📧 Business Email Compromise Response Quickstart

Time-boxed response path for business email compromise incidents. Prioritises halting fraudulent financial transactions, revoking cloud sessions, identifying impersonation tactics, and preserving email evidence chains for potential law-enforcement referral.


First 15 Minutes

1. Analyze BEC Impersonation Email (Critical, ~3m)

Examine the BEC email to determine the impersonation technique: display-name spoofing, look-alike domain, compromised legitimate account, or reply-chain hijacking. Extract full email headers to identify the true sending infrastructure and compare against the impersonated party. Determine whether this is an external impersonation or an internal account compromise, as the response strategy differs significantly between the two scenarios.
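The triage this step describes, as an added PowerShell example (not code from the original checklist): unfold the raw headers, then apply the four-way classification (display-name spoofing, look-alike domain, authenticated mail from the legitimate domain, Reply-To diversion). The sample message, its domains and names, the substitution list in `Test-LookAlikeDomain` and the `-ImpersonatedNames` parameter are all constructed assumptions.

```powershell
# Added example (not from the original checklist): classify the impersonation
# technique from a BEC email's raw headers. The sample message at the bottom is
# constructed; every domain and name in it is a placeholder.

function Get-EmailHeaders {
    param([Parameter(Mandatory)][string]$RawMessage)
    # Headers end at the first blank line; folded continuation lines start with whitespace.
    $headerText = ($RawMessage -split '\r?\n\r?\n', 2)[0]
    $headers = @{}
    $current = $null
    foreach ($line in ($headerText -split '\r?\n')) {
        if ($line -match '^\s+\S' -and $current) {
            $headers[$current] += ' ' + $line.Trim()
        } elseif ($line -match '^([\w-]+):\s*(.*)$') {
            $current = $Matches[1].ToLower()
            # Repeated headers (several Received/Authentication-Results stamps) are concatenated
            if ($headers.ContainsKey($current)) { $headers[$current] += ' | ' + $Matches[2] }
            else { $headers[$current] = $Matches[2] }
        }
    }
    return $headers
}

function Get-AddressDomain([string]$HeaderValue) {
    $addr = if ($HeaderValue -match '<([^>]+)>') { $Matches[1] } else { $HeaderValue.Trim() }
    return ($addr -split '@')[-1].Trim().ToLower()
}

function Test-LookAlikeDomain([string]$Candidate, [string]$Legitimate) {
    if ($Candidate.ToLower() -eq $Legitimate.ToLower()) { return $false }
    # Undo the digit/letter and letter-pair substitutions common in look-alike registrations (constructed list)
    $norm = { param($d) $d.ToLower() -replace '0','o' -replace '1','l' -replace 'rn','m' -replace 'vv','w' -replace '-','' }
    $c = & $norm $Candidate; $l = & $norm $Legitimate
    # Same after normalisation, or same second-level label with a swapped TLD (example-corp.co vs .com)
    return ($c -eq $l) -or ((($c -split '\.')[0]) -eq (($l -split '\.')[0]))
}

function Get-ImpersonationTechnique {
    param(
        [Parameter(Mandatory)][hashtable]$Headers,
        [Parameter(Mandatory)][string]$ImpersonatedDomain,   # the legitimate domain the lure claims to come from
        [string[]]$ImpersonatedNames = @()                   # executives or vendors the lure claims to be
    )
    $fromDomain  = Get-AddressDomain $Headers['from']
    $replyDomain = if ($Headers['reply-to']) { Get-AddressDomain $Headers['reply-to'] } else { $fromDomain }
    $auth        = [string]$Headers['authentication-results']
    $display     = if ($Headers['from'] -match '^\s*"?([^"<]+?)"?\s*<') { $Matches[1].Trim() } else { '' }
    $findings    = [System.Collections.Generic.List[string]]::new()

    if ($fromDomain -eq $ImpersonatedDomain.ToLower()) {
        if ($auth -match 'dmarc=pass') {
            $findings.Add('From domain is the legitimate domain and passes DMARC: compromised account or reply-chain hijack; pivot to mailbox audit and sign-in logs')
        } else {
            $findings.Add("From domain is the legitimate domain but DMARC did not pass: exact-domain spoofing from outside infrastructure (auth: $auth)")
        }
    } elseif (Test-LookAlikeDomain $fromDomain $ImpersonatedDomain) {
        $findings.Add("Look-alike sending domain: $fromDomain imitates $ImpersonatedDomain")
    } elseif ($ImpersonatedNames | Where-Object { $display -match [regex]::Escape($_) }) {
        $findings.Add("Display-name spoofing: '$display' sent from unrelated domain $fromDomain")
    } else {
        $findings.Add("External sender $fromDomain: no domain imitation found, review display name '$display' by hand")
    }
    if ($replyDomain -ne $fromDomain) {
        $kind = if (Test-LookAlikeDomain $replyDomain $ImpersonatedDomain) { 'look-alike domain' } else { 'domain' }
        $findings.Add("Reply-To diverts replies to $kind $replyDomain")
    }
    if ($Headers['return-path']) {
        $bounce = Get-AddressDomain $Headers['return-path']
        if ($bounce -ne $fromDomain) { $findings.Add("Return-Path domain $bounce differs from From: sending infrastructure is elsewhere") }
    }
    return $findings
}

# Constructed sample: display-name spoof of an executive, with replies diverted to a look-alike domain
$sample = @"
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=mail-relay.example.net;
  dkim=none; dmarc=none
From: "Jane Doe (CEO)" <jane.doe.ceo@mail-relay.example.net>
Reply-To: <jane.doe@examp1e-corp.com>
To: ap.clerk@example-corp.com
Subject: Urgent wire before 5pm

Please process the attached wire today and keep it confidential.
"@
$headers = Get-EmailHeaders -RawMessage $sample
Get-ImpersonationTechnique -Headers $headers -ImpersonatedDomain 'example-corp.com' -ImpersonatedNames 'Jane Doe'
```

The DMARC branch is what separates the two response strategies the step mentions: a passing DMARC result on the legitimate domain means the mail really left your tenant, so the investigation moves to the account rather than the sender's infrastructure.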

2. Identify Targeted Recipients (Critical, ~5m)

Determine all recipients who received the BEC email and assess which users engaged with it by checking mailbox audit logs for read receipts, replies, and forwarding actions. BEC attacks typically target finance, HR, and executive-assistant roles with urgent requests involving wire transfers, gift-card purchases, or payroll changes. Identifying who interacted with the email determines the urgency of financial-transaction review and account lockdown.

3. Revoke Active Cloud Sessions (Critical, ~3m)

If the BEC originated from a compromised internal account, immediately revoke all active sessions and refresh tokens for that account via Azure AD. This terminates any attacker sessions currently using the account to send additional fraudulent emails, read sensitive communications, or modify mailbox rules. Even if the account password is reset, existing OAuth tokens and refresh tokens remain valid until explicitly revoked.
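The revocation described above, as an added example (not code from the original checklist) using the Microsoft Graph PowerShell SDK, which replaces the deprecated AzureAD module's `Revoke-AzureADUserAllRefreshToken`. It assumes a connection with `User.ReadWrite.All` and `User.RevokeSessions.All`; the user principal name is a placeholder.

```powershell
# Added example (not part of the original checklist): contain a compromised
# account with the Microsoft Graph PowerShell SDK. Requires User.ReadWrite.All
# and User.RevokeSessions.All; the UPN is a placeholder.
Connect-MgGraph -Scopes 'User.ReadWrite.All','User.RevokeSessions.All'

function Invoke-BecAccountContainment {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled
    # 1. Invalidate every refresh token and browser session issued before this moment. Access
    #    tokens already held by the attacker keep working until they expire (typically an hour
    #    or so), so this call is what bounds the exposure, not the password reset.
    $null = Revoke-MgUserSignInSession -UserId $user.Id
    # 2. Block sign-in so the attacker cannot simply re-authenticate with the stolen password
    #    before step 11 rebuilds the credentials and MFA.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    # 3. Read the state back so the ticket records what was actually applied and when
    $after = Get-MgUser -UserId $user.Id -Property AccountEnabled, SignInSessionsValidFromDateTime
    [pscustomobject]@{
        User              = $user.UserPrincipalName
        SessionsValidFrom = $after.SignInSessionsValidFromDateTime   # tokens issued before this time are rejected
        SignInBlocked     = -not $after.AccountEnabled
        ContainedAtUtc    = (Get-Date).ToUniversalTime()
    }
}

Invoke-BecAccountContainment -UserPrincipalName 'finance.user@example-corp.com'
```

`SignInSessionsValidFromDateTime` moving to the current time is the evidence that the revocation took effect; keep the returned object in the incident record.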

4. Halt Fraudulent Financial Transactions (Critical, ~4m)

Immediately contact the finance team and banking partners to halt, reverse, or freeze any wire transfers, ACH payments, or other financial transactions initiated as a result of the BEC email. Time is critical: most financial institutions can recall wire transfers within 24-72 hours, but success rates drop dramatically after that window. Document all transaction details including amounts, beneficiary accounts, and routing numbers for law-enforcement referral.

First 60 Minutes

5. Collect M365 Unified Audit Log (Critical, ~10m)

Export the Unified Audit Log for the compromised account and all targeted recipients covering 7 days before the BEC event to the present. Focus on mail-send operations, mailbox-rule modifications, file access and downloads, and admin-role changes. BEC operators often lurk in a compromised mailbox for days or weeks studying communication patterns before launching their fraud attempt, so historical data is essential.
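The export described here, as an added example (not code from the original checklist). `Export-BecAuditLog` pulls the 7-day-to-present window for the compromised account and the targeted recipients in one paged `Search-UnifiedAuditLog` session and flattens the JSON `AuditData`; `Get-RecipientEngagement` then answers step 2's question of which recipients sent, replied or read mail after the lure arrived. It assumes `Connect-ExchangeOnline`; the user names, dates and output path are placeholders.

```powershell
# Added example (not part of the original checklist): collect the Unified Audit Log
# for the compromised account and the targeted recipients (step 5) and summarise
# recipient engagement (step 2). Requires ExchangeOnlineManagement; names and
# dates below are placeholders.
Connect-ExchangeOnline

function Export-BecAuditLog {
    param(
        [Parameter(Mandatory)][string[]]$Users,          # compromised account plus every targeted recipient
        [Parameter(Mandatory)][datetime]$IncidentDate,
        [string]$OutFile = ".\bec-ual-$(Get-Date -Format yyyyMMdd-HHmm).csv"
    )
    $start = $IncidentDate.AddDays(-7)   # 7 days of pre-incident history, per the checklist
    $end   = (Get-Date).AddMinutes(5)
    # The operations that answer the checklist's questions: mail sent, rules touched,
    # files pulled, directory/role changes.
    $ops = @(
        'Send','SendAs','SendOnBehalf','MailItemsAccessed',
        'New-InboxRule','Set-InboxRule','Remove-InboxRule','UpdateInboxRules',
        'FileAccessed','FileDownloaded','FileSyncDownloadedFull',
        'Add member to role.','Update user.','User registered security info.','Consent to application.'
    )
    # One SessionId with ReturnLargeSet pages through the full result set 5000 records at a time
    $sessionId = "BEC-$([guid]::NewGuid())"
    $records   = [System.Collections.Generic.List[object]]::new()
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Users -Operations $ops `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
        $records.AddRange($page)
    } while ($page.Count -gt 0)

    $rows = foreach ($r in $records) {
        $d = $r.AuditData | ConvertFrom-Json
        $detail = if ($d.Parameters) { ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' }   # inbox-rule cmdlet arguments
        elseif ($d.Folders)          { ($d.Folders | ForEach-Object { $_.Path }) -join '; ' }                         # MailItemsAccessed
        elseif ($d.Item)             { $d.Item.Subject }                                                              # Send / SendAs
        else                         { $d.ObjectId }                                                                  # files, directory changes
        [pscustomobject]@{
            TimeUtc = $r.CreationDate; User = $r.UserIds; Operation = $r.Operations; RecordType = $r.RecordType
            ClientIP = $d.ClientIP; Client = $d.ClientInfoString; Detail = $detail
        }
    }
    $rows | Sort-Object TimeUtc | Export-Csv -Path $OutFile -NoTypeInformation
    return $rows
}

# Step 2 view: which targeted users acted on mail after the lure arrived, and when they first did so
function Get-RecipientEngagement {
    param([Parameter(Mandatory)][object[]]$Rows, [Parameter(Mandatory)][datetime]$IncidentDate)
    $Rows | Where-Object { $_.TimeUtc -ge $IncidentDate -and $_.Operation -in @('Send','SendAs','SendOnBehalf','MailItemsAccessed') } |
        Group-Object User, Operation | ForEach-Object {
            [pscustomobject]@{
                User = $_.Group[0].User; Operation = $_.Group[0].Operation; Count = $_.Count
                FirstUtc = ($_.Group.TimeUtc | Measure-Object -Minimum).Minimum
            }
        } | Sort-Object User, FirstUtc
}

$incident = Get-Date '2024-01-15'   # placeholder incident date
$rows = Export-BecAuditLog -Users 'finance.user@example-corp.com','ap.clerk@example-corp.com' -IncidentDate $incident
Get-RecipientEngagement -Rows $rows -IncidentDate $incident | Format-Table -AutoSize
# Rule changes are the first thing to read in the export (step 6 removes what they created)
$rows | Where-Object Operation -match 'InboxRule' | Format-Table TimeUtc, User, Operation, ClientIP, Detail -Wrap
```

The `ClientIP` column across the whole window is what exposes the lurking period: the attacker's address typically appears on `MailItemsAccessed` records days before the first fraudulent `Send`.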

6. Analyze Inbox Rule Modifications (~10m)

BEC attackers routinely create inbox rules to intercept replies, hide security notifications, and maintain covert control of the compromised mailbox. Enumerate all inbox rules using Get-InboxRule and the mailbox audit log, paying special attention to rules that delete or redirect messages containing financial keywords, move messages to obscure folders like RSS Subscriptions, or forward to external addresses. Remove any malicious rules immediately.
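Rule triage along the lines the step describes, as an added example (not code from the original checklist). `Test-SuspiciousInboxRule` works on anything carrying the `Get-InboxRule` property names, so the constructed sample rules exercise it offline; the live section assumes `Connect-ExchangeOnline`. The keyword list, folder list, accepted-domain list and mailbox address are placeholders to adapt.

```powershell
# Added example (not part of the original checklist): flag the inbox-rule patterns
# BEC actors rely on, then capture and remove them. Keyword, folder and domain
# lists are constructed placeholders; the mailbox address is a placeholder.
$FinancialKeywords = 'invoice','wire','payment','ach','bank','remit','payroll','deposit','password','suspicious','security','hacked'
$InternalDomains   = @('example-corp.com')                  # placeholder: the tenant's accepted domains
$ObscureFolders    = 'RSS Subscriptions','RSS Feeds','Junk Email','Deleted Items','Archive','Conversation History','Notes'

function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory)]$Rule)   # a Get-InboxRule result, or any object with the same property names
    $reasons = [System.Collections.Generic.List[string]]::new()
    $words   = @(@($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) + @($Rule.SubjectOrBodyContainsWords) | Where-Object { $_ })
    $financial = @($words | Where-Object { $w = "$_"; @($FinancialKeywords | Where-Object { $w -match $_ }).Count -gt 0 })
    $internalRx = '@(' + (($InternalDomains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'
    # Get-InboxRule renders recipients as "Name [SMTP:addr]"; anything not at an accepted domain is external
    $external = @(@($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) | Where-Object { $_ -and ("$_" -notmatch $internalRx) })
    $folder   = "$($Rule.MoveToFolder)"

    if ($external.Count)                            { $reasons.Add("forwards or redirects outside the tenant: $($external -join ', ')") }
    if ($Rule.DeleteMessage -and $financial.Count)   { $reasons.Add("deletes mail matching: $($financial -join ', ')") }
    if ($Rule.DeleteMessage -and -not $words.Count)  { $reasons.Add('deletes mail without any subject/body keyword condition') }
    if ($folder -and ($ObscureFolders | Where-Object { $folder -match [regex]::Escape($_) })) { $reasons.Add("moves mail to '$folder'") }
    if ($Rule.MarkAsRead -and $financial.Count)      { $reasons.Add('marks financial mail as read so the owner never sees it as new') }
    if ("$($Rule.Name)" -match '^[\s\.\,_\-]*$')     { $reasons.Add('blank or punctuation-only rule name') }
    [pscustomobject]@{
        Identity = $Rule.Identity; Name = $Rule.Name; Enabled = $Rule.Enabled
        Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ')
    }
}

# Constructed sample rules: two typical BEC rules and one benign user rule
$sampleRules = @(
    [pscustomobject]@{ Identity='r1'; Name='.';           Enabled=$true; SubjectOrBodyContainsWords=@('invoice','wire'); SubjectContainsWords=@(); BodyContainsWords=@(); DeleteMessage=$true;  MoveToFolder=$null;                             ForwardTo=@(); ForwardAsAttachmentTo=@(); RedirectTo=@(); MarkAsRead=$true  }
    [pscustomobject]@{ Identity='r2'; Name='Cleanup';     Enabled=$true; SubjectOrBodyContainsWords=@();                 SubjectContainsWords=@(); BodyContainsWords=@(); DeleteMessage=$false; MoveToFolder='user@example-corp.com:\RSS Subscriptions'; ForwardTo=@('External [SMTP:collector@example.net]'); ForwardAsAttachmentTo=@(); RedirectTo=@(); MarkAsRead=$false }
    [pscustomobject]@{ Identity='r3'; Name='Newsletters'; Enabled=$true; SubjectOrBodyContainsWords=@();                 SubjectContainsWords=@('Weekly digest'); BodyContainsWords=@(); DeleteMessage=$false; MoveToFolder='user@example-corp.com:\Reading'; ForwardTo=@(); ForwardAsAttachmentTo=@(); RedirectTo=@(); MarkAsRead=$false }
)
$sampleRules | ForEach-Object { Test-SuspiciousInboxRule $_ } | Format-Table Name, Suspicious, Reasons -Wrap

# Live run (requires Connect-ExchangeOnline; the mailbox is a placeholder). Capture every rule before touching anything.
$mailbox = 'finance.user@example-corp.com'
Get-InboxRule -Mailbox $mailbox -IncludeHidden | Format-List * | Out-File ".\inboxrules-$($mailbox -replace '[^\w]','_').txt"
$findings = Get-InboxRule -Mailbox $mailbox -IncludeHidden | ForEach-Object { Test-SuspiciousInboxRule $_ }
$findings | Format-Table Name, Enabled, Suspicious, Reasons -Wrap
$findings | Where-Object Suspicious | ForEach-Object { Remove-InboxRule -Mailbox $mailbox -Identity $_.Identity -Confirm:$false }
# Rules are not the only forwarding path: mailbox-level forwarding set through Set-Mailbox or OWA options needs the same review
Get-Mailbox -Identity $mailbox | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
```

The offline sample flags `r1` (deletes and marks-as-read financial mail under a one-character name) and `r2` (external forward plus the RSS Subscriptions folder) and leaves `r3` alone; the `Format-List *` capture taken before removal is what preserves the rule definitions as evidence.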

7. Review Azure AD Activity (~10m)

Examine Azure AD sign-in and audit logs for the compromised account to establish the attacker timeline. Look for sign-ins from anonymizing infrastructure (VPNs, Tor), unfamiliar geographies, or non-standard user-agent strings. Check whether the attacker registered new MFA devices, modified security settings, or granted themselves additional roles. Understanding the full scope of Azure AD compromise prevents the attacker from maintaining persistent access.
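The sign-in and audit review as an added example (not code from the original checklist), built on the Microsoft Graph PowerShell SDK with `AuditLog.Read.All` and `Directory.Read.All`. The UPN, incident date and expected-country list are placeholders; the two OData filters follow the documented `directoryAudits` filter syntax, and if a tenant rejects the `targetResources/any` form the same records can be pulled by date and filtered client-side.

```powershell
# Added example (not part of the original checklist): build the attacker timeline
# from the account's Entra ID (Azure AD) sign-ins and directory audits. Requires
# Microsoft.Graph with AuditLog.Read.All and Directory.Read.All; the UPN, date and
# expected-country list are placeholders.
Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'

function Get-BecSignInTimeline {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][datetime]$IncidentDate,
        [string[]]$ExpectedCountries = @('US')             # where this user normally signs in from
    )
    $since   = $IncidentDate.AddDays(-14).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"
    $rows = foreach ($s in $signIns) {
        $country = $s.Location.CountryOrRegion
        [pscustomobject]@{
            TimeUtc = $s.CreatedDateTime
            IP      = $s.IpAddress
            Country = $country
            City    = $s.Location.City
            App     = $s.AppDisplayName
            Client  = $s.ClientAppUsed              # 'Browser', 'Mobile Apps and Desktop clients', or a legacy protocol
            Browser = $s.DeviceDetail.Browser
            OS      = $s.DeviceDetail.OperatingSystem
            Result  = if ($s.Status.ErrorCode -eq 0) { 'Success' } else { "Fail($($s.Status.ErrorCode))" }
            CA      = $s.ConditionalAccessStatus    # success / failure / notApplied
            Risk    = $s.RiskLevelDuringSignIn
            Flag    = ($country -and $country -notin $ExpectedCountries) -or
                      ($s.RiskLevelDuringSignIn -in @('medium','high')) -or
                      ($s.ClientAppUsed -match 'IMAP|POP|SMTP|Other clients')   # legacy protocols skip MFA
        }
    }
    # A new IP / country / browser / OS combination that first appears near the incident is the attacker's footprint
    $rows | Group-Object IP, Country, Browser, OS | Sort-Object Count |
        Select-Object Count, Name,
            @{n='FirstUtc'; e={ ($_.Group.TimeUtc | Measure-Object -Minimum).Minimum }},
            @{n='LastUtc';  e={ ($_.Group.TimeUtc | Measure-Object -Maximum).Maximum }},
            @{n='Flagged';  e={ ($_.Group | Where-Object Flag).Count }} |
        Format-Table -AutoSize | Out-Host
    return $rows
}

function Get-BecDirectoryChanges {
    param([Parameter(Mandatory)][string]$UserPrincipalName, [Parameter(Mandatory)][datetime]$IncidentDate)
    $since = $IncidentDate.AddDays(-14).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Events where the account is the actor (attacker acting as the user) or the target (its MFA, password or roles changed)
    $actor  = Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and initiatedBy/user/userPrincipalName eq '$UserPrincipalName'"
    $target = Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and targetResources/any(t:t/userPrincipalName eq '$UserPrincipalName')"
    @($actor) + @($target) | Where-Object { $_ } | Sort-Object Id -Unique |
        Where-Object { $_.ActivityDisplayName -match 'security info|authentication method|password|role|Consent to application|Update user|device' } |
        Select-Object ActivityDateTime, ActivityDisplayName, Result,
            @{n='Actor';  e={ $_.InitiatedBy.User.UserPrincipalName }},
            @{n='Target'; e={ ($_.TargetResources | ForEach-Object { if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName } }) -join ', ' }} |
        Sort-Object ActivityDateTime
}

$incident = Get-Date '2024-01-15'   # placeholder
$signIns = Get-BecSignInTimeline -UserPrincipalName 'finance.user@example-corp.com' -IncidentDate $incident -ExpectedCountries 'US','CA'
$signIns | Where-Object Flag | Format-Table TimeUtc, IP, Country, Client, Result, Risk -AutoSize
Get-BecDirectoryChanges -UserPrincipalName 'finance.user@example-corp.com' -IncidentDate $incident | Format-Table -Wrap
```

Read the two outputs together: a "User registered security info" audit entry whose timestamp sits inside a flagged sign-in session is the attacker adding an MFA device, which step 11 must remove.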

8. Preserve BEC Email Chain (~15m)

Preserve the complete email conversation chain including the original BEC email, all replies from victims, and any follow-up messages from the attacker. Place litigation holds on all involved mailboxes and export the relevant emails in EML format with full headers for forensic analysis and potential FBI IC3 or law-enforcement submission. BEC cases frequently involve legal proceedings, so evidence integrity and chain of custody are paramount.
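The hold and export as an added example (not code from the original checklist). `Set-Mailbox` runs under `Connect-ExchangeOnline`, the compliance search cmdlets under `Connect-IPPSSession`; the mailboxes, attacker address, subject words, case name and dates are placeholders.

```powershell
# Added example (not part of the original checklist): hold the involved mailboxes,
# then scope a content search to the BEC thread and queue its export. Requires
# ExchangeOnlineManagement; all addresses and names below are placeholders.
Connect-ExchangeOnline
Connect-IPPSSession

function Protect-BecEvidence {
    param(
        [Parameter(Mandatory)][string[]]$Mailboxes,       # compromised account plus every victim who replied
        [Parameter(Mandatory)][string]$AttackerAddress,   # From: (or Reply-To:) address of the BEC email
        [Parameter(Mandatory)][string]$SubjectWords,      # distinctive words from the thread subject
        [Parameter(Mandatory)][datetime]$IncidentDate,
        [string]$CaseName = "BEC-$(Get-Date -Format yyyyMMdd-HHmm)"
    )
    # 1. Hold first: while the hold stands nothing in these mailboxes can be purged, by the user or by a leftover rule
    foreach ($m in $Mailboxes) {
        Set-Mailbox -Identity $m -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited `
            -RetentionComment "$CaseName - do not release without Legal approval"
    }
    $Mailboxes | ForEach-Object { Get-Mailbox -Identity $_ } |
        Select-Object PrimarySmtpAddress, LitigationHoldEnabled, LitigationHoldDate | Out-Host

    # 2. Search only the conversation: the attacker address in either direction, or the subject, in a window around the incident
    $from = $IncidentDate.AddDays(-30).ToString('yyyy-MM-dd')
    $to   = (Get-Date).AddDays(1).ToString('yyyy-MM-dd')
    $kql  = "(from:`"$AttackerAddress`" OR to:`"$AttackerAddress`" OR subject:`"$SubjectWords`") AND received>=$from AND received<=$to"
    New-ComplianceSearch -Name $CaseName -ExchangeLocation $Mailboxes -ContentMatchQuery $kql | Out-Null
    Start-ComplianceSearch -Identity $CaseName
    do { Start-Sleep -Seconds 15; $search = Get-ComplianceSearch -Identity $CaseName } while ($search.Status -ne 'Completed')

    # 3. Queue the export (one PST per mailbox, messages intact with their transport headers). Download it from
    #    the Purview portal, record its SHA-256 (Get-FileHash) in the chain-of-custody log, and produce any EML
    #    copies for law enforcement from that preserved file rather than from the live mailbox.
    New-ComplianceSearchAction -SearchName $CaseName -Export -ExchangeArchiveFormat PerUserPst | Out-Null
    [pscustomobject]@{ Case = $CaseName; Items = $search.Items; Size = $search.Size; Query = $kql }
}

Protect-BecEvidence -Mailboxes 'finance.user@example-corp.com','ap.clerk@example-corp.com' `
    -AttackerAddress 'jane.doe@examp1e-corp.com' -SubjectWords 'Urgent wire' -IncidentDate (Get-Date '2024-01-15')
```

Putting the hold on before the search matters for the same reason step 6 captures rules before deleting them: a rule the attacker left behind can still be deleting replies while the search runs.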

First 4 Hours

9. Snapshot Cloud Tenant Config (~20m)

Capture a point-in-time snapshot of the Azure AD tenant configuration including conditional-access policies, app registrations, enterprise applications with consented permissions, global admin role assignments, and federation settings. BEC actors with sustained access may modify tenant-level settings to create backdoors or weaken security controls. Comparing the current state against a known-good baseline reveals unauthorized configuration changes.

10. Audit OAuth App Registrations (~20m)

Review all OAuth application registrations and consented permissions in the Azure AD tenant, focusing on apps granted after the estimated compromise date. BEC actors increasingly use OAuth consent-phishing to maintain persistent access that survives password resets. Look for apps with Mail.Read, Mail.Send, or Files.ReadWrite.All permissions that were consented by the compromised user. Revoke suspicious app permissions and delete unauthorized app registrations.
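One added example (not code from the original checklist) serving steps 9 and 10: `Export-TenantSnapshot` writes the settings step 9 lists to JSON, `Compare-TenantSnapshot` diffs two such files against each other, and `Get-RiskyUserConsent` lists the grants step 10 asks about. It assumes the Microsoft Graph PowerShell SDK with `Policy.Read.All`, `Application.Read.All`, `Directory.Read.All` and `DelegatedPermissionGrant.ReadWrite.All`; the file paths, UPN and compromise date are placeholders, and the high-risk scope list is a starting point to extend.

```powershell
# Added example (not part of the original checklist): snapshot and diff the tenant
# settings from step 9, and audit the OAuth grants from step 10. Requires
# Microsoft.Graph; paths, UPN and dates are placeholders.
Connect-MgGraph -Scopes 'Policy.Read.All','Application.Read.All','Directory.Read.All','DelegatedPermissionGrant.ReadWrite.All'

function Export-TenantSnapshot {
    param([string]$Path = ".\tenant-snapshot-$(Get-Date -Format yyyyMMdd-HHmm).json")
    $gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    $admins = if ($gaRole) {
        Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
            $p = $_.AdditionalProperties; if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
        }
    }
    $snapshot = [ordered]@{
        TakenUtc          = (Get-Date).ToUniversalTime().ToString('o')
        ConditionalAccess = @(Get-MgIdentityConditionalAccessPolicy -All | Select-Object Id, DisplayName, State, ModifiedDateTime)
        AppRegistrations  = @(Get-MgApplication -All | Select-Object AppId, DisplayName, CreatedDateTime, @{n='RedirectUris'; e={ $_.Web.RedirectUris }})
        EnterpriseApps    = @(Get-MgServicePrincipal -All | Select-Object AppId, DisplayName, AccountEnabled, CreatedDateTime)
        PermissionGrants  = @(Get-MgOauth2PermissionGrant -All | Select-Object Id, ClientId, ConsentType, PrincipalId, ResourceId, Scope)
        GlobalAdmins      = @($admins)
        Domains           = @(Get-MgDomain -All | Select-Object Id, AuthenticationType, IsVerified)   # Managed vs Federated
    }
    $snapshot | ConvertTo-Json -Depth 6 | Set-Content -Path $Path -Encoding utf8
    return $Path
}

function Compare-TenantSnapshot {
    param([Parameter(Mandatory)][string]$Baseline, [Parameter(Mandatory)][string]$Current)
    $b = Get-Content $Baseline -Raw | ConvertFrom-Json
    $c = Get-Content $Current  -Raw | ConvertFrom-Json
    foreach ($section in 'ConditionalAccess','AppRegistrations','EnterpriseApps','PermissionGrants','GlobalAdmins','Domains') {
        # Flatten each entry to one string so any changed property surfaces as removed + added
        $bs = @($b.$section | ForEach-Object { $_ | ConvertTo-Json -Compress })
        $cs = @($c.$section | ForEach-Object { $_ | ConvertTo-Json -Compress })
        $cs | Where-Object { $_ -notin $bs } | ForEach-Object { [pscustomobject]@{ Section = $section; Change = 'added';   Entry = $_ } }
        $bs | Where-Object { $_ -notin $cs } | ForEach-Object { [pscustomobject]@{ Section = $section; Change = 'removed'; Entry = $_ } }
    }
}

function Get-RiskyUserConsent {
    param([Parameter(Mandatory)][string]$UserPrincipalName, [Parameter(Mandatory)][datetime]$CompromiseDate)
    $userId   = (Get-MgUser -UserId $UserPrincipalName -Property Id).Id
    $highRisk = 'Mail.Read','Mail.ReadWrite','Mail.Send','MailboxSettings.ReadWrite','Files.Read.All','Files.ReadWrite.All','offline_access'
    # Grants the user consented to personally, plus tenant-wide grants (an attacker holding admin rights consents for everyone)
    $grants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.PrincipalId -eq $userId -or $_.ConsentType -eq 'AllPrincipals' }
    foreach ($g in $grants) {
        $sp     = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -Property DisplayName, AppId, CreatedDateTime
        $scopes = "$($g.Scope)".Trim() -split '\s+'
        $risky  = @($scopes | Where-Object { $_ -in $highRisk })
        $recent = [bool]($sp.CreatedDateTime -and $sp.CreatedDateTime -ge $CompromiseDate)
        [pscustomobject]@{
            GrantId = $g.Id; App = $sp.DisplayName; AppId = $sp.AppId; ConsentType = $g.ConsentType
            AppCreated = $sp.CreatedDateTime; CreatedAfterCompromise = $recent
            RiskyScopes = ($risky -join ' '); Review = ($risky.Count -gt 0 -and ($g.ConsentType -eq 'Principal' -or $recent))
        }
    }
}

$now = Export-TenantSnapshot
Compare-TenantSnapshot -Baseline '.\tenant-snapshot-baseline.json' -Current $now | Format-Table -Wrap
Get-RiskyUserConsent -UserPrincipalName 'finance.user@example-corp.com' -CompromiseDate (Get-Date '2024-01-10') |
    Where-Object Review | Format-Table App, ConsentType, AppCreated, RiskyScopes -Wrap
# Once an app is confirmed unauthorised: Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>,
# then Remove-MgServicePrincipal / Remove-MgApplication for the enterprise app or registration itself.
```

A grant with `offline_access` alongside `Mail.Read` is the consent-phishing signature the step warns about: the refresh token it issues belongs to the app, so the user's password reset and session revocation in steps 3 and 11 do not touch it, only removing the grant does.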

11. Reset Compromised Credentials (Critical, ~20m)

Perform a complete credential remediation for all compromised accounts: reset passwords, revoke all refresh tokens, remove and re-enroll MFA devices, and disable any app passwords. If the BEC actor had access to a privileged account, rotate credentials for service accounts and service principals that the compromised account could access. Ensure that the new credentials are communicated through an out-of-band channel, not through the previously compromised email.
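The remediation in one pass, as an added example (not code from the original checklist) built on the Microsoft Graph PowerShell SDK with `User.ReadWrite.All`, `User.RevokeSessions.All`, `UserAuthenticationMethod.ReadWrite.All` and `Application.ReadWrite.All`. The UPN and application id are placeholders; `New-TemporaryPassword` is a constructed helper for the interim password that is handed over out of band.

```powershell
# Added example (not part of the original checklist): rebuild a compromised
# account's credentials and rotate the secret of an app registration it could
# reach. Requires Microsoft.Graph; the UPN and application id are placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All','User.RevokeSessions.All','UserAuthenticationMethod.ReadWrite.All','Application.ReadWrite.All'

function New-TemporaryPassword {
    # 24 characters from a 64-symbol alphabet drawn from the CSPRNG (64 divides 256, so no modulo bias).
    # Ambiguous glyphs (l, I, O, 0, 1) are left out so the value can be read out over the phone.
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#$%&*+'
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Invoke-BecCredentialRemediation {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
    $temp = New-TemporaryPassword
    # 1. New password that must be changed at first sign-in
    Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $temp; ForceChangePasswordNextSignIn = $true }
    # 2. Void every refresh token and session issued before now; the password change alone leaves them valid
    $null = Revoke-MgUserSignInSession -UserId $user.Id
    # 3. Strip every registered MFA method so the user re-enrols after identity verification.
    #    The password method cannot be removed; unknown types are reported for manual handling.
    $methods = foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
        $type = $m.AdditionalProperties['@odata.type']
        switch ($type) {
            '#microsoft.graph.phoneAuthenticationMethod'                  { Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $m.Id; "removed $type" }
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' { Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $m.Id; "removed $type" }
            '#microsoft.graph.softwareOathAuthenticationMethod'           { Remove-MgUserAuthenticationSoftwareOathMethod -UserId $user.Id -SoftwareOathAuthenticationMethodId $m.Id; "removed $type" }
            '#microsoft.graph.emailAuthenticationMethod'                  { Remove-MgUserAuthenticationEmailMethod -UserId $user.Id -EmailAuthenticationMethodId $m.Id; "removed $type" }
            '#microsoft.graph.fido2AuthenticationMethod'                  { Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId $m.Id; "removed $type" }
            '#microsoft.graph.passwordAuthenticationMethod'               { "kept $type (reset above)" }
            default                                                       { "REVIEW manually: $type" }
        }
    }
    # App passwords (legacy per-user MFA) are not exposed through Graph; clear them from the per-user MFA settings page.
    [pscustomobject]@{
        User = $user.UserPrincipalName; TemporaryPassword = $temp   # hand over by phone or in person, never by email
        Methods = ($methods -join '; '); CompletedUtc = (Get-Date).ToUniversalTime()
    }
}

function Reset-AppRegistrationSecret {
    param([Parameter(Mandatory)][string]$AppId)   # application (client) id of a registration the compromised account could use
    $app = Get-MgApplication -Filter "appId eq '$AppId'"
    # Issue the replacement first so dependants can be cut over, then retire every older secret
    $new = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{ DisplayName = "rotated after BEC $(Get-Date -Format yyyy-MM-dd)" }
    foreach ($old in @($app.PasswordCredentials | Where-Object { $_.KeyId -ne $new.KeyId })) {
        Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $old.KeyId
    }
    [pscustomobject]@{ App = $app.DisplayName; NewKeyId = $new.KeyId; Expires = $new.EndDateTime; SecretText = $new.SecretText }   # SecretText goes to the vault only
}

Invoke-BecCredentialRemediation -UserPrincipalName 'finance.user@example-corp.com'
Reset-AppRegistrationSecret -AppId '00000000-0000-0000-0000-000000000000'   # placeholder application id
```

The order inside `Invoke-BecCredentialRemediation` is deliberate: the password changes first so that the revocation in step 2 cannot be undone by a re-authentication with the old one, and MFA is cleared last so a method the attacker registered during step 7's timeline cannot satisfy the forced password change.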

12. Prepare Incident Report (~30m)

Compile a comprehensive incident report documenting the attack timeline, impersonation technique, financial impact, compromised accounts, attacker infrastructure, and remediation actions taken. Include recommendations for preventive controls such as anti-spoofing policies, external-email banners, payment-verification procedures, and conditional-access improvements. This report serves leadership decision-making and supports FBI IC3 or law-enforcement filings if financial losses occurred.