Business Email Compromise: The Investigation Flow That Catches Wire Fraud Before It Settles
Cybersecurity
BEC is the cheap, profitable, low-skill incident that drains millions from finance teams every month. We cover the investigation flow from mailbox rule analysis to OAuth review to the legal-and-insurance steps the wire-fraud variant requires.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 26, 2024 · 8 min read
BEC is unglamorous and devastatingly effective. No malware, no zero-day, no infrastructure beyond a stolen session. The attacker logs in as a finance lead, reads pending invoices, replies from the real account with new banking details, and the wire goes to the wrong place. The investigation is straightforward when you know what to pull.
Initial signals
The signals are usually a phone call from the supplier asking why the wire is late, an unusual mailbox rule discovered during a routine review, or an MFA fatigue alert from a finance user. By the time finance calls, the wire has often left. Speed matters. The first action is to engage the bank, not to start forensics. Bank fraud recovery has a window measured in hours.
Mailbox rule analysis
Mailbox rules are how BEC attackers hide the conversation. They create rules that move messages from the supplier or from internal accounting to RSS Feeds, Conversation History, or a folder named with a single character. The user does not see the messages, the attacker handles them, the conversation continues. Pull every inbox rule for the affected user with Get-InboxRule in Exchange Online, or the equivalent in Workspace. Look for rules created in the last 90 days that move based on sender, subject, or keyword.
- Inbox rules sorted by creation date; look for anything created since the suspected compromise
- Forwarding addresses set on the mailbox (the ForwardingAddress and ForwardingSmtpAddress values, set with Set-Mailbox -ForwardingAddress and read back with Get-Mailbox)
- Delegate access granted to any other account, especially external
- Folder-level permissions that allow another account to read mail directly
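The rule review above is mechanical enough to script. The following is an added example, not code from the author or from BIPI: it triages a rule export for the hiding patterns the text describes (moves into RSS Feeds, Conversation History or one-character folders, finance keywords, external forwarding, deletion). It assumes the rules were exported with Get-InboxRule piped to ConvertTo-Json and loaded as a list of dicts; the property names (MoveToFolder, SubjectContainsWords, ForwardTo, RedirectTo, DeleteMessage, MarkAsRead) are the cmdlet's own, but the sample export is constructed. Note that Get-InboxRule does not report when a rule was created, so the creation-date sort in the checklist comes from the audit log's New-InboxRule events, which this script does not need.

```python
"""Triage exported Exchange Online inbox rules for BEC hiding patterns.

Assumed input: Get-InboxRule -Mailbox <user> | ConvertTo-Json -Depth 3,
loaded as a list of dicts. SAMPLE_RULES_JSON is constructed for this
example, not a real export.
"""
import json
import re

# Folders attackers pick because users never open them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive", "notes"}
# Keywords that mean the rule is selecting payment conversations.
FINANCE_KEYWORDS = {"invoice", "wire", "payment", "remittance", "bank", "ach", "swift", "iban"}
# Get-InboxRule prints recipients as 'Display Name [SMTP:addr]'; pull the address out.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

SAMPLE_RULES_JSON = r"""
[
  {"Name": "Invoices to RSS", "Enabled": true, "MoveToFolder": "Finance Lead:\\RSS Feeds",
   "SubjectContainsWords": ["invoice", "wire"], "FromAddressContainsWords": [],
   "ForwardTo": [], "RedirectTo": [], "DeleteMessage": false, "MarkAsRead": true},
  {"Name": ".", "Enabled": true, "MoveToFolder": "Finance Lead:\\.",
   "SubjectContainsWords": [], "FromAddressContainsWords": ["acme-supplier.example"],
   "ForwardTo": [], "RedirectTo": [], "DeleteMessage": false, "MarkAsRead": true},
  {"Name": "Newsletter cleanup", "Enabled": true, "MoveToFolder": "Finance Lead:\\Newsletters",
   "SubjectContainsWords": ["newsletter"], "FromAddressContainsWords": [],
   "ForwardTo": [], "RedirectTo": [], "DeleteMessage": false, "MarkAsRead": false},
  {"Name": "fwd", "Enabled": true, "MoveToFolder": null,
   "SubjectContainsWords": [], "FromAddressContainsWords": [],
   "ForwardTo": ["attacker [SMTP:attacker@mail.example]"], "RedirectTo": [],
   "DeleteMessage": true, "MarkAsRead": false}
]
"""


def leaf_folder(move_to):
    """MoveToFolder is printed as 'Mailbox:\\Parent\\Child'; return the last component."""
    if not move_to:
        return ""
    return move_to.split(":", 1)[-1].split("\\")[-1].strip()


def triage_rule(rule, internal_domains):
    """Return human-readable findings for one rule; an empty list means nothing suspicious."""
    findings = []
    if not rule.get("Enabled", True):
        return findings
    leaf = leaf_folder(rule.get("MoveToFolder"))
    if leaf.lower() in HIDING_FOLDERS:
        findings.append(f"moves mail to hiding folder '{leaf}'")
    elif 0 < len(leaf) <= 2:
        findings.append(f"moves mail to a folder named '{leaf}' (near-empty name)")
    words = {w.lower() for w in (rule.get("SubjectContainsWords") or [])
             + (rule.get("BodyContainsWords") or [])}
    hits = sorted(FINANCE_KEYWORDS & words)
    if hits:
        findings.append(f"selects on finance keywords {hits}")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for entry in rule.get(key) or []:
            for addr in EMAIL_RE.findall(entry):
                if addr.rsplit("@", 1)[1].lower() not in internal_domains:
                    findings.append(f"{key} external address {addr}")
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages")
    if rule.get("MarkAsRead") and findings:
        findings.append("marks mail as read so the unread count never changes")
    return findings


def triage_rules(rules, internal_domains):
    """Map rule name -> findings for every rule with at least one finding."""
    return {r["Name"]: f for r in rules if (f := triage_rule(r, internal_domains))}


def demo():
    return triage_rules(json.loads(SAMPLE_RULES_JSON), {"corp.example"})


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"[!] rule {name!r}:")
        for finding in findings:
            print("     -", finding)
```

Run it against a real export by replacing SAMPLE_RULES_JSON with the file contents and the internal-domain set with your own; the benign newsletter rule in the sample produces no finding, the other three do.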
Sign-in and MFA log review
Pull every sign-in for the user across 90 days, with IP, user-agent, MFA result, and authentication method. The compromise event is usually visible as a sign-in from a new country, often using a residential proxy. Look at the MFA prompts during the suspect window: how many were sent, how many were approved, how many were denied. The AiTM-style attack often shows a single successful MFA followed by token reuse from a new location. The classic fatigue attack shows dozens of prompts and one accidental approval.
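The three shapes described above (new country, fatigue burst, single MFA then token reuse) can each be expressed as a check over the sign-in export. The code below is an added example, not the author's tooling. The flat record shape (time, ip, country, result, mfa) is an assumption; map your own export's columns onto it. The sample sign-ins are constructed and deliberately chain a fatigue burst into token reuse so that both detectors fire on one user; the token-reuse check looks only for the shape the text gives (one MFA-satisfied sign-in, then MFA-free sessions from a country outside the baseline) and does not care whether the approval came from AiTM or from fatigue.

```python
"""Classify a finance user's sign-ins into the BEC patterns described above.

Record shape is assumed: time (ISO 8601 with offset), ip, country,
result ('success'/'failure'), mfa ('approved'/'denied'/'timeout'/'not_required').
SAMPLE_SIGNINS is constructed for this example.
"""
from datetime import datetime, timedelta

SAMPLE_SIGNINS = [
    # Baseline: the user's normal pattern, office and home in one country.
    {"time": "2024-03-04T09:01:00+00:00", "ip": "192.0.2.10", "country": "US", "result": "success", "mfa": "approved"},
    {"time": "2024-03-05T09:03:00+00:00", "ip": "192.0.2.10", "country": "US", "result": "success", "mfa": "not_required"},
    {"time": "2024-03-06T18:20:00+00:00", "ip": "192.0.2.77", "country": "US", "result": "success", "mfa": "not_required"},
    # Suspect window: password already known, prompts hammered from a proxy until one is approved.
    {"time": "2024-03-11T07:40:00+00:00", "ip": "203.0.113.10", "country": "NL", "result": "failure", "mfa": "denied"},
    {"time": "2024-03-11T07:43:00+00:00", "ip": "203.0.113.10", "country": "NL", "result": "failure", "mfa": "denied"},
    {"time": "2024-03-11T07:46:00+00:00", "ip": "203.0.113.10", "country": "NL", "result": "failure", "mfa": "timeout"},
    {"time": "2024-03-11T07:49:00+00:00", "ip": "203.0.113.10", "country": "NL", "result": "failure", "mfa": "denied"},
    {"time": "2024-03-11T07:52:00+00:00", "ip": "203.0.113.10", "country": "NL", "result": "failure", "mfa": "denied"},
    {"time": "2024-03-11T07:55:00+00:00", "ip": "203.0.113.10", "country": "NL", "result": "success", "mfa": "approved"},
    # The resulting session token is then replayed from elsewhere with no MFA at all.
    {"time": "2024-03-11T08:30:00+00:00", "ip": "198.51.100.7", "country": "NG", "result": "success", "mfa": "not_required"},
    {"time": "2024-03-11T13:05:00+00:00", "ip": "198.51.100.7", "country": "NG", "result": "success", "mfa": "not_required"},
]


def load(records):
    """Parse timestamps and sort chronologically."""
    rows = [{**r, "ts": datetime.fromisoformat(r["time"])} for r in records]
    return sorted(rows, key=lambda r: r["ts"])


def baseline_countries(rows, baseline_end):
    """Countries the user successfully signed in from before the suspect window."""
    return {r["country"] for r in rows if r["result"] == "success" and r["ts"] < baseline_end}


def new_country_signins(rows, baseline_end):
    known = baseline_countries(rows, baseline_end)
    return [r for r in rows if r["ts"] >= baseline_end and r["country"] not in known]


def mfa_fatigue_bursts(rows, window=timedelta(minutes=15), min_prompts=5):
    """Bursts of MFA prompts inside one window with at most one approval: the fatigue signature."""
    prompts = [r for r in rows if r["mfa"] in ("approved", "denied", "timeout")]
    bursts, i = [], 0
    while i < len(prompts):
        burst = [r for r in prompts[i:] if r["ts"] - prompts[i]["ts"] <= window]
        approvals = sum(r["mfa"] == "approved" for r in burst)
        if len(burst) >= min_prompts and approvals <= 1:
            bursts.append({"start": prompts[i]["ts"], "prompts": len(burst),
                           "approvals": approvals, "ips": sorted({r["ip"] for r in burst})})
            i += len(burst)          # do not report the same burst twice
        else:
            i += 1
    return bursts


def token_reuse(rows, baseline_end, max_gap=timedelta(hours=24)):
    """One MFA-satisfied sign-in, then MFA-free successes from an unknown country: the token is being replayed."""
    known = baseline_countries(rows, baseline_end)
    findings = []
    for anchor in (r for r in rows if r["result"] == "success" and r["mfa"] == "approved"):
        for later in rows:
            if (later["result"] == "success" and later["mfa"] == "not_required"
                    and anchor["ts"] < later["ts"] <= anchor["ts"] + max_gap
                    and later["country"] not in known):
                findings.append({"mfa_at": anchor["ts"], "mfa_ip": anchor["ip"],
                                 "reuse_at": later["ts"], "reuse_ip": later["ip"],
                                 "reuse_country": later["country"]})
    return findings


def investigate(records=SAMPLE_SIGNINS, baseline_end="2024-03-11T00:00:00+00:00"):
    rows = load(records)
    cutoff = datetime.fromisoformat(baseline_end)
    return {
        "new_countries": sorted({r["country"] for r in new_country_signins(rows, cutoff)}),
        "fatigue_bursts": mfa_fatigue_bursts(rows),
        "token_reuse": token_reuse(rows, cutoff),
    }


if __name__ == "__main__":
    for key, value in investigate().items():
        print(key, value)
```

The baseline cutoff is the one judgement call: set it to the earliest plausible compromise time, since anything after it is by definition not known-good. Thresholds (15 minutes, 5 prompts, 24 hours) are starting points, not tuned values.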
OAuth and connected apps
After session theft, attackers often consent to a malicious OAuth app on the user's behalf so that their access survives a password reset. Review every OAuth grant the user has approved, especially within the suspect window. Mail.Read, Mail.Send, and Mail.ReadWrite are the permissions to watch for. In Workspace, the OAuth tokens audit log shows every grant with timestamp and IP. Revoke anything you do not recognize, and document the revocation in the incident timeline. Containment for the account then covers:
- Disable the compromised account to halt active sessions
- Revoke all refresh tokens (Revoke-AzureADUserAllRefreshToken or Workspace equivalent)
- Delete all malicious inbox rules and forwarding entries
- Revoke OAuth grants for any unrecognized application
- Reset password and force MFA re-enrollment from a clean device
- Review every email sent from the account during the suspect window
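For the OAuth review above, the following is an added example (not the author's or BIPI's code) that flags grants by the criteria the text gives and emits the timeline entry each revocation needs. The flat grant shape (app, client_id, scopes, consented_at, ip) is an assumption; a Microsoft Graph OAuth2PermissionGrant or a Workspace OAuth token audit row carries the same information under other field names. Scope names follow Microsoft Graph; offline_access is included because a refresh token is what lets the grant outlive a password reset. The grants, the allow-list and the analyst name are constructed placeholders.

```python
"""Review a user's OAuth consent grants for BEC persistence and log revocations.

Grant shape is assumed (app, client_id, scopes, consented_at, ip).
SAMPLE_GRANTS, APPROVED_APPS and the analyst name are constructed placeholders.
"""
from datetime import datetime

MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
REFRESH_REASON = "offline_access (refresh token survives a password reset)"

SAMPLE_GRANTS = [
    {"app": "Expense Portal", "client_id": "app-id-placeholder-1",
     "scopes": "User.Read Files.Read", "consented_at": "2023-09-14T10:12:00+00:00", "ip": "192.0.2.10"},
    {"app": "Mail Sync Helper", "client_id": "app-id-placeholder-2",
     "scopes": "Mail.ReadWrite Mail.Send offline_access", "consented_at": "2024-03-11T08:41:00+00:00", "ip": "198.51.100.7"},
    {"app": "Calendar Bridge", "client_id": "app-id-placeholder-3",
     "scopes": "Calendars.Read offline_access", "consented_at": "2024-01-20T15:00:00+00:00", "ip": "192.0.2.77"},
]
# The tenant's allow-list of application ids that have been through owner approval (constructed).
APPROVED_APPS = {"app-id-placeholder-1", "app-id-placeholder-3"}


def review_grants(grants, window_start, window_end, approved_apps):
    """Return the grants that need a human decision, each with the reasons it was flagged."""
    start, end = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    flagged = []
    for g in grants:
        scopes = set(g["scopes"].split())
        reasons = []
        if g["client_id"] not in approved_apps:
            reasons.append("app not on the tenant allow-list")
        if scopes & MAIL_SCOPES:
            reasons.append(f"mailbox scopes {sorted(scopes & MAIL_SCOPES)}")
        if "offline_access" in scopes:
            reasons.append(REFRESH_REASON)
        if start <= datetime.fromisoformat(g["consented_at"]) <= end:
            reasons.append("consented inside the suspect window")
        # A known app holding only a refresh token is routine; anything more gets a look.
        if reasons and reasons != [REFRESH_REASON]:
            flagged.append({**g, "reasons": reasons})
    return flagged


def revocation_entry(grant, revoked_at, analyst):
    """One incident-timeline line per revocation, as the text requires."""
    return (f"{revoked_at} | OAuth grant revoked | app={grant['app']} client_id={grant['client_id']} "
            f"scopes={grant['scopes']} consented_at={grant['consented_at']} from {grant['ip']} "
            f"| by {analyst} | reasons: {'; '.join(grant['reasons'])}")


def demo():
    flagged = review_grants(SAMPLE_GRANTS, "2024-03-11T07:00:00+00:00",
                            "2024-03-12T00:00:00+00:00", APPROVED_APPS)
    timeline = [revocation_entry(g, "2024-03-12T09:15:00+00:00", "analyst-placeholder") for g in flagged]
    return flagged, timeline


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The allow-list check is the one that scales: the quarterly OAuth review in the post-incident list is exactly this function run over every user's grants with an empty suspect window.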
The wire-fraud variant: legal and insurance
If money moved, the incident is no longer just a security incident. It is a financial crime. Notify counsel before issuing public statements. File a complaint with IC3 (the FBI's Internet Crime Complaint Center) the same day. Engage cyber insurance under the social engineering coverage if you have it, and crime coverage if you do not. The two policies differ in what they cover, and most policies have a sub-limit for social engineering loss that is well below the cyber policy limit. Read the policy before the incident, not during.
Scope: who else got the same email
BEC rarely targets one person. The same phishing infrastructure usually targets a whole finance department. Pull the message trace for inbound mail from the phishing sender, identify everyone who received it, and identify everyone who clicked. The clicks reveal additional accounts at risk. Then pull sign-ins for those accounts. The investigation expands, and so does the response.
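The scoping procedure above is a three-way join: message trace to recipients, recipients to clickers, clickers to their sign-ins. As an added example (not the author's tooling), the code below performs that join and sorts the result into accounts to contain now versus accounts to watch. The three record shapes are assumed flattenings of a message trace, a URL-click log and a sign-in log; the sender, host, users and events are all constructed.

```python
"""Expand BEC scope from one victim to everyone the phishing campaign reached.

Input shapes are assumed flattenings of a message trace, a URL-click log
and a sign-in log. All sample rows, addresses and hostnames are constructed.
"""
from datetime import datetime
from urllib.parse import urlparse

PHISH_SENDER = "ap-notice@acme-supplier-invoices.example"   # constructed
PHISH_HOST = "acme-supplier-invoices.example"                # constructed

MESSAGE_TRACE = [
    {"sender": PHISH_SENDER, "recipient": "alice@corp.example", "received": "2024-03-10T16:02:00+00:00"},
    {"sender": PHISH_SENDER, "recipient": "bob@corp.example", "received": "2024-03-10T16:02:00+00:00"},
    {"sender": PHISH_SENDER, "recipient": "carol@corp.example", "received": "2024-03-10T16:03:00+00:00"},
    {"sender": "news@vendor.example", "recipient": "dave@corp.example", "received": "2024-03-10T16:10:00+00:00"},
]
URL_CLICKS = [
    {"user": "alice@corp.example", "url": "https://acme-supplier-invoices.example/view", "time": "2024-03-10T16:20:00+00:00"},
    {"user": "carol@corp.example", "url": "https://acme-supplier-invoices.example/view", "time": "2024-03-11T07:35:00+00:00"},
    {"user": "bob@corp.example", "url": "https://intranet.corp.example/", "time": "2024-03-10T16:25:00+00:00"},
]
SIGNINS = [
    {"user": "alice@corp.example", "country": "US", "time": "2024-03-10T09:00:00+00:00"},
    {"user": "alice@corp.example", "country": "NL", "time": "2024-03-11T07:55:00+00:00"},
    {"user": "carol@corp.example", "country": "US", "time": "2024-03-10T09:05:00+00:00"},
    {"user": "carol@corp.example", "country": "US", "time": "2024-03-11T08:00:00+00:00"},
    {"user": "bob@corp.example", "country": "US", "time": "2024-03-11T08:10:00+00:00"},
]


def recipients_of(trace, sender):
    """Everyone the phishing sender reached, from the inbound message trace."""
    return sorted({row["recipient"] for row in trace if row["sender"].lower() == sender.lower()})


def clickers(clicks, users, host):
    """Map user -> earliest click on the phishing host, restricted to known recipients."""
    earliest = {}
    for c in clicks:
        if c["user"] in users and urlparse(c["url"]).hostname == host:
            t = datetime.fromisoformat(c["time"])
            earliest[c["user"]] = min(earliest.get(c["user"], t), t)
    return earliest


def risky_signins(signins, clicked, baseline_countries):
    """Sign-ins from outside the baseline countries, after the user's click."""
    out = {}
    for s in signins:
        clicked_at = clicked.get(s["user"])
        if clicked_at and datetime.fromisoformat(s["time"]) >= clicked_at \
                and s["country"] not in baseline_countries:
            out.setdefault(s["user"], []).append(s)
    return out


def expand_scope(trace=MESSAGE_TRACE, clicks=URL_CLICKS, signins=SIGNINS,
                 sender=PHISH_SENDER, host=PHISH_HOST, baseline_countries=frozenset({"US"})):
    received = recipients_of(trace, sender)
    clicked = clickers(clicks, set(received), host)
    risky = risky_signins(signins, clicked, baseline_countries)
    return {
        "received": received,
        "clicked": sorted(clicked),
        "contain_now": sorted(risky),                      # clicked and then signed in from somewhere new
        "watch": sorted(set(clicked) - set(risky)),        # clicked, no bad sign-in yet: reset and monitor
    }


if __name__ == "__main__":
    for key, value in expand_scope().items():
        print(key, value)
```

In the constructed data, three people received the lure, two clicked it, and only one of those has a sign-in from a new country afterwards; that account goes through the containment list first, the other clicker gets a reset and watch.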
What the post-incident review should change
- Mandatory call-back verification for any bank detail change, no exceptions, no email-only approvals
- Phishing-resistant MFA (FIDO2 hardware keys) for finance, accounts payable, and any signing authority
- Email banner that flags external senders, especially those spoofing internal display names
- Quarterly review of OAuth grants in the tenant, with anything new flagged for owner approval
- Tabletop the wire-fraud scenario annually with finance, legal, and the bank relationship manager
BEC is the incident type with the fewest technical surprises and the most procedural failures. The fix is process, not tooling.