Recognizing the Signs
Business email compromise (BEC) is one of the most financially damaging cyberattacks affecting small and mid-size businesses. The FBI's Internet Crime Complaint Center reports BEC losses exceeding $2.9 billion annually in the US alone.
You may be dealing with a compromised email account if you notice any of the following:
- Sent items you did not write, especially messages to vendors, clients, or finance contacts
- Inbox rules you did not create, such as rules that auto-delete or forward messages
- Password reset notifications you did not request
- Colleagues or clients reporting suspicious messages from your address
- Unfamiliar sign-in activity in your account's sign-in logs
- Missing emails that should be in your inbox
If any of these apply, treat the account as compromised and act immediately. Speed matters.
Step 1: Contain the Account (Do This First)
The goal is to stop the attacker from continuing to use the account.
Reset the Password
- Have an administrator reset the user's password from the Microsoft Entra admin center
- Use a strong, unique password (16+ characters)
- Do not let the user reset their own password from the compromised account
Revoke Active Sessions
- In the Entra admin center, go to Users > select the user > Sign-in sessions
- Click Revoke all sessions
- This forces the attacker out of any active sessions immediately
Disable the Account Temporarily (If Needed)
If you cannot confirm containment, disable the account entirely until the investigation is complete. In the Entra admin center, go to Users > select the user > Properties > Account status and toggle sign-in to Block sign in. This is the safest option when financial fraud may be in progress.
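The three containment actions above, scripted with Microsoft Graph PowerShell as an added example (not from the original guide). It assumes the Microsoft.Graph.Users module, an operator role that can reset passwords (the Directory.AccessAsUser.All delegated scope), and a placeholder UPN.

```powershell
# Added example: Step 1 containment with Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Users is installed and the signed-in admin can
# reset passwords. 'user@domain.com' is a placeholder for the affected user.
$upn         = 'user@domain.com'
$BlockSignIn = $true   # set to $false if you have confirmed containment without it

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All'
$user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName

# 1. Block sign-in first when fraud may be in progress: no new tokens are
#    issued while the remaining steps run.
if ($BlockSignIn) { Update-MgUser -UserId $user.Id -AccountEnabled:$false }

# 2. Admin-side reset to a random 24-character password. A 64-symbol alphabet
#    keeps the byte-to-character mapping unbiased (256 is a multiple of 64).
$alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*'
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$newPassword = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })

Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# 3. Revoke refresh tokens and session cookies so a session the attacker
#    still holds cannot be renewed.
$null = Revoke-MgUserSignInSession -UserId $user.Id

# Hand the temporary password to the user out of band (phone, in person),
# never through the compromised mailbox. Record the containment time for
# the incident timeline.
[pscustomobject]@{
    User            = $user.UserPrincipalName
    ContainedAtUtc  = [DateTime]::UtcNow.ToString('o')
    SignInBlocked   = $BlockSignIn
    SessionsRevoked = $true
}
```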
Step 2: Check for Persistence Mechanisms
Attackers often set up ways to maintain access even after a password change. Check all of the following.
Inbox Rules
- Go to Exchange admin center > Recipients > Mailboxes > select user
- Click Manage mailbox delegation, or use PowerShell:
Get-InboxRule -Mailbox user@domain.com
- Look for rules that forward, redirect, or delete emails
- Delete any rules you did not create
Mail Forwarding
- In Exchange admin center, check the user's mailbox properties for Email forwarding
- Verify no external forwarding address has been added
- PowerShell:
Get-Mailbox user@domain.com | Select ForwardingAddress,ForwardingSmtpAddress
OAuth App Consents
- In Entra admin center, go to Users > select user > Applications
- Review consented applications
- Revoke any unfamiliar third-party app permissions
Registered Devices and MFA Methods
- Check Authentication methods for the user
- Remove any MFA methods you do not recognize (unfamiliar phone numbers, authenticator apps)
- Check Devices and remove any unrecognized registered devices
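The mail-side checks from this step (mailbox forwarding and inbox rules that forward, redirect, or delete), as an added example using the ExchangeOnlineManagement module; it is not part of the original guide. It assumes an Exchange administrator session and a placeholder UPN; OAuth consents and MFA methods are still reviewed in the Entra admin center as described above.

```powershell
# Added example: Step 2 persistence checks for the mailbox itself.
# Assumes ExchangeOnlineManagement is installed; the UPN is a placeholder.
$upn = 'user@domain.com'
Connect-ExchangeOnline -ShowBanner:$false

# Accepted domains let us tell internal from external forwarding targets.
$internal = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

# --- Mailbox-level forwarding --------------------------------------------
$mbx        = Get-Mailbox -Identity $upn
$smtpTarget = $mbx.ForwardingSmtpAddress -replace '^smtp:', ''
[pscustomobject]@{
    ForwardingAddress          = $mbx.ForwardingAddress
    ForwardingSmtpAddress      = $smtpTarget
    DeliverToMailboxAndForward = $mbx.DeliverToMailboxAndForward
    ExternalTarget             = if ($smtpTarget) { $smtpTarget.Split('@')[-1].ToLower() -notin $internal } else { $false }
} | Format-List

# --- Inbox rules; -IncludeHidden also returns rules Outlook does not show ---
$rules  = Get-InboxRule -Mailbox $upn -IncludeHidden
$report = foreach ($r in $rules) {
    $reasons = @()
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo) { $reasons += 'forwards' }
    if ($r.RedirectTo)                             { $reasons += 'redirects' }
    if ($r.DeleteMessage -or $r.SoftDeleteMessage) { $reasons += 'deletes' }
    [pscustomobject]@{
        Name        = $r.Name
        Enabled     = $r.Enabled
        Suspicious  = $reasons -join ','
        Description = $r.Description
        Identity    = $r.Identity
    }
}
$report | Sort-Object Suspicious -Descending | Format-Table Name, Enabled, Suspicious -AutoSize

# Remove only the rules the user did not create. -Confirm forces a prompt per
# rule so its full Description can be read before anything is deleted.
foreach ($bad in ($report | Where-Object Suspicious)) {
    Write-Host "`n$($bad.Description)"
    Remove-InboxRule -Mailbox $upn -Identity $bad.Identity -Confirm
}
```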
Step 3: Assess the Damage
Before you can notify the right people, you need to understand what the attacker did.
Review Sign-In Logs
- Entra admin center > Sign-in logs
- Filter by the affected user
- Look for sign-ins from unusual locations, IP addresses, or devices
- Note the earliest suspicious sign-in to establish a timeline
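The same sign-in review done from Microsoft Graph PowerShell, as an added example that is not part of the original guide. It pulls the user's sign-ins, groups them by source IP, and flags IPs outside the user's baseline country so the earliest suspicious sign-in can anchor the timeline; it assumes the Microsoft.Graph.Reports module, the AuditLog.Read.All scope, and a placeholder UPN.

```powershell
# Added example: Step 3 sign-in log review with Microsoft.Graph.Reports.
# Assumes the module is installed; the UPN is a placeholder.
$upn = 'user@domain.com'
Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'

# How far back this reaches depends on the tenant's Entra license tier.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -All

$events = $signIns | ForEach-Object {
    [pscustomobject]@{
        TimeUtc = $_.CreatedDateTime
        Ip      = $_.IpAddress
        Country = $_.Location.CountryOrRegion
        App     = $_.AppDisplayName
        Client  = $_.ClientAppUsed          # legacy protocols show up here
        Success = ($_.Status.ErrorCode -eq 0)
    }
} | Sort-Object TimeUtc

# Baseline = the country with the most successful sign-ins. Anything else is
# a candidate for review, not proof of compromise (travel and VPNs happen).
$baseline = $events | Where-Object Success | Group-Object Country |
    Sort-Object Count -Descending | Select-Object -First 1 -ExpandProperty Name

$byIp = foreach ($g in ($events | Group-Object Ip)) {
    $countries = @($g.Group.Country | Sort-Object -Unique)
    $ordered   = @($g.Group | Sort-Object TimeUtc)
    [pscustomobject]@{
        Ip        = $g.Name
        Countries = $countries -join ','
        Clients   = @($g.Group.Client | Sort-Object -Unique) -join ','
        Count     = $g.Count
        Successes = @($g.Group | Where-Object Success).Count
        FirstSeen = $ordered[0].TimeUtc
        LastSeen  = $ordered[-1].TimeUtc
        Flag      = if ($countries.Count -ne 1 -or $countries[0] -ne $baseline) { 'REVIEW' } else { '' }
    }
}
$byIp | Sort-Object FirstSeen | Format-Table -AutoSize

# The earliest successful sign-in from a flagged IP bounds the compromise
# window; use it as the start of the audit-log search that follows.
$earliest = $byIp | Where-Object { $_.Flag -and $_.Successes -gt 0 } |
    Sort-Object FirstSeen | Select-Object -First 1
"Compromise window starts no later than: $($earliest.FirstSeen) from $($earliest.Ip)"
```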
If your environment is monitored by Huntress, check the Huntress dashboard as well. Huntress provides identity threat detection and response (ITDR) and SIEM capabilities that correlate sign-in anomalies with other suspicious activity across your environment, giving you a more complete picture of the compromise timeline.
Review Audit Logs
- Check Unified audit log in the Microsoft Purview compliance portal
- Filter by the user and time range
- Look for mail access, file downloads, sharing changes, and admin actions
Check for Data Exfiltration
- Were sensitive files accessed or downloaded from SharePoint or OneDrive?
- Were emails forwarded to external addresses?
- Were contact lists or client data exported?
If your organization uses Dropsuite for Microsoft 365 backup, you can compare current mailbox and OneDrive contents against the backup to identify exactly what was deleted, modified, or exported during the compromise window.
Document everything you find. You will need this for notifications and potential legal obligations.
Step 4: Notify Stakeholders
Internal Notification
- Inform your leadership team and legal counsel
- Alert your finance team if the attacker sent payment-related messages
- Notify any employees who received suspicious messages from the compromised account
External Notification
- Contact any clients or vendors who received fraudulent messages
- If financial transactions were redirected, contact your bank immediately (wire recalls have a narrow window)
- If personal data was exposed, you may have breach notification obligations under state law (e.g., CCPA) or industry regulations (e.g., HIPAA)
Law Enforcement
- File a report with the FBI's IC3 if financial fraud occurred
- File a local police report if required by your cyber insurance policy
Step 5: Harden the Account and Environment
After containment and investigation, take these steps to prevent recurrence.
For the Affected Account
- Enable MFA if not already active (see our MFA setup guide)
- Require a fresh MFA registration
- Review and re-consent only necessary OAuth applications
For the Entire Organization
- Enable Conditional Access policies in Entra ID to require MFA for all users, block legacy authentication protocols, and restrict sign-ins from non-compliant devices. Conditional Access, included with Microsoft 365 Business Premium, is significantly more flexible than Security Defaults and should be the standard for any organization that has experienced a compromise.
- Disable legacy authentication (IMAP, POP3, SMTP basic auth) tenant-wide. These protocols do not support MFA and are a common entry point for credential-based attacks.
- Deploy anti-phishing policies in Microsoft Defender for Office 365 to detect impersonation attempts and block malicious attachments and links before they reach inboxes.
- Deploy Huntress across all endpoints and identities. Huntress provides 24/7 SOC monitoring with human threat hunters, identity threat detection (ITDR), and SIEM. This ensures that if credentials are compromised again, the suspicious sign-in activity is caught and responded to by a human analyst before the attacker can act.
- Train employees on recognizing phishing and BEC tactics. Huntress also provides security awareness training with phishing simulations to measure and improve your team's ability to spot these attacks.
- Implement email authentication (SPF, DKIM, DMARC) to prevent domain spoofing
Timeline Summary
| Time Frame | Action |
|---|---|
| First 15 minutes | Reset password, revoke sessions, disable account if needed |
| First hour | Check inbox rules, forwarding, OAuth consents, MFA methods |
| First 4 hours | Review sign-in and audit logs, assess data exposure |
| First 24 hours | Notify internal stakeholders, affected clients, and vendors |
| First 48 hours | Contact bank for wire recalls, file IC3 report if needed |
| First week | Harden environment, enable MFA, deploy anti-phishing policies |
| Ongoing | Employee training, regular access reviews, phishing simulations |
When to Call for Help
If your organization does not have in-house security expertise, do not try to handle a BEC incident alone. The financial and legal risks are significant.
Athencia provides incident response support for business email compromise. We handle containment, investigation, remediation, and hardening so you can focus on running your business. Reach out to us if you need assistance.