$50B
Global BEC losses reported 2013 to 2024
72h
Typical SWIFT recall window for wire fraud
90d
Default UAL retention for E3 tenants
94%
BEC cases involve compromised email rules

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Business email compromise remains the single most financially damaging incident category most organizations will encounter, with FBI IC3 attributing more than $50 billion in cumulative losses since 2013. The mechanics are simple and well-documented: attacker gains access to a mailbox (typically via AiTM phishing kit or token theft), establishes persistence through OAuth grants and inbox rules, monitors for in-flight financial transactions, and either hijacks the conversation to redirect a wire or impersonates the user to an external counterparty.

The investigation is time-pressured for two reasons. First, the SWIFT recall window for fraudulent wire transfers is typically 24 to 72 hours; after that, the funds are gone. Second, the Microsoft 365 Unified Audit Log retention for E3 licenses is 90 days by default and 180 days for E5, which means a 60 day dwell time leaves only a narrow window to reconstruct the attacker's activity.

This playbook assumes Microsoft 365 because that is where most BEC cases land. The equivalent steps in Google Workspace use Admin Console audit and Vault eDiscovery; the structure of the investigation is the same.

Initial Triage: The Signals That Confirm BEC

Most BEC cases reach the security team through one of four channels: a user reports a suspicious password reset prompt, a finance team member notices a vendor reporting non-receipt of payment, a counterparty's security team notifies you that they received a phishing email from your domain, or an EDR/email security alert fires on anomalous OAuth consent. Within 30 minutes of notification, validate three things. First, check the mailbox for inbox rules using Get-InboxRule -Mailbox user@domain.com | Where-Object {$_.Enabled -eq $true}; attackers typically create rules that move mail from finance, banking, or specific vendor domains to RSS Subscriptions, Conversation History, or a hidden folder, and mark as read. Second, check for OAuth app consent in Entra ID via the Enterprise Applications blade, filtered to the user as actor; look for unfamiliar apps with Mail.Read, Mail.ReadWrite, or Mail.Send permissions, especially those granted in the last 90 days. Third, check forwarding: Get-Mailbox user@domain.com | Select ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward. Any external forwarding address (especially personal Gmail, ProtonMail, or a lookalike domain) is high confidence BEC. If any of the three are positive, escalate to incident.

Microsoft 365 Forensics: UAL, MailItemsAccessed, and MessageSent

Open the Microsoft Purview compliance portal and run an audit search for the compromised UPN over the maximum retention window. The high-value record types are AzureActiveDirectoryStsLogon (sign-in events including IP and user agent), ExchangeItem (mailbox operations including New-InboxRule, Set-InboxRule, Set-Mailbox), MailItemsAccessed (which mail was read; requires E5 or the Microsoft 365 Audit add-on), MessageSent (which mail was sent from the account), and consent grants under AzureActiveDirectoryAccountLogon. Export the results to CSV and pivot on ClientIP to identify attacker infrastructure; legitimate users typically sign in from a small set of IPs while attackers will appear from VPS providers, residential proxies, or anonymizers. The Connect-ExchangeOnline PowerShell module is required for some queries that the GUI does not expose; use Search-UnifiedAuditLog -StartDate -EndDate -UserIds -RecordType ExchangeItem -ResultSize 5000 in scripted batches. MailItemsAccessed reports message bind operations and is the primary evidence for what the attacker actually read; correlate the InternetMessageId values in the audit record back to the message subject and recipient list to scope sensitive content exposure.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Scoping the Blast Radius

Three blast radius questions need answers within the first 4 hours. First: who received email from the compromised account during the dwell period? Run Search-UnifiedAuditLog -RecordType ExchangeItem with Operations = Send and harvest the recipient list. Cross-reference with your DLP and email security gateway logs for the same window to catch outbound emails that bypassed audit log capture. Second: who clicked links in mail sent from the account? If you have Microsoft Defender for Office 365, query UrlClickEvents for the compromised sender. Otherwise, query your secure web gateway or DNS logs for traffic from internal IPs to URLs you can extract from the sent messages. Third: what was the attacker reading? Pivot MailItemsAccessed by InternetMessageId, then look up each message in the user's mailbox (still preserved via litigation hold or eDiscovery search) to determine sensitivity. Build a list of categories: wire instructions in flight, contracts under negotiation, personally identifiable information in attachments, intellectual property. This list drives the regulatory and counterparty notification decisions later.

Financial Fraud Coordination

If the BEC involved a fraudulent wire or ACH, the clock is your enemy. Within the first 2 hours, contact your finance team's banking liaison and request a SWIFT recall (for international wires) or a Hold/Reversal for domestic ACH. Provide the originating account, beneficiary account, amount, and wire reference number; the bank's fraud desk will initiate the recall request to the receiving bank. Recall success rates are highest within 24 hours, drop sharply at 48 hours, and approach zero past 72 hours. In parallel, file an IC3 complaint at ic3.gov with the same details; the FBI's Recovery Asset Team coordinates with banks on transactions over $50,000 and has measurably higher recall rates than bank-only requests. Notify any counterparty whose payment was redirected; they may also need to file with their bank. If the redirected funds came from a customer, your contractual and reputational obligations kick in; involve legal counsel before any external communication. Document every call, time, and recipient in a contemporaneous timeline; you will need it for insurance claims and potential litigation.

Tenant Hardening Post-Incident

Containment and eradication are tenant-wide, not just on the compromised user. For the affected mailbox: revoke all sessions with Revoke-AzureADUserAllRefreshToken (or the Graph equivalent), reset the password and require change at next sign-on, remove all OAuth grants for the user (Get-AzureADUserOAuth2PermissionGrant), delete attacker-created inbox rules, remove external forwarding, re-register MFA from scratch (delete and re-enroll, do not just add a factor). For the tenant: review and disable any new Exchange transport rules, mail flow connectors, or accepted domains created during the dwell period (these are favorite persistence mechanisms; attackers add a connector to silently exfiltrate mail). Audit all OAuth applications with high-privilege Graph permissions and revoke any granted in the last 90 days that you cannot positively identify. Enable Continuous Access Evaluation in Conditional Access if not already on; this shortens the window between session revocation and token invalidation from 1 hour to roughly 10 minutes. Force a password reset and MFA re-registration for any user who shared a session, device, or workflow with the compromised account. Finally, deploy or tune Conditional Access policies to block legacy auth, require phishing-resistant MFA for privileged roles, and block sign-in from high-risk countries if your workforce footprint allows.

Regulatory Notification and Disclosure

BEC incidents frequently trigger notification obligations even when no funds were lost, because the attacker had access to mailboxes containing personal information. In the United States, all 50 states plus DC have breach notification laws; the trigger is generally unauthorized access to unencrypted personal information (name plus SSN, financial account, driver's license, medical info), and the notification window ranges from 30 to 90 days. For publicly traded companies, the SEC's 2023 cybersecurity disclosure rule requires an 8-K filing within four business days of determining a cybersecurity incident is material; BEC with confirmed wire fraud above the materiality threshold (often $1M or above, but check with counsel and investor relations) usually qualifies. For healthcare entities, HIPAA breach notification triggers if PHI was in the mailbox and the attacker accessed it; the 60 day notification clock to affected individuals plus HHS reporting applies. For EU data, GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach involving personal data. Build the notification timeline into the incident playbook so legal, compliance, and PR are engaged on day one, not day fifteen.

The bottom line

BEC is a race against three clocks: the SWIFT recall window, the audit log retention horizon, and the regulatory notification timer. Win the first by calling your bank within 2 hours of confirmation. Win the second by enabling MailItemsAccessed and extending UAL retention to at least 180 days before you need it. Win the third by making legal and compliance permanent members of the BEC playbook, not external escalations.

Most BEC cases were preventable with phishing-resistant MFA and disabled legacy auth. Every post-incident review should generate a hardening backlog item; the second BEC against the same tenant is an unforgivable repeat.

Frequently asked questions

What if MailItemsAccessed is not enabled in our tenant?

Without MailItemsAccessed (which requires E5 or the Microsoft 365 Audit add-on), you cannot determine which specific messages the attacker read. You can still scope by message volume and folder activity through other audit events, but the regulatory analysis becomes harder because you may have to treat all mail received during the dwell window as potentially accessed. Enable MailItemsAccessed across the tenant now; the cost of the E5 audit add-on is trivial compared to the cost of a forensics gap during BEC. Microsoft enables MailItemsAccessed by default for E5 tenants but throttles to a maximum of 1000 events per mailbox per 24 hours, so very high-volume mailboxes may have gaps.

How do we tell whether the attacker actually sent fraudulent mail or just read the mailbox?

Query MessageSent or Send operations in the audit log for the affected window. Cross-reference SentItems folder content; attackers often delete sent items after sending to hide the activity, but the audit log captures the send event even if the user deletes the message. Also check the message trace in Exchange admin center for outbound mail from the user; the trace covers a 90 day window and includes recipients, subject, and delivery status. If you see sends to external recipients during attacker-controlled hours, treat as confirmed outbound fraud and notify recipients.

Should we preserve the mailbox before remediation?

Yes, place the mailbox on litigation hold or eDiscovery hold before resetting credentials or removing inbox rules. The hold preserves the mailbox content even if the attacker (or a remediation script) deletes items. In Microsoft Purview, run a content search scoped to the user's mailbox and export to a PST; store the export in a forensics evidence repository with chain-of-custody documentation. Do this before notifying the user, because users sometimes panic-delete suspicious items and contaminate the evidence.

What is the difference between BEC and account takeover (ATO)?

Account takeover is the act of gaining access to the account; BEC is the financial fraud that ATO enables when applied to email. Not every ATO becomes BEC (the attacker might be after IP, not money) and not every BEC starts with ATO (some BEC variants use lookalike domain impersonation without ever compromising the real mailbox). The investigation overlaps significantly but the regulatory analysis differs: ATO without confirmed data exfiltration may not trigger breach notification in some jurisdictions, while ATO with confirmed mail access usually does.

How long should we keep the BEC investigation artifacts?

Minimum 7 years for tax and financial fraud cases, longer if litigation is reasonably anticipated. Most cyber insurance policies require evidence preservation for the duration of any potential subrogation claim, which can be 2 to 5 years. Store the PST exports, audit log CSVs, sign-in log exports, and timeline in a write-once or version-controlled repository with documented access controls. The first time you need this for a subpoena or insurance dispute, you will be glad you over-preserved.

Sources & references

  1. FBI IC3 Business Email Compromise Report
  2. Microsoft Purview Audit Search Documentation
  3. CISA BEC Incident Response Guide
  4. SEC Cybersecurity Disclosure Rules

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.