Mastering Immunity: From Vulnerable to Resilient, Transforming Your Organization's Defense Against Business Email Compromise Schemes in 90 Days

By Jonathan D. Steele | April 17, 2026

Under Attack? A Step-by-Step Business Email Compromise Response Plan

Whether you are an SMB without a dedicated security operations center or a mid-market firm strengthening existing controls, this framework translates directly into action.

Incident Response Framework

Based on the NIST SP 800-61 incident response lifecycle:
  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

Phase 1: Preparation (Before the Incident)

  • Incident Commander: Owns decision authority for containment actions, escalation, and external communications. Typically the CISO or IT Director. Authorizes financial holds and account lockouts.
  • Security Analyst: Leads email header analysis, log forensics, and IOC correlation. Investigates mailbox rules, forwarding changes, and OAuth token abuse.
  • IT Operations: Executes containment—disabling accounts, revoking sessions, modifying mail flow rules, and resetting credentials across identity providers.
  • Communications: Manages internal staff alerts, executive briefings, and external messaging to clients or partners who may have received fraudulent emails.
  • Finance Lead: Verifies payment requests through out-of-band channels, freezes pending wire transfers, and liaises with banking partners on fraudulent transaction reversal.

Tools and Resources

  • Forensic tools: Email header analyzers (MXToolbox, Google Admin Toolbox), Microsoft Purview eDiscovery or Google Vault for mailbox forensics, PhishTool for URL detonation
  • Communication channels: Out-of-band communications via Signal, personal mobile phones, or a dedicated Slack workspace not tied to corporate SSO—BEC actors may control corporate email
  • Documentation templates: Incident log with timestamped entries, evidence chain-of-custody forms, financial transaction tracking sheets

Detection Capabilities

Ensure you can detect business email compromise incidents before they succeed:
  • SIEM rules for impossible travel logins, mail forwarding rule creation, inbox rule modifications targeting keywords like "invoice," "payment," or "wire"
  • Email security gateway configured with DMARC enforcement, SPF hard-fail, and DKIM validation; alerts on display-name spoofing and lookalike domain registration
  • Conditional Access policies requiring MFA for all email access, blocking legacy authentication protocols (IMAP, POP3, SMTP AUTH)
  • Dark web monitoring for executive credential exposure on breach databases
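
As an added example (not part of the original playbook), here is the inbox-rule SIEM logic from the list above written in Python and run over constructed audit records in the shape Search-UnifiedAuditLog returns for inbox-rule operations. The internal domain list, the keyword list (the playbook's three words plus "remittance") and the score weights are assumptions to tune for your tenant.

```python
import re

INTERNAL_DOMAINS = {"company.com"}                       # assumed: the organization's own domains
KEYWORDS = {"invoice", "payment", "wire", "remittance"}  # the playbook's SIEM keyword list, extended
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDDEN_FOLDERS = {"rss subscriptions", "deleted items", "junk email", "archive"}

# Constructed records shaped like the AuditData JSON Search-UnifiedAuditLog returns for inbox rules
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@company.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire transfer"},
                    {"Name": "ForwardTo", "Value": "cfo.archive@mail-example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@company.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@company.com", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Identity", "Value": "Team"},
                    {"Name": "ForwardTo", "Value": "team-lead@company.com"}]},
]

def external_recipients(value):
    # Exchange joins multiple recipients with ';'; keep only those outside our own domains
    return [a.strip() for a in value.split(";")
            if a.strip().rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def score_rule(record):
    """Return (score, reasons) for one inbox-rule audit record; higher means more suspicious."""
    p = {x["Name"]: x["Value"] for x in record.get("Parameters", [])}
    reasons = []   # (weight, explanation) pairs
    for name in sorted(p.keys() & FORWARD_PARAMS):
        if ext := external_recipients(p[name]):
            reasons.append((3, f"{name} -> external {ext}"))
    text = (p.get("SubjectContainsWords", "") + " " + p.get("BodyContainsWords", "")).lower()
    if hits := KEYWORDS & set(re.findall(r"[a-z]+", text)):
        reasons.append((2, f"matches financial keywords {sorted(hits)}"))
    if p.get("DeleteMessage") == "True" or p.get("MoveToFolder", "").lower() in HIDDEN_FOLDERS:
        reasons.append((2, "hides matching mail (delete or move to a rarely read folder)"))
    if len(p.get("Name", "rule")) <= 2:   # one-character names are typical of hand-made hiding rules
        reasons.append((1, f"terse rule name {p['Name']!r}"))
    return sum(w for w, _ in reasons), [why for _, why in reasons]

def alerts(records, threshold=3):
    """Records scoring at or above the threshold; external forwarding alone is enough to alert."""
    scored = ((rec, *score_rule(rec)) for rec in records)
    return [{"user": rec["UserId"], "ip": rec["ClientIP"], "score": s, "reasons": why}
            for rec, s, why in scored if s >= threshold]
```

Feed it the AuditData field of each exported record (after json.loads) and raise an alert for every entry alerts() returns.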

Phase 2: Detection and Analysis

Initial Detection

How you will know a BEC attempt is underway:
  • An employee reports a suspicious email requesting urgent payment, gift card purchase, or credential entry
  • Email security gateway flags a message with a lookalike domain (e.g., company-inc.com vs. companyinc.com)
  • SIEM alerts on a new inbox rule forwarding all email to an external address
  • Microsoft Defender or Google Workspace alerts on suspicious OAuth application consent
  • Finance flags a wire transfer request that bypasses normal approval workflows

Triage and Validation

Is this a real incident? Validate by:

  1. Examine email headers for origin IP, SPF/DKIM/DMARC pass/fail, and return-path discrepancies
  2. Check the sending domain against WHOIS records—BEC domains are often registered within 48 hours of the attack
  3. Search mailbox audit logs for unauthorized access, rule creation, or delegate permissions added
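
An added example, not from the original playbook, that performs the header examination of step 1 over a constructed .eml: it reads the SPF/DKIM/DMARC verdicts from Authentication-Results, compares the Return-Path and Reply-To domains with the From domain, and flags lookalike domains by edit distance against an assumed list of the organization's own domains.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample lure exported as .eml; every address and domain is fictional.
SAMPLE_EML = """\
From: "Jane Doe (CEO)" <jane.doe@companyinc.com>
Return-Path: <bounce@company-inc.com>
Reply-To: jane.doe@company-inc.com
Subject: Urgent wire needed today
Authentication-Results: mx.companyinc.com; spf=fail smtp.mailfrom=company-inc.com; dkim=none; dmarc=fail header.from=companyinc.com

Please process the attached invoice before 5pm.
"""

TRUSTED_DOMAINS = {"companyinc.com"}   # assumed: the organization's own domains

def domain_of(header_value):
    addr = parseaddr(header_value or "")[1].lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def edit_distance(a, b):
    # Levenshtein distance; domains are short, so the O(n*m) table is fine
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    # A near-miss of a trusted domain (inserted hyphen, swapped letter) that is not the domain itself
    return domain not in trusted and any(edit_distance(domain, t) <= 2 for t in trusted)

def triage(raw_eml):
    """Return a list of findings; an empty list means every header check passed."""
    msg = email.message_from_string(raw_eml)
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    from_dom = domain_of(msg["From"])
    findings = [f"{k}={verdicts.get(k, 'missing')}" for k in ("spf", "dkim", "dmarc")
                if verdicts.get(k) != "pass"]
    for hdr in ("Return-Path", "Reply-To"):   # envelope and reply domains should match From
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} != From domain {from_dom}")
        if is_lookalike(dom):
            findings.append(f"{hdr} uses lookalike domain {dom}")
    return findings
```
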

Severity classification for BEC incidents:
  • High: Compromised credentials confirmed, inbox rules modified, but no financial transaction initiated — Response: Within 1 hour
  • Medium: Phishing email delivered and opened, but no credential submission or malicious action taken — Response: Within 4 hours
  • Low: Phishing email caught by gateway, no user interaction — Response: Within 24 hours, update block lists

Initial Investigation

Evidence collection (preserve before containment!):

  1. Capture the original email with full headers (export as .eml, not screenshot)
  2. Export mailbox audit logs:

Microsoft 365: Search unified audit log

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -UserIds compromised@company.com `
    -Operations "New-InboxRule","Set-InboxRule","UpdateInboxRules","MailboxLogin"

# Export sign-in logs for the affected account
Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'compromised@company.com'" -Top 100

  3. Document all inbox rules currently active on affected accounts, especially those forwarding, deleting, or moving messages
  4. Capture OAuth/app consent logs to identify malicious applications granted mailbox access
  5. Chain of custody: Log who accessed what evidence, when, and store copies in a write-protected location

Analysis questions specific to BEC:
  • Was the email sent from a spoofed domain, a compromised vendor account, or the organization's own compromised mailbox?
  • Have any mail forwarding rules been created to exfiltrate ongoing correspondence?
  • Were financial transactions requested, and if so, have any been executed?
  • How many recipients received the fraudulent message?
  • Is this an isolated phishing attempt or part of a broader vendor email compromise chain?

Phase 3: Containment, Eradication, and Recovery

Short-Term Containment

Immediate actions—minutes matter for wire recall:

  1. Disable compromised accounts and revoke all active sessions and refresh tokens:

Microsoft 365: Revoke sessions

Revoke-MgUserSignInSession -UserId "compromised@company.com"

# Force a password change at next sign-in as part of the credential reset and MFA re-registration
Update-MgUser -UserId "compromised@company.com" -PasswordProfile @{ForceChangePasswordNextSignIn=$true}

  2. Remove malicious inbox rules forwarding email to external addresses
  3. Block attacker IOCs: Add lookalike domains to your email gateway block list, block sender IPs at the firewall, and add malicious URLs to your web proxy deny list
  4. Notify targeted recipients internally—instruct them not to respond, click links, or process any financial requests from the compromised thread

Long-Term Containment

  • Implement conditional access policies restricting email access to managed devices and compliant locations
  • Deploy a banner warning on all external emails ("This message originated outside your organization")
  • Engage your email security vendor to tune anti-impersonation policies based on observed TTPs

Eradication

  1. Audit all mailbox rules, delegates, and OAuth applications organization-wide—not just the affected account
  2. Remove any attacker-created mail flow rules at the transport level
  3. Revoke consent for any suspicious third-party applications
  4. If a vendor's email was compromised, notify them and quarantine all messages from their domain until they confirm remediation
  5. Verify DMARC policy is set to p=reject for your domain to prevent spoofing of your brand

Recovery

  1. Re-enable the affected account with fresh credentials, enforced MFA, and monitored access
  2. Review and re-verify any financial transactions processed during the compromise window
  3. Re-establish trust with impacted vendors or clients through direct phone verification of banking details
  4. Monitor the affected mailbox with enhanced logging for 30 days post-recovery
  5. Conduct a targeted phishing simulation for affected departments within two weeks

Phase 4: Post-Incident Activity

Lessons Learned Meeting

  • Complete attack timeline from initial phishing email to detection to containment
  • Whether existing email security controls (DMARC, MFA, anti-impersonation) functioned as expected
  • Time-to-detection and time-to-containment metrics
  • Whether the financial recall process worked, and if not, where delays occurred
  • Specific action items with owners and deadlines

Incident Report

Document for executive leadership: total financial exposure (recovered vs. lost), number of accounts compromised, root cause (credential phishing, session hijacking, vendor compromise), and regulatory notifications completed.

Remediation and Hardening

  • Enforce phishing-resistant MFA (FIDO2 keys or certificate-based authentication) for all finance and executive accounts
  • Implement dual-authorization for all wire transfers above a defined threshold
  • Deploy a verified callback procedure for any banking detail changes from vendors
  • Update this playbook based on lessons learned and conduct a tabletop exercise quarterly

Legal and Regulatory Considerations

  • FBI IC3: File a complaint at ic3.gov immediately for any financial loss
  • Regulatory bodies: Notify as required—SEC for material events, state attorneys general if consumer PII was exposed
  • Evidence preservation: Maintain all email artifacts, logs, and financial records under litigation hold
