Incident Response Playbook: Business Email Compromise (BEC)

BEC attacks generally fall into three distinct operational scenarios. Analysts must quickly identify which scenario they are investigating.

CEO Fraud (Executive Spoofing)

The threat actor impersonates a high-ranking executive (e.g., CEO, CFO) and orders an employee in the finance department to make an urgent, highly confidential wire transfer.

Email Account Compromise (EAC)

The attacker gains actual control of an employee’s mailbox. They use the legitimate infrastructure to communicate internally or intercept ongoing vendor conversations.

Invoice Fraud (Vendor Compromise)

The attacker impersonates a legitimate supplier and submits a forged invoice or a formal request to update bank routing details to an attacker-controlled account.

2. Phase 1: Initial Triage and The Authentication Pivot

The primary objective of the initial triage is to determine the technical nature of the attack: Is this a case of external domain spoofing, or has an internal account been actively compromised?

  1. Execute Initial Email Triage: Begin by applying the Suspicious Email Analysis Playbook to the reported .eml or .msg sample.
  2. The Authentication Pivot (Critical Step): Header analysis dictates the entire trajectory of the investigation. Locate the Authentication-Results header.
    • Result A: dmarc=fail or softfail.
      • Conclusion: This is an External Spoofing attack. The sender domain was forged, and the attacker does NOT control the internal account.
      • Action: Focus the investigation on blocking the source IP, analyzing any enclosed URLs or payloads, and issuing internal security communications.
    • Result B: dmarc=pass and spf=pass.
      • Conclusion: This is a critical scenario. The email was sent legitimately from the authorized mail server. The primary hypothesis immediately shifts to Email Account Compromise (EAC).
      • Action: Immediately transition to Phase 2 (EAC Investigation).
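A worked version of the Authentication Pivot, added here as an example rather than playbook content: it parses the Authentication-Results header of a reported .eml with Python's standard library and maps the verdicts onto Result A / Result B. The two sample messages, their domains and IP addresses are constructed.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed .eml samples standing in for the reported message (added example,
# not playbook material); domains and IPs are documentation placeholders.
SAMPLE_SPOOF = b"""Authentication-Results: mx.example.com;
 spf=softfail (sender IP is 203.0.113.5) smtp.mailfrom=ceo@example.com;
 dkim=none (message not signed) header.d=none;
 dmarc=fail action=quarantine header.from=example.com
From: "CEO" <ceo@example.com>
Subject: Urgent wire
"""
SAMPLE_EAC = b"""Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=ceo@example.com; dkim=pass header.d=example.com;
 dmarc=pass action=none header.from=example.com
From: "CEO" <ceo@example.com>
Subject: Updated banking details
"""


def parse_auth_results(raw_eml: bytes) -> dict:
    """Return {method: result} for spf/dkim/dmarc, or {} if the header is absent."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    header = msg.get("Authentication-Results")
    if header is None:
        return {}
    results = {}
    # Clauses are 'method=result [comment] [props]' joined by ';'; clause 0 is the authserv-id.
    for clause in str(header).split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.IGNORECASE)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def triage(raw_eml: bytes) -> str:
    """Map the header to the playbook's branches: 'A' spoofing, 'B' suspected EAC."""
    r = parse_auth_results(raw_eml)
    dmarc, spf = r.get("dmarc"), r.get("spf")
    # DMARC itself only reports pass/fail; 'softfail' is an SPF verdict, so an SPF
    # fail/softfail with no DMARC verdict is also treated as Result A (forged sender).
    if dmarc == "fail" or (dmarc is None and spf in ("fail", "softfail")):
        return "A"
    if dmarc == "pass" and spf == "pass":
        return "B"
    return "inconclusive"  # header missing or mixed; fall back to manual header review
```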

3. Phase 2: Email Account Compromise (EAC) Investigation

If the authentication checks pass (Result B), analysts must assume the threat actor possesses valid credentials or session tokens for the sender’s account.

The investigation must pivot to the Identity Provider (IdP) logs to confirm unauthorized access.

  • Review Microsoft Entra ID Sign-in Logs for the suspected compromised account.
  • Hunt for anomalous User-Agents, impossible travel scenarios, or authentications originating from anonymous VPNs/Tor exit nodes.
  • Immediate Containment: If a suspicious session is identified, immediately enforce a password reset and revoke all active session tokens for the compromised user.
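A small hunt over the three sign-in indicators above, added as an example and not part of the playbook: records follow the Microsoft Graph signIn shape (createdDateTime, ipAddress, userAgent, location.geoCoordinates), but the records, the anonymizer IP list and the per-user User-Agent baseline are all constructed stand-ins for a real export and threat feed.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900  # faster than this between two sign-ins = impossible travel
ANONYMIZER_IPS = {"198.51.100.7"}  # constructed stand-in for a Tor/VPN exit-node feed
BASELINE_UA = {"alice@example.com": {"Outlook/16.0"}}  # constructed per-user UA baseline

SIGNINS = [  # constructed Entra ID sign-in records, oldest first
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T08:00:00Z",
     "ipAddress": "203.0.113.10", "userAgent": "Outlook/16.0",
     "location": {"geoCoordinates": {"latitude": 51.5, "longitude": -0.12}}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T09:30:00Z",
     "ipAddress": "198.51.100.7", "userAgent": "python-requests/2.31",
     "location": {"geoCoordinates": {"latitude": 1.35, "longitude": 103.82}}},
]


def haversine_km(a: dict, b: dict) -> float:
    """Great-circle distance in km between two {'latitude','longitude'} dicts."""
    la1, lo1, la2, lo2 = map(radians, (a["latitude"], a["longitude"], b["latitude"], b["longitude"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def _ts(record: dict) -> datetime:
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def hunt(signins: list) -> dict:
    """Return {upn: [indicator, ...]} for sign-ins hitting the playbook's EAC indicators."""
    findings, last = {}, {}  # last: upn -> previous record, for consecutive-sign-in comparison
    for s in signins:
        upn, flags = s["userPrincipalName"], []
        if s["ipAddress"] in ANONYMIZER_IPS:
            flags.append("anonymizer_ip")
        if upn in BASELINE_UA and s["userAgent"] not in BASELINE_UA[upn]:
            flags.append("novel_user_agent")
        prev = last.get(upn)
        if prev is not None:
            hours = max((_ts(s) - _ts(prev)).total_seconds() / 3600, 1e-6)
            km = haversine_km(prev["location"]["geoCoordinates"], s["location"]["geoCoordinates"])
            if km / hours > MAX_PLAUSIBLE_KMH:  # implied speed between the two locations
                flags.append("impossible_travel")
        last[upn] = s
        if flags:
            findings.setdefault(upn, []).extend(flags)
    return findings
```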

B. Mapping Attacker Activity (Unified Audit Log)

Once inside the mailbox, BEC actors typically establish persistence and reconnaissance mechanisms. The Microsoft 365 Unified Audit Log (UAL) is the primary hunting ground.

  • Malicious Inbox Rules: This is the most common BEC TTP. Attackers execute New-InboxRule to:
    • Silently forward a copy of all incoming emails to an external drop address.
    • Automatically delete or move incoming replies containing keywords like “invoice”, “wire”, “fraud”, or “phishing” to the RSS or Archive folder, hiding the attack from the legitimate user.
  • Reconnaissance (MailItemsAccessed): Query the UAL for MailItemsAccessed events to determine if the attacker read sensitive historical emails to learn the company’s billing procedures before striking.

Utilize Exchange Online Message Trace to determine if the compromised account was weaponized to send internal phishing emails to other employees or external partners, propagating the breach.

Leverage the following KQL queries within Microsoft Defender XDR / Sentinel to rapidly identify BEC infrastructure manipulation.

hunt_bec_inbox_rules.kql
// Detect the creation or modification of suspicious inbox rules often used in BEC
CloudAppEvents
| where Application == "Microsoft Exchange Online"
| where ActionType in ("New-InboxRule", "Set-InboxRule")
// Exchange admin audit records carry the cmdlet arguments as a Name/Value array under
// RawEventData.Parameters, not as top-level properties; flatten them into one bag.
| mv-apply Param = RawEventData.Parameters on (
    summarize Params = make_bag(bag_pack(tostring(Param.Name), tostring(Param.Value)))
  )
| extend RuleName = tostring(Params.Name),
         ForwardTo = tostring(Params.ForwardTo),
         RedirectTo = tostring(Params.RedirectTo),
         ForwardAsAttachmentTo = tostring(Params.ForwardAsAttachmentTo),
         DeleteMessage = tostring(Params.DeleteMessage),
         MoveToFolder = tostring(Params.MoveToFolder)
// Keep rules that forward or redirect mail, delete it, or bury it in a folder such as RSS
| where isnotempty(ForwardTo) or isnotempty(RedirectTo) or isnotempty(ForwardAsAttachmentTo)
        or DeleteMessage == "True" or isnotempty(MoveToFolder)
| project Timestamp, AccountDisplayName, AccountObjectId, IPAddress, RuleName,
          ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder
| sort by Timestamp desc
  1. Eradication: Delete all unauthorized inbox rules, remove illegitimate delegate permissions, and purge any internal malicious emails sent by the compromised account using compliance search and destroy features.
  2. Internal Escalation: Immediately alert the Finance and Legal departments. If wire fraud has occurred, financial institutions must be contacted urgently to attempt an asset freeze.
  3. External Communication: If the compromised account was used to contact external partners or vendors, it is crucial to notify them that recent communications may be fraudulent.
  4. Remediation: Document the incident. The ultimate remediation for 99% of BEC attacks is the strict, organization-wide enforcement of Multi-Factor Authentication (MFA) and disabling legacy authentication protocols.