Business Email Compromise (BEC) Investigation Runbook

SOC & DFIR Operations Guide

Environment: Windows AD | Microsoft 365 | Defender XDR | Sentinel | Entra ID | Palo Alto Prisma Access

---

Overview & Scope

This runbook provides standardised procedures for investigating Business Email Compromise (BEC) attacks across the Microsoft 365 environment. BEC attacks are sophisticated social engineering schemes that exploit email to defraud organisations, often resulting in significant financial losses and data breaches.

What is Business Email Compromise?

BEC is a type of cybercrime where attackers use email fraud to target organisations. Unlike traditional phishing, BEC attacks are highly targeted, well-researched, and often involve impersonating trusted parties or compromising legitimate email accounts.

Key Statistics:

• BEC accounts for the largest financial losses in cybercrime

• Often no malware involved - relies on social engineering

• Targets finance, HR, executives, and legal departments

BEC Attack Categories

By Attack Type

Type	Description	Target	Financial Risk
CEO Fraud	Impersonation of executive requesting urgent wire transfer	Finance team	Critical
Account Compromise	Takeover of legitimate email account	Any employee	High
Invoice Fraud	Fake or modified invoices from "vendors"	Accounts Payable	Critical
Vendor Impersonation	Impersonating suppliers/partners	Procurement, Finance	High
Attorney Impersonation	Fake legal requests requiring urgent action	Executives, Finance	High
Data Theft	Targeting HR/Finance for W-2s, PII, payroll data	HR, Payroll	High
Gift Card Scam	Request to purchase gift cards	Any employee	Medium
Payroll Diversion	Request to change direct deposit information	HR, Payroll	High

By Compromise Method

Method	Description	Detection Difficulty
Spoofing	Forging sender address to appear legitimate	Low-Medium
Look-alike Domains	Using domains similar to legitimate ones (typosquatting)	Medium
Display Name Deception	Matching display name but different email address	Low
Account Takeover (ATO)	Compromising actual email account	High
Mailbox Rule Abuse	Creating rules to hide attacker activity	High
Reply-Chain Hijacking	Inserting into existing email conversations	Very High
Compromised Vendor	Using actually compromised third-party accounts	Very High

BEC Attack Lifecycle

1. Reconnaissance
   └── Research target organisation, executives, vendors, financial processes

2. Initial Contact / Compromise
   ├── Phishing for credentials
   ├── Domain spoofing setup
   └── Account takeover

3. Establish Presence (if ATO)
   ├── Create inbox rules to hide activity
   ├── Monitor email for opportunities
   └── Gather intelligence on processes

4. Execution
   ├── Send fraudulent request
   ├── Create urgency/pressure
   └── Provide payment instructions

5. Cash Out
   ├── Wire transfer to attacker account
   ├── Gift card codes sent
   └── Payroll diverted

---

Detection Sources & Data Mapping

Log Sources Matrix

Platform	Log Table	BEC-Relevant Data
Defender for Office	EmailEvents	Email metadata, delivery status
Defender for Office	EmailAttachmentInfo	Attachment analysis
Defender for Office	EmailUrlInfo	URLs in emails
Defender for Office	EmailPostDeliveryEvents	Post-delivery actions (ZAP)
Defender for Office	UrlClickEvents	User URL clicks
Exchange Online	OfficeActivity	Mailbox operations, rules
Exchange Online	CloudAppEvents	Mail send, forwarding
Entra ID	SigninLogs	Account access patterns
Entra ID	AuditLogs	Account changes
Entra ID	AADNonInteractiveUserSignInLogs	App-based sign-ins
Entra ID	RiskyUsers, RiskySignIns	Identity Protection alerts
Sentinel	SecurityAlert	Correlated BEC alerts
Sentinel	ThreatIntelligenceIndicator	Known BEC IOCs

Critical Detection Indicators

Email-Level Indicators

Indicator	Description	Risk Level
External sender with internal display name	Spoofing executive names	High
Look-alike domain	Typosquatted or similar domain	High
Reply-to mismatch	Reply address differs from sender	High
First-time sender	Never communicated before	Medium
Urgent financial request	Wire transfer, gift cards	Critical
Changed banking details	New account information	Critical
External forwarding rule	Mail forwarded outside org	Critical
Unusual sending patterns	Off-hours, unusual recipients	Medium

Account Compromise Indicators

Indicator	Description	Risk Level
Impossible travel	Sign-ins from distant locations	High
New inbox rules	Especially delete/forward rules	Critical
Suspicious sign-in properties	New device, browser, location	Medium
Mail forwarding changes	SMTP forwarding added	Critical
Delegate access added	New mailbox permissions	High
Bulk email operations	Mass delete, forward, export	High
OAuth app consent	New app with mail permissions	High
Legacy protocol sign-in	IMAP/POP3 authentication	High

Behavioral Indicators

Indicator	Description	Risk Level
Urgency language	"ASAP", "urgent", "confidential"	Medium
Authority assertion	"CEO approved", "don't tell anyone"	High
Process bypass requests	"Skip normal approval"	Critical
Gift card requests	Purchase and send codes	High
Banking change requests	New wire instructions	Critical
W-2/Tax form requests	Bulk PII requests	High
Unusual payment amounts	Outside normal ranges	Medium

---

Investigation Workflows

BEC Alert Triage

Objective: Quickly assess if a reported email is a BEC attempt and determine if any action has been taken.

Step 1: Initial Assessment

1. Identify the reported email (subject, sender, recipient, time)

2. Determine alert source (user report, automated detection, MDO)

3. Check if email was delivered or blocked

4. Assess the request type (wire transfer, gift cards, data)

5. Determine urgency based on potential financial impact

Step 2: Email Analysis

1. Review email headers for spoofing indicators

2. Check sender domain reputation and age

3. Analyze display name vs. actual email address

4. Review reply-to address configuration

5. Check for look-alike domain usage

6. Examine email content for social engineering tactics

Step 3: Recipient Impact Assessment

1. Identify all recipients of the email

2. Check if any recipients replied or clicked links

3. Review any attachments opened

4. Determine if any actions were taken (wire sent, etc.)

5. Contact recipients to verify no action taken

Step 4: Classification

Classification	Criteria	Action
External Impersonation	Spoofed/look-alike domain	Block domain, warn users
Account Compromise	Sent from legitimate internal account	Contain account, full investigation
Vendor Compromise	From actual compromised vendor	Contact vendor, block sender
False Positive	Legitimate email incorrectly flagged	Whitelist, close alert

---

Account Takeover (ATO) Investigation

Objective: Investigate suspected email account compromise used for BEC.

Step 1: Confirm Compromise

1. Review sign-in logs for anomalies

2. Check for impossible travel scenarios

3. Look for new device/browser/location sign-ins

4. Review MFA challenge results

5. Check Identity Protection risk scores

Step 2: Assess Mailbox Activity

1. Query mailbox audit logs for suspicious operations

2. Check for inbox rule creation/modification

3. Review sent items for unauthorised emails

4. Check deleted items for evidence destruction

5. Review mail forwarding configuration

Step 3: Identify Attacker Actions

1. Map timeline of unauthorised access

2. Identify emails sent by attacker

3. Document inbox rules created

4. Check for OAuth app consents

5. Review delegate access changes

Step 4: Determine Impact

1. List all recipients of fraudulent emails

2. Check if financial requests were made

3. Identify any data exfiltrated

4. Review if other accounts were targeted

5. Assess vendor/partner notification needs

Step 5: Containment

1. Reset user password immediately

2. Revoke all active sessions

3. Remove malicious inbox rules

4. Disable mail forwarding

5. Revoke suspicious OAuth apps

6. Enable/verify MFA

7. Block attacker IPs if identified

---

Invoice/Payment Fraud Investigation

Objective: Investigate BEC attempts targeting financial transactions.

Step 1: Email Trail Analysis

1. Locate the original fraudulent email

2. Identify the full email thread/conversation

3. Determine if legitimate thread was hijacked

4. Check for prior reconnaissance emails

5. Document all related communications

Step 2: Financial Request Analysis

1. Review the specific financial request

2. Compare requested account to known vendor details

3. Verify with vendor through separate channel

4. Check for recent "banking change" notifications

5. Review invoice details for inconsistencies

Step 3: Payment Status

Status	Immediate Action
Not Sent	Block payment, warn finance team
Pending	Cancel immediately, contact bank
Sent < 24 hours	Contact bank for recall
Sent > 24 hours	Contact bank, likely unrecoverable

Step 4: Source Identification

1. Determine if sender account was compromised

2. Check if vendor's email was compromised

3. Identify if domain spoofing was used

4. Review for man-in-the-middle indicators

5. Check for prior account access anomalies

Step 5: Recovery Actions

1. Contact bank immediately for wire recall

2. File IC3/FBI complaint for significant amounts

3. Preserve all evidence for law enforcement

4. Notify cyber insurance carrier

5. Document timeline for legal purposes

---

Executive Impersonation Investigation

Objective: Investigate BEC attempts impersonating executives.

Step 1: Impersonation Analysis

1. Identify the impersonated executive

2. Compare spoofed email to legitimate address

3. Check domain registration details

4. Review email authentication results (SPF/DKIM/DMARC)

5. Analyse writing style and signature

Step 2: Target Analysis

1. Identify all recipients targeted

2. Determine why these recipients were chosen

3. Check for prior reconnaissance against targets

4. Review if organisational info is publicly available

5. Assess social engineering sophistication

Step 3: Campaign Scope

1. Search for similar emails to other employees

2. Check for other impersonated executives

3. Look for variations in sender domains

4. Identify common infrastructure (IPs, domains)

5. Determine if targeted campaign or spray attack

Step 4: Response Coordination

1. Alert executive being impersonated

2. Send targeted warning to potential victims

3. Block identified spoofing infrastructure

4. Update email filters/rules

5. Consider organisation-wide alert

---

Inbox Rule Abuse Investigation

Objective: Investigate malicious inbox rules created by attackers.

Common Malicious Rule Patterns

Rule Type	Purpose	Detection
Delete incoming	Hide responses about fraud	Rule deletes from specific senders
Move to RSS/Archive	Hide from primary view	Rule moves to obscure folders
Forward externally	Exfiltrate ongoing mail	Forwarding to external address
Delete sent items	Hide attacker's emails	Rule deletes sent mail
Mark as read	Prevent notification	Rule marks as read immediately
Auto-reply	Automate responses	Suspicious auto-reply content

Investigation Steps

1. Export all inbox rules

   • Query OfficeActivity for rule operations

   • Review current rules via PowerShell/Admin Center

   • Check for hidden/obfuscated rules

2. Analyse rule creation timeline

   • Correlate with sign-in anomalies

   • Check who created the rules

   • Identify source IP/device

3. Assess rule impact

   • Determine what mail was affected

   • Check forwarding destinations

   • Review deleted/moved messages

4. Remove malicious rules

   • Delete all attacker-created rules

   • Document rules for evidence

   • Monitor for re-creation

---

KQL Query Cheat Sheet

Email Analysis Queries

Suspicious External Senders with Internal Display Names

EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where SenderFromDomain != "yourdomain.com"
| extend DisplayName = extract(@"^([^<]+)", 1, SenderFromAddress)
| where DisplayName has_any ("CEO Name", "CFO Name", "Controller Name")  // Add your executives
| project Timestamp, Subject, SenderFromAddress, SenderFromDomain, RecipientEmailAddress, DisplayName
| sort by Timestamp desc

Look-alike Domain Detection

let legitimateDomains = dynamic(["yourdomain.com", "vendor1.com", "vendor2.com"]);
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where SenderFromDomain !in (legitimateDomains)
| extend DomainSimilarity = 
    case(
        SenderFromDomain matches regex @"yourdoma[il1]n\.com", "Typosquat",
        SenderFromDomain matches regex @"y0urdomain\.com", "Homoglyph",
        SenderFromDomain matches regex @"yourdomain-.*\.com", "Hyphenated",
        SenderFromDomain matches regex @"yourdomain\..*", "TLD variation",
        "Other"
    )
| where DomainSimilarity != "Other"
| summarize Count = count(), Recipients = make_set(RecipientEmailAddress) by SenderFromDomain, DomainSimilarity
| sort by Count desc

Reply-To Mismatch Detection

EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where isnotempty(SenderReplyToAddress)
| where SenderFromAddress != SenderReplyToAddress
| where SenderReplyToAddress !endswith "yourdomain.com"
| project Timestamp, Subject, SenderFromAddress, SenderReplyToAddress, RecipientEmailAddress
| sort by Timestamp desc

First-Time Sender to Executive

let executives = dynamic(["ceo@yourdomain.com", "cfo@yourdomain.com", "controller@yourdomain.com"]);
let baseline = EmailEvents
| where Timestamp between (ago(90d) .. ago(7d))
| where RecipientEmailAddress in (executives)
| summarize by SenderFromAddress, RecipientEmailAddress;
EmailEvents
| where Timestamp > ago(7d)
| where RecipientEmailAddress in (executives)
| where EmailDirection == "Inbound"
| join kind=leftanti baseline on SenderFromAddress, RecipientEmailAddress
| project Timestamp, Subject, SenderFromAddress, SenderFromDomain, RecipientEmailAddress
| sort by Timestamp desc

Emails with Financial Keywords

EmailEvents
| where Timestamp > ago(24h)
| where EmailDirection == "Inbound"
| where Subject has_any (
    "wire transfer",
    "bank account",
    "payment",
    "invoice",
    "urgent",
    "confidential",
    "gift card",
    "direct deposit",
    "W-2",
    "W2",
    "tax form",
    "ACH",
    "routing number"
)
| project Timestamp, Subject, SenderFromAddress, SenderFromDomain, RecipientEmailAddress, DeliveryAction
| sort by Timestamp desc

---

Account Compromise Detection

Sign-in Anomalies for Mail Users

SigninLogs
| where TimeGenerated > ago(7d)
| where AppDisplayName has_any ("Outlook", "Exchange", "Office 365")
| where ResultType == 0  // Successful
| summarize 
    Locations = make_set(Location),
    IPs = make_set(IPAddress),
    Devices = make_set(DeviceDetail.displayName),
    SignInCount = count()
    by UserPrincipalName
| where array_length(Locations) > 3 or array_length(IPs) > 10
| sort by array_length(Locations) desc

Impossible Travel for Email Access

SigninLogs
| where TimeGenerated > ago(24h)
| where AppDisplayName has_any ("Outlook", "Exchange", "Office 365")
| where ResultType == 0
| project TimeGenerated, UserPrincipalName, Location, IPAddress, AppDisplayName
| sort by UserPrincipalName, TimeGenerated asc
| serialize
| extend PrevLocation = prev(Location), PrevTime = prev(TimeGenerated), PrevUser = prev(UserPrincipalName)
| where UserPrincipalName == PrevUser and Location != PrevLocation
| extend TimeDiffMinutes = datetime_diff('minute', TimeGenerated, PrevTime)
| where TimeDiffMinutes < 60
| project TimeGenerated, UserPrincipalName, Location, PrevLocation, TimeDiffMinutes, IPAddress

Legacy Protocol Authentication

SigninLogs
| where TimeGenerated > ago(7d)
| where ClientAppUsed in ("Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Other clients")
| where ResultType == 0
| summarize 
    AuthCount = count(),
    IPs = make_set(IPAddress),
    Locations = make_set(Location)
    by UserPrincipalName, ClientAppUsed
| sort by AuthCount desc

New OAuth App Consent with Mail Permissions

AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Consent to application"
| extend AppName = tostring(TargetResources[0].displayName)
| extend Permissions = tostring(TargetResources[0].modifiedProperties[4].newValue)
| extend ConsentedBy = tostring(InitiatedBy.user.userPrincipalName)
| where Permissions has_any ("Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings")
| project TimeGenerated, AppName, Permissions, ConsentedBy, Result
| sort by TimeGenerated desc

---

Mailbox Activity Analysis

Inbox Rule Creation/Modification

CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType in ("New-InboxRule", "Set-InboxRule", "Enable-InboxRule")
| extend RuleName = tostring(parse_json(RawEventData).Parameters[0].Value)
| extend RuleConditions = tostring(RawEventData)
| project Timestamp, AccountDisplayName, ActionType, RuleName, RuleConditions, IPAddress
| sort by Timestamp desc

Suspicious Inbox Rules (Forwarding/Deletion)

CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType in ("New-InboxRule", "Set-InboxRule")
| extend RawData = parse_json(RawEventData)
| extend Parameters = RawData.Parameters
| mv-expand Parameters
| where Parameters.Name in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage", "MoveToFolder")
| extend RuleName = tostring(RawData.Parameters[0].Value)
| extend ParameterName = tostring(Parameters.Name)
| extend ParameterValue = tostring(Parameters.Value)
| project Timestamp, AccountDisplayName, RuleName, ParameterName, ParameterValue, IPAddress
| sort by Timestamp desc

Email Forwarding Configuration Changes

CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType in ("Set-Mailbox", "Set-MailboxJunkEmailConfiguration")
| where RawEventData has_any ("ForwardingSmtpAddress", "ForwardingAddress", "DeliverToMailboxAndForward")
| extend ModifiedProperties = parse_json(RawEventData).Parameters
| project Timestamp, AccountDisplayName, ActionType, ModifiedProperties, IPAddress
| sort by Timestamp desc

Bulk Email Operations

CloudAppEvents
| where Timestamp > ago(24h)
| where ActionType in ("SoftDelete", "HardDelete", "Move", "MoveToDeletedItems")
| summarize 
    OperationCount = count(),
    Operations = make_set(ActionType)
    by AccountDisplayName, bin(Timestamp, 1h)
| where OperationCount > 50
| sort by OperationCount desc

Delegate/Permission Changes

CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType in ("Add-MailboxPermission", "Add-RecipientPermission", "Set-Mailbox")
| where RawEventData has_any ("FullAccess", "SendAs", "SendOnBehalf", "GrantSendOnBehalfTo")
| extend ModifiedMailbox = tostring(parse_json(RawEventData).Parameters[0].Value)
| extend GrantedTo = tostring(parse_json(RawEventData).Parameters[1].Value)
| project Timestamp, AccountDisplayName, ActionType, ModifiedMailbox, GrantedTo, IPAddress
| sort by Timestamp desc

---

Sent Email Analysis

Emails Sent to External Recipients

CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType == "Send"
| extend Recipients = tostring(parse_json(RawEventData).Recipients)
| where Recipients !has "yourdomain.com"
| summarize 
    ExternalSends = count(),
    Recipients = make_set(Recipients, 20)
    by AccountDisplayName, bin(Timestamp, 1d)
| where ExternalSends > 50
| sort by ExternalSends desc

Emails with Wire Transfer Keywords (Sent)

CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType == "Send"
| extend Subject = tostring(parse_json(RawEventData).Subject)
| where Subject has_any ("wire", "transfer", "payment", "bank account", "routing", "ACH")
| extend Recipients = tostring(parse_json(RawEventData).Recipients)
| project Timestamp, AccountDisplayName, Subject, Recipients, IPAddress
| sort by Timestamp desc

Unusual Sending Patterns (Off-Hours)

CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType == "Send"
| extend Hour = hourofday(Timestamp)
| extend DayOfWeek = dayofweek(Timestamp)
| where Hour < 6 or Hour > 22 or DayOfWeek in (0d, 6d)  // Off-hours or weekends
| summarize 
    OffHoursSends = count(),
    Subjects = make_set(tostring(parse_json(RawEventData).Subject), 10)
    by AccountDisplayName
| where OffHoursSends > 10
| sort by OffHoursSends desc

---

Threat Intelligence Correlation

Known BEC Domains

let becDomains = externaldata(Domain: string)
[@"https://your-threat-intel/bec-domains.csv"] with (format="csv");
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromDomain in (becDomains)
| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, DeliveryAction

Emails from Recently Registered Domains

EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| join kind=inner (
    // If you have domain age data in threat intel
    ThreatIntelligenceIndicator
    | where IndicatorType == "domain"
    | extend DomainAge = datetime_diff('day', now(), ExpirationDateTime)
    | where DomainAge < 30
    | project Domain = DomainName
) on $left.SenderFromDomain == $right.Domain
| project Timestamp, Subject, SenderFromAddress, SenderFromDomain, RecipientEmailAddress

---

Investigation Queries

Full Email Timeline for User

let targetUser = "user@yourdomain.com";
let timeframe = 7d;
union
    (EmailEvents
    | where Timestamp > ago(timeframe)
    | where RecipientEmailAddress =~ targetUser or SenderFromAddress =~ targetUser
    | project Timestamp, EventType = "Email", Details = strcat(SenderFromAddress, " -> ", RecipientEmailAddress, ": ", Subject)),
    (CloudAppEvents
    | where Timestamp > ago(timeframe)
    | where AccountDisplayName =~ targetUser
    | where ActionType in ("Send", "MailItemsAccessed", "New-InboxRule", "Set-InboxRule")
    | project Timestamp, EventType = ActionType, Details = tostring(RawEventData)),
    (SigninLogs
    | where TimeGenerated > ago(timeframe)
    | where UserPrincipalName =~ targetUser
    | where AppDisplayName has_any ("Outlook", "Exchange", "Office")
    | project Timestamp = TimeGenerated, EventType = "SignIn", Details = strcat(Location, " - ", IPAddress, " - ", AppDisplayName))
| sort by Timestamp asc

Identify All Emails in Fraudulent Thread

let fraudSubject = "Re: Urgent Wire Transfer";
let timeframe = 30d;
EmailEvents
| where Timestamp > ago(timeframe)
| where Subject has fraudSubject or ConversationId == "conversation-id-here"
| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId, ConversationId
| sort by Timestamp asc

Cross-Reference Sign-ins with Email Activity

let targetUser = "compromised@yourdomain.com";
let suspiciousIP = "1.2.3.4";
union
    (SigninLogs
    | where TimeGenerated > ago(7d)
    | where UserPrincipalName =~ targetUser
    | where IPAddress == suspiciousIP
    | project Timestamp = TimeGenerated, Activity = "SignIn", Details = strcat(AppDisplayName, " from ", Location))),
    (CloudAppEvents
    | where Timestamp > ago(7d)
    | where AccountDisplayName =~ targetUser
    | where IPAddress == suspiciousIP
    | project Timestamp, Activity = ActionType, Details = tostring(RawEventData))
| sort by Timestamp asc

---

Response Actions & Remediation

Immediate Response Actions

BEC Email Reported (No Action Taken)

Step	Action	Tool/Method
1	Block sender domain	Exchange Admin / MDO
2	Delete email from all mailboxes	Threat Explorer - Soft Delete
3	Add domain to block list	MDO Tenant Allow/Block List
4	Submit to Microsoft	Report as phishing
5	Alert targeted users	Direct communication
6	Update email rules	Transport rules if needed

Account Compromise Confirmed

Step	Action	Tool/Method
1	Reset password immediately	Entra ID / AD
2	Revoke all sessions	Revoke-MgUserSignInSession
3	Remove malicious inbox rules	Exchange Admin / PowerShell
4	Disable mail forwarding	Exchange Admin
5	Revoke OAuth app consents	Entra ID Enterprise Apps
6	Enable/Reset MFA	Entra ID
7	Review sent items	Search for fraudulent emails
8	Notify recipients of fraudulent emails	Direct contact
9	Block attacker IPs	Conditional Access
10	Monitor for re-compromise	Enhanced monitoring

Financial Fraud Occurred

Step	Action	Timeline
1	Contact bank immediately	Within minutes
2	Request wire recall	ASAP (< 24 hours critical)
3	Preserve all evidence	Immediately
4	File IC3 complaint	Same day
5	Notify cyber insurance	Same day
6	Engage law enforcement	If significant amount
7	Document everything	Ongoing

PowerShell Remediation Commands

Account Containment

# Connect to Exchange Online
Connect-ExchangeOnline

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.ReadWrite.All", "Mail.ReadWrite"

# Block sign-in
Update-MgUser -UserId "user@domain.com" -AccountEnabled:$false

# Revoke all sessions
Revoke-MgUserSignInSession -UserId "user@domain.com"

# Reset password (requires additional permissions)
$newPassword = ConvertTo-SecureString "TempP@ssw0rd123!" -AsPlainText -Force
Update-MgUser -UserId "user@domain.com" -PasswordProfile @{
    Password = "TempP@ssw0rd123!"
    ForceChangePasswordNextSignIn = $true
}

Remove Malicious Inbox Rules

# List all inbox rules
Get-InboxRule -Mailbox "user@domain.com" | Format-List Name, Description, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder

# Remove specific rule
Remove-InboxRule -Mailbox "user@domain.com" -Identity "Rule Name" -Confirm:$false

# Remove ALL inbox rules (use with caution)
Get-InboxRule -Mailbox "user@domain.com" | Remove-InboxRule -Confirm:$false

# Check for forwarding
Get-Mailbox "user@domain.com" | Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Remove forwarding
Set-Mailbox "user@domain.com" -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

Remove OAuth App Consents

# List OAuth grants for user
$userId = (Get-MgUser -UserId "user@domain.com").Id
Get-MgUserOauth2PermissionGrant -UserId $userId | Format-List

# Get service principals with delegated permissions
$grants = Get-MgUserOauth2PermissionGrant -UserId $userId
foreach ($grant in $grants) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    Write-Host "App: $($sp.DisplayName) - Scopes: $($grant.Scope)"
}

# Remove specific OAuth grant
Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId "grant-id"

Purge Malicious Emails

# Using Compliance Search (Security & Compliance PowerShell)
Connect-IPPSSession

# Create search
New-ComplianceSearch -Name "BEC_Purge_$(Get-Date -Format 'yyyyMMdd')" `
    -ExchangeLocation All `
    -ContentMatchQuery 'from:attacker@malicious.com AND subject:"Wire Transfer Request"'

# Start search
Start-ComplianceSearch -Identity "BEC_Purge_$(Get-Date -Format 'yyyyMMdd')"

# Check status
Get-ComplianceSearch -Identity "BEC_Purge_$(Get-Date -Format 'yyyyMMdd')"

# Purge results (Soft Delete)
New-ComplianceSearchAction -SearchName "BEC_Purge_$(Get-Date -Format 'yyyyMMdd')" -Purge -PurgeType SoftDelete

# Purge results (Hard Delete - use with caution)
New-ComplianceSearchAction -SearchName "BEC_Purge_$(Get-Date -Format 'yyyyMMdd')" -Purge -PurgeType HardDelete

Block Sender Domain

# Add to Tenant Block List
New-TenantAllowBlockListItems -ListType Sender -Block -Entries "malicious-domain.com" -NoExpiration

# Create transport rule to block domain
New-TransportRule -Name "Block BEC Domain - malicious-domain.com" `
    -FromAddressMatchesPatterns "@malicious-domain\.com$" `
    -DeleteMessage $true `
    -SetSCL 9

---

Quick Reference Cards

BEC Red Flags Checklist

Email Content Red Flags

• [ ] Urgent or time-sensitive request

• [ ] Request to bypass normal procedures

• [ ] Request for secrecy ("don't tell anyone")

• [ ] Changed payment/banking details

• [ ] Gift card purchase request

• [ ] W-2 or employee data request

• [ ] Unusual sender for request type

• [ ] Grammar/spelling inconsistent with sender

• [ ] Generic greeting instead of personal

Technical Red Flags

• [ ] External sender with internal display name

• [ ] Reply-to differs from sender address

• [ ] Newly registered domain (< 30 days)

• [ ] Look-alike/typosquatted domain

• [ ] Failed SPF/DKIM/DMARC

• [ ] Sent from free email provider

• [ ] Embedded links to credential harvest

• [ ] Attachment with macro/script

Account Red Flags

• [ ] Sign-in from new location

• [ ] Impossible travel detected

• [ ] New inbox rules created

• [ ] Mail forwarding enabled

• [ ] OAuth app with mail permissions

• [ ] Legacy protocol authentication

• [ ] Bulk email deletions

• [ ] Off-hours activity

Domain Analysis Quick Reference

Check	Tool/Method	What to Look For
Domain Age	WHOIS lookup	< 30 days = suspicious
Registration	WHOIS	Privacy protection, unusual registrar
Similarity	Visual comparison	Typos, homoglyphs, hyphens
MX Records	DNS lookup	Legitimate mail infrastructure
SPF/DKIM/DMARC	Email headers	Pass/Fail status
Reputation	VirusTotal, URLVoid	Known malicious indicators
SSL Certificate	Browser/SSLLabs	Valid cert, matches domain

Email Header Analysis

Header	What to Check
From:	Display name vs. actual address
Reply-To:	Matches From? Different domain?
Return-Path:	Envelope sender, should match
Received:	Mail server path, originating IP
Authentication-Results:	SPF, DKIM, DMARC pass/fail
X-Originating-IP:	Sender's IP address
Message-ID:	Domain should match sender
X-MS-Exchange-*	Microsoft-specific headers

Common BEC Phrases

Category	Example Phrases
Urgency	"ASAP", "urgent matter", "time-sensitive", "need this today"
Secrecy	"keep this confidential", "between us", "don't discuss with others"
Authority	"CEO approved", "I've already authorized", "board decision"
Unavailability	"I'm in a meeting", "traveling", "can't talk now"
Process Bypass	"skip normal process", "exception this time", "I'll approve later"
Financial	"wire transfer", "updated bank details", "new account"

---

Escalation Matrix

Severity Classification

Severity	Criteria	Response Time
🔴 Critical	Wire transfer sent, active ATO with ongoing fraud, multiple executives compromised	Immediate - 15 min
🟠 High	Wire transfer requested (not sent), confirmed ATO, finance team targeted	30 min - 1 hour
🟡 Medium	BEC attempt blocked, suspicious account activity, single user targeted	4 hours
🟢 Low	Obvious spam/phishing, blocked by filters, no user interaction	Next business day

Escalation Triggers

Condition	Escalation Level
Wire transfer completed	DFIR + Legal + Finance + CISO
Wire transfer pending	Tier 2 SOC + Finance (urgent)
Executive account compromised	DFIR + Tier 2 SOC + CISO
Multiple accounts compromised	DFIR + Tier 2 SOC
Vendor compromise suspected	Tier 2 SOC + Procurement
Data exfiltration (W-2, PII)	DFIR + Legal + HR + Privacy
> $50,000 potential exposure	CISO + Legal + Finance

External Notifications

Scenario	Notify	Timeline
Wire fraud > $50,000	FBI IC3, Local FBI field office	Immediately
Any wire fraud	Bank fraud department	Immediately
Wire fraud	Cyber insurance carrier	Within 24 hours
Data breach (PII)	Legal for regulatory assessment	Within 24 hours
Vendor compromise	Affected vendor	After internal assessment
Customer impact	Affected customers	Per legal/regulatory requirements

---

MITRE ATT&CK Mapping

Initial Access

Technique	ID	Description	Detection
Phishing: Spearphishing Attachment	T1566.001	Malicious attachment to gain access	EmailAttachmentInfo, MDO alerts
Phishing: Spearphishing Link	T1566.002	Malicious link to credential harvest	EmailUrlInfo, UrlClickEvents
Phishing: Spearphishing via Service	T1566.003	Via LinkedIn, social media	User reports
Valid Accounts: Cloud Accounts	T1078.004	Compromised cloud credentials	SigninLogs anomalies

Persistence

Technique	ID	Description	Detection
Account Manipulation: Email Forwarding	T1098.002	Auto-forward to external	OfficeActivity, CloudAppEvents
Account Manipulation: Additional Cloud Roles	T1098.003	Grant additional permissions	AuditLogs
Office Application Startup: Outlook Rules	T1137.005	Malicious inbox rules	CloudAppEvents (New-InboxRule)

Collection

Technique	ID	Description	Detection
Email Collection: Local Email Collection	T1114.001	Export mailbox locally	OfficeActivity (Export)
Email Collection: Remote Email Collection	T1114.002	Access via compromised account	MailItemsAccessed
Email Collection: Email Forwarding Rule	T1114.003	Forward to attacker	Inbox rules with forward

Impact

Technique	ID	Description	Detection
Financial Theft	T1657	Wire fraud, invoice manipulation	User reports, email content analysis

Relevant Reconnaissance

Technique	ID	Description	Detection
Gather Victim Org Information	T1591	Research organization structure	N/A (external)
Gather Victim Identity Information: Email Addresses	T1589.002	Harvest email addresses	N/A (external)
Search Open Websites/Domains	T1593	Find org info publicly	N/A (external)

---

Prevention & Hardening

Email Security Configuration

DMARC Implementation

# DNS TXT Record for DMARC
_dmarc.yourdomain.com  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100"

DMARC Policy	Description	Recommendation
p=none	Monitor only	Initial deployment
p=quarantine	Send to spam	Intermediate
p=reject	Block delivery	Production

Transport Rules for BEC Protection

# Warn on external emails impersonating executives
New-TransportRule -Name "External Executive Impersonation Warning" `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader "From" `
    -HeaderMatchesPatterns "CEO Name|CFO Name|Controller Name" `
    -PrependSubject "[EXTERNAL - VERIFY SENDER] " `
    -SetSCL 5

# Block external senders using internal domain in display name
New-TransportRule -Name "Block Spoofed Internal Display Name" `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader "From" `
    -HeaderMatchesPatterns "@yourdomain\.com" `
    -DeleteMessage $true

Defender for Office 365 Configuration

Feature	Setting	Purpose
Anti-phishing	Enable impersonation protection	Protect executives/VIPs
Anti-phishing	Enable mailbox intelligence	Learn user patterns
Safe Links	Enable URL rewriting	Protect against malicious links
Safe Attachments	Enable dynamic delivery	Scan attachments
User reported	Enable report button	Easy user reporting

User Awareness Checklist

Training Topics

• [ ] What is BEC and why it's dangerous

• [ ] Recognising suspicious email characteristics

• [ ] Verifying financial requests out-of-band

• [ ] Reporting suspicious emails properly

• [ ] Never sharing credentials via email

• [ ] Recognising urgency manipulation

Verification Procedures

Request Type	Verification Method
Wire transfer	Phone call to known number
Bank account change	In-person or video verification
Gift card purchase	Phone call to requester
W-2/Tax data	HR verification
Password/Credential	Never provide via email
Large purchases	Multi-person approval

---

Appendix: Investigation Commands

Email Header Analysis

# Get message trace
Get-MessageTrace -SenderAddress "sender@domain.com" -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)

# Get detailed message trace
Get-MessageTraceDetail -MessageTraceId "message-trace-id" -RecipientAddress "recipient@yourdomain.com"

# Get message headers
$headers = Get-MessageTrace -MessageId "<message-id>" | Get-MessageTraceDetail
$headers | Where-Object {$_.Event -eq "Receive"} | Select-Object -ExpandProperty Data

Mailbox Forensics

# Search mailbox audit log
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -UserIds "user@yourdomain.com" `
    -Operations "New-InboxRule","Set-InboxRule","Set-Mailbox","MailItemsAccessed" `
    -ResultSize 1000

# Get mailbox folder statistics (identify hidden folders)
Get-MailboxFolderStatistics -Identity "user@yourdomain.com" | 
    Select-Object Name, FolderPath, ItemsInFolder, FolderSize |
    Sort-Object ItemsInFolder -Descending

# Get mailbox audit log (classic)
Search-MailboxAuditLog -Identity "user@yourdomain.com" -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ShowDetails

OAuth App Investigation

# List all OAuth apps with mail permissions
$servicePrincipals = Get-MgServicePrincipal -All
foreach ($sp in $servicePrincipals) {
    $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id
    $mailGrants = $grants | Where-Object {$_.Scope -match "Mail"}
    if ($mailGrants) {
        Write-Host "App: $($sp.DisplayName)"
        Write-Host "  Scopes: $($mailGrants.Scope)"
        Write-Host "  ConsentType: $($mailGrants.ConsentType)"
        Write-Host ""
    }
}

# Get app role assignments
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "app-id" | 
    Select-Object AppRoleId, PrincipalDisplayName, CreatedDateTime

Evidence Preservation

# Export mailbox to PST (requires eDiscovery)
# Create eDiscovery case in Compliance Center first

# Export audit logs
$auditLogs = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds "compromised@yourdomain.com" -ResultSize 5000
$auditLogs | Export-Csv "BEC_AuditLogs_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# Export sign-in logs via Graph
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'compromised@yourdomain.com'" -Top 1000
$signIns | Export-Csv "BEC_SignIns_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# Export inbox rules
$rules = Get-InboxRule -Mailbox "compromised@yourdomain.com"
$rules | Export-Csv "BEC_InboxRules_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

Bulk User Analysis

# Check all users for forwarding rules
$mailboxes = Get-Mailbox -ResultSize Unlimited
$forwardingEnabled = @()

foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $forwardingEnabled += [PSCustomObject]@{
            User = $mbx.UserPrincipalName
            ForwardingSmtpAddress = $mbx.ForwardingSmtpAddress
            ForwardingAddress = $mbx.ForwardingAddress
            DeliverToMailboxAndForward = $mbx.DeliverToMailboxAndForward
        }
    }
}

$forwardingEnabled | Export-Csv "Forwarding_Audit.csv" -NoTypeInformation

# Check all users for inbox rules with external forwarding
$allRules = @()
foreach ($mbx in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    $suspiciousRules = $rules | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
    }
    foreach ($rule in $suspiciousRules) {
        $allRules += [PSCustomObject]@{
            User = $mbx.UserPrincipalName
            RuleName = $rule.Name
            ForwardTo = $rule.ForwardTo
            RedirectTo = $rule.RedirectTo
            DeleteMessage = $rule.DeleteMessage
            Enabled = $rule.Enabled
        }
    }
}

$allRules | Export-Csv "InboxRules_Audit.csv" -NoTypeInformation

---

BEC attacks represent the highest financial risk category in cybercrime. Time is critical when wire transfers are involved. Always escalate potential wire fraud immediately—banks have limited windows to recall transfers (typically 24-48 hours, sometimes less).

Document everything meticulously for potential law enforcement involvement and insurance claims.