.js dropper. We reconstructed the session chain from browser artifacts, matched signatures against our IOC corpus, and confirmed the family across three other endpoints in the household. Nothing left the environment.

Outcome · Signature pack shipped to peers · No lateral movement.

Case C · Identity

A federated identity plane after a merger nobody had time to reconcile.

Five legacy .edu brands on one InCommon cert, DMARC set to p=none, DKIM unpublished. We wrote up the spoofability finding, mapped it to their AD FS topology, and handed the report to an InfoSec Director who had been holding the meeting for two years.

Outcome · Report used to unlock DMARC enforcement roadmap.

§ 02 / Method

Evidence discipline you can hand a lawyer.

Every action against a customer environment is a record. Every record is signed. If it's not sealed, it didn't happen.

The platform runs on Microsoft's own runtime — Entra RBAC for authorization, native audit logs, US-persons data path. We don't ask you to trust a vendor's word for what happened. We ask you to trust your own tenant's audit log, because that is where our activity lands.

When we hand back a case, you get the report and the folder. The folder is the artifact — hashed, timestamped, and signed at seal. Nobody, including us, can quietly change it later.

  • § i
    Operator UPN on every action. Who did it, in your own audit log, not ours.
  • § ii
    Signed chain of custody at seal. Hash manifest + RFC 3161 timestamp. Verify without us.
  • § iii
    Read-only by default. Every write requires an explicit, logged approval.
  • § iv
    US persons, US data path. No offshore analyst pool. Named operator, one time zone.
  • § v
    Case folder is yours. You keep the folder whether we work together again or not.
§ 03 / Entry

Two ways to see what we would find.

Complimentary · Real work · About a week

Free mailbox investigation.

We run a read-only audit against your top-100 privileged users, a sign-in anomaly sweep across the last 30 days, and any findings we surface come back as a full case folder with signed chain of custody.

  • Auto-forward and inbox-rule audit
  • Entra + Duo (or Okta) correlation
  • Read-only unless you approve a specific action
  • Yours to keep whether we work together or not
Request the investigation

Free · 45 seconds · No account

Public pre-engagement scan.

Paste a domain, get a redacted read of your perimeter, mail authentication, and identity plane. Same engine we run before we ever quote work. If we find something on the free scan, we send you the brief — no follow-up sequence.

  • SPF, DMARC, DKIM enforcement view
  • Perimeter TLS and header hardening
  • M365 identity fingerprint (federated or cloud)
  • Composite score with plain-language notes
Run the free scan