
24/7 Business Email Compromise Incident Response


Business Email Compromise Incident Response

24/7 Emergency Hotline for Business Email Compromise incident response: 1 (833) 562-5273

If a mailbox is compromised: the first hour matters. Attackers often create hidden inbox rules, add forwarding, or register OAuth apps that keep access alive even after a password reset. If you need help, Lockard Security can move fast to contain access, preserve evidence, and stop fraud attempts. Call 1 (833) 562-5273 or request help.

Business Email Compromise incident response is the structured process of stopping an attacker’s access to email and identity systems, investigating what they did, determining financial and data exposure risk, and preventing repeat fraud. BEC most commonly impacts Microsoft 365 (M365), Exchange Online, Entra ID (Azure AD), and Google Workspace, but it can also involve on-prem Exchange, third-party mail gateways, and vendor mail systems. Your priorities should be: contain, investigate, eradicate, and recover, in that order.

  • BEC is usually not malware: many cases involve credential theft, session tokens, or OAuth consent, so EDR may show nothing.
  • Password reset alone often fails: sessions, OAuth apps, forwarding rules, and delegated access can keep attackers in the loop.
  • Fraud can occur days to weeks later: attackers commonly monitor real invoices and insert themselves at the perfect time.

What Business Email Compromise Is

Business Email Compromise (BEC) is a financially motivated attack where an adversary abuses email and identity access to manipulate payments, steal sensitive information, or impersonate trusted employees and vendors. BEC commonly includes account takeover, inbox monitoring, and workflow manipulation rather than obvious malware.

BEC is an identity incident

Most BEC cases live in identity and email telemetry, not in endpoint malware alerts. That means M365 audit logs, Entra ID sign-in logs, and Google Workspace investigation tools are often the most valuable sources of truth.

BEC is a trust and process attack

Attackers study invoice cycles, approval chains, vendor relationships, and executive communication styles. Then they exploit those workflows using impersonation, urgency, and social engineering.

Authoritative reference: CISA provides practical guidance on BEC prevention and response. See CISA Business Email Compromise.

How BEC Happens In M365 And Google Workspace

While every incident differs, most BEC intrusions follow a repeatable pattern. In Microsoft 365 and Google Workspace, the attacker’s goal is to gain reliable access to a mailbox, then remain hidden long enough to monetize.

Step 1: Initial access

Most commonly phishing, credential reuse, OAuth consent abuse, or social engineering of MFA prompts. In some environments, attackers also leverage weak legacy authentication, exposed IMAP/POP, or compromised vendor credentials.

Step 2: Persistence and stealth

Inbox rules, auto-forwarding, mailbox delegation, OAuth app registrations, and session token retention. These are the reasons BEC often survives a basic password reset.

Step 3: Reconnaissance

Reading current threads, searching for invoices, gathering contact lists, learning approval language, and identifying high-value targets such as CFO, AP, payroll, and executive assistants.

Step 4: Monetization

Payment redirection, payroll diversion, gift card scams, sensitive data theft, and vendor impersonation. Attackers often wait for a legitimate invoice event and then insert their instructions.

Key concept: BEC is frequently the final stage of an access problem. If you stop the fraud but do not remove access and persistence, you risk repeat fraud within the same vendor thread.

Common Business Email Compromise Timelines

BEC timelines vary widely, but the most costly cases often involve quiet monitoring before the attacker makes a move. Understanding timeline phases helps you decide what to review first during investigation.

Day 0 to Day 2: Access and setup

Account takeover, new sign-in locations, MFA prompt abuse, OAuth consent, inbox rules, forwarding, or delegated access changes.

Day 2 to Day 14: Monitoring and learning

The attacker reads invoice threads, identifies vendors, and learns internal language and payment approval workflows.

Week 2 to Week 6: Fraud execution

Payment diversion attempts often occur when a real invoice or contract milestone hits. Messages may be timed to maximize urgency.

After fraud: Repeat attempts if access persists

Without full remediation, attackers can re-enter threads, target additional vendors, or pivot to other identities using harvested contacts.

This is why BEC incident response should include both immediate containment and careful review of mail rules, OAuth apps, sign-in sessions, and mailbox activity.

High-Signal Indicators And IOCs For BEC Incident Response

The most reliable indicators of BEC are often configuration and behavior changes, not malware signatures. Use this as a practical checklist. If you have a suspected compromise, Lockard Security can help validate scope quickly and confirm where access exists.

Identity and access indicators (M365 and Entra ID, Google Workspace)

  • New sign-ins from unusual locations, unusual devices, or impossible travel patterns
  • Unexpected MFA device registrations or changes to authentication methods
  • Conditional Access changes, security defaults disabled, or MFA policies weakened
  • New OAuth app consent or new enterprise application permissions that do not match business needs
  • Service account or shared mailbox interactive sign-ins that should never occur

Mailbox indicators (Exchange Online, Gmail)

  • New inbox rules that move mail to RSS, Archive, Deleted Items, or obscure folders
  • Auto-forwarding to external addresses or hidden forwarding configurations
  • Deleted sent items or suspicious use of mailbox delegation and Send As permissions
  • Search patterns focused on invoices, wire, bank, payment, ACH, payroll, or legal terms
  • Changes to signatures, reply-to addresses, or display name manipulation
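As an added example (not Lockard Security's tooling or code from this page), the Python below walks constructed Microsoft 365 Unified Audit Log-style records and flags the mailbox persistence patterns listed above: inbox rules that park mail in RSS, Archive, or Deleted Items, rules keyed on invoice or payment terms, oddly named rules, and forwarding to an external domain. The record shape, the tenant domain, and the sample values are assumptions; real exports carry many more fields.

```python
# Constructed sample records shaped like M365 Unified Audit Log entries (Operation, UserId, Name/Value Parameters); the shape is assumed.
SAMPLE_AUDIT_LOG = [
    {"CreationTime": "2024-05-01T08:12:03Z", "UserId": "ap@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"CreationTime": "2024-05-01T08:14:40Z", "UserId": "ap@example.com", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:ap.backup@mail.example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2024-05-01T09:00:00Z", "UserId": "hr@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
INTERNAL_DOMAINS = {"example.com"}  # assumed tenant domains; anything else counts as external
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items", "junk email"}
FRAUD_KEYWORDS = {"invoice", "wire", "bank", "payment", "ach", "payroll", "legal"}
def params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
def is_external(address):
    """True when the recipient domain is not ours; tolerates the 'smtp:' prefix."""
    addr = address.lower()
    addr = addr[5:] if addr.startswith("smtp:") else addr
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS
def score_record(record):
    """Return the reasons this record matches a BEC persistence pattern (empty if benign)."""
    p, reasons = params(record), []
    if record["Operation"] in ("New-InboxRule", "Set-InboxRule"):
        if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
            reasons.append("rule hides mail in folder '%s'" % p["MoveToFolder"])
        words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w}
        if words & FRAUD_KEYWORDS:
            reasons.append("rule keys on fraud terms %s" % sorted(words & FRAUD_KEYWORDS))
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            if key in p and is_external(p[key]):
                reasons.append("rule forwards externally via %s" % key)
        if p.get("Name", "").strip(" .") == "":
            reasons.append("rule has an empty or dot-only name, a common hiding trick")
    elif record["Operation"] == "Set-Mailbox":
        fwd = p.get("ForwardingSmtpAddress") or p.get("ForwardingAddress")
        if fwd and is_external(fwd):
            reasons.append("mailbox forwards externally to %s" % fwd)
    return reasons

def triage(records):
    """Map each identity to every persistence reason found in its records."""
    out = {}
    for r in records:
        for reason in score_record(r):
            out.setdefault(r["UserId"], []).append(reason)
    return out
```

Run `triage(SAMPLE_AUDIT_LOG)` to see the AP mailbox surface with four findings while the HR newsletter rule stays quiet; in a real case, feed it the exported audit records for the suspected identities.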

Financial and workflow indicators

  • Urgent payment instructions, bank detail changes, or new payment destinations
  • Vendor requests to bypass normal approval or to use a different email address
  • Invoice PDFs that appear valid but include updated remittance information
  • Out-of-band confirmation resistance, pressure language, or secrecy requests

Fastest triage package: preserve the suspicious email, headers, timeline of events, and any sign-in alerts. For M365, export sign-in logs and audit logs if available. For Google Workspace, preserve investigation results and email logs.

Common BEC Fraud Scenarios

BEC is not one tactic. Most incidents fall into a few repeatable fraud categories. Understanding the scenario helps you decide what to contain and who to notify.

Invoice and wire diversion

Attackers impersonate a vendor or a trusted employee and request updated bank details. They often strike mid-thread with realistic context.

Payroll diversion

HR or payroll teams receive urgent requests to update direct deposit details. This often targets employees who are new or less likely to notice.

Executive impersonation

Impersonation of CEO, CFO, or an executive assistant to push urgent payments, gift cards, or sensitive data requests.

Vendor onboarding manipulation

Attackers target procurement and vendor onboarding. They insert themselves into workflows to become the payment destination.

Data theft and compliance exposure

Some BEC incidents focus on W-2, tax, legal, or customer data. This can trigger notification and regulatory obligations.

Conversation hijacking

Attackers reply from a real mailbox inside an existing thread. These are highly convincing attacks because the thread context is real.

Our Business Email Compromise Incident Response Approach

Lockard Security follows a structured BEC incident response process aligned with NIST 800-61. We focus on rapid containment, accurate identity and mailbox forensics, and controlled remediation that prevents repeat fraud. We preserve evidence needed for cyber insurance, legal counsel, and internal reporting.

1) Immediate containment

Revoke sessions, reset credentials correctly, remove attacker persistence, block forwarding, and isolate compromised identities. We also coordinate financial controls when fraud is suspected.

2) Identity and mailbox forensics

Analyze M365 and Entra ID sign-ins, audit logs, Exchange mailbox activity, and Google Workspace investigation data to determine scope and timeline.

3) Fraud scoping and recovery actions

Identify which vendors, invoices, payroll entries, or approvals were impacted. Assist with notifications, bank actions, and documentation for insurance workflows.

4) Threat removal and cleanup

Remove inbox rules, external forwarding, OAuth apps, suspicious delegations, and unauthorized admin changes. Confirm that access is fully removed and cannot persist.

5) Hardening and prevention

Implement practical controls across M365, Entra ID, and Google Workspace to prevent repeat compromise and to reduce the chance of vendor thread hijacking.

6) Reporting and executive readiness

Provide clear findings, timeline, and actionable recommendations. We also help build repeatable response playbooks so teams act decisively next time.

When you call us: we can guide containment immediately while we gather the evidence needed to confirm scope. If you suspect funds were sent, do not delay. Call 1 (833) 562-5273.

What Not To Do During A BEC Incident

Well-intentioned actions can destroy evidence or leave persistence in place. These are common mistakes that increase risk during business email compromise incident response.

  • Do not rely on a password reset alone. Sessions, tokens, OAuth apps, and forwarding rules can maintain access.
  • Do not delete mailboxes or purge threads immediately. Preserve evidence for scoping, recovery actions, and insurance or legal needs.
  • Do not continue communicating in the compromised thread. Move to a clean out-of-band channel for confirmation.
  • Do not disable logging mid-incident. Keep audit and sign-in logs available and export what you can.
  • Do not change payment details without verification. Always confirm via a known phone number or validated vendor portal.

Simple rule: preserve first, contain second, remediate third. If you do this out of order, the attacker can persist or you can lose the timeline.

Hardening Checklist And Best Practices For BEC Prevention

BEC prevention is a layered approach across identity, email controls, and financial workflows. The checklist below focuses on controls that consistently reduce risk.

Microsoft 365 and Entra ID hardening

  • Enforce MFA for all users and require phishing-resistant MFA for privileged accounts where possible
  • Enable and monitor Conditional Access policies for risky sign-ins and new device enrollment
  • Disable legacy authentication protocols and restrict IMAP/POP where not required
  • Alert on new OAuth app consent and restrict user consent where feasible
  • Monitor and alert on mailbox forwarding, inbox rules, and delegation changes

Google Workspace hardening

  • Enforce MFA and review authentication methods and recovery settings
  • Monitor logins, suspicious sign-in events, and admin console changes
  • Restrict third-party app access and review OAuth scopes regularly
  • Alert on forwarding changes, filters, and mailbox rule updates
  • Use investigation tools to review message routing and suspicious activity

Financial workflow safeguards

  • Require out-of-band verification for bank detail changes using a known and validated contact method
  • Implement dual approval for vendor remittance changes and high-value payments
  • Train AP and payroll teams on conversation hijacking and invoice manipulation indicators
  • Use vendor portals and signed change requests where possible

If you want a practical plan, Lockard Security can turn this checklist into a prioritized roadmap based on your current M365 or Google Workspace configuration, staffing, and business workflows.

Tabletop Exercises And BEC Simulation Training

Tabletop exercises reduce confusion and speed up decision-making when a real BEC incident occurs. A good BEC tabletop covers technical containment steps, finance coordination, legal and insurance escalation, and internal and external communications.

What a strong BEC tabletop validates

Who can revoke sessions, who can disable forwarding, who contacts banks, who manages executive comms, and what evidence must be preserved.

Why organizations benefit

Faster containment, lower fraud losses, clearer escalation, better insurance documentation, and fewer repeat incidents.

Lockard Security can facilitate a BEC tabletop exercise or help you build a repeatable playbook for Microsoft 365, Entra ID, and Google Workspace response actions.

Business Email Compromise Incident Response FAQ

How do we know if a mailbox is still compromised?

You confirm by reviewing sign-in logs, session status, mailbox rules, forwarding, OAuth app access, and delegation changes. A password reset alone does not confirm removal. We validate access removal using identity and email telemetry, then re-check after remediation.

What should we preserve for investigation?

Preserve suspicious emails and headers, sign-in logs, audit logs, mailbox rules, forwarding settings, OAuth application details, and key timestamps. If fraud is involved, preserve payment instructions, bank account changes, and communications with vendors and finance teams.

Should we notify vendors or customers?

It depends on scope and whether the attacker used your identity to target others. Our role is to help you confirm impact, contain the attack, and support decision-making with leadership and counsel based on evidence.

How fast can Lockard Security help?

If you have active compromise indicators or suspected fraud, call the hotline. We can triage immediately and guide containment while we start evidence collection.

24/7 Business Email Compromise Incident Response Help

If your organization is dealing with business email compromise, suspected mailbox takeover, invoice fraud, payroll diversion, or vendor impersonation, contact us immediately. Fast containment often reduces fraud loss and prevents repeat compromise.

If you are still in the suspicious stage, we can help validate whether you are seeing pre-fraud indicators and stop BEC before money moves.