Playbooks
T1566, T1114, T1098, T1586Business Email Compromise Response
A response playbook for suspected business email compromise, including mailbox review, payment containment, reporting, and follow-up controls. Includes detection Event IDs, KQL/SPL queries, and triage workflows.
View on Graph
Confirm The Scenario
- Business email compromise usually abuses trust: an attacker impersonates or compromises a business email account to redirect payments, change invoice details, or pressure employees into urgent financial action.
- First determine whether the mailbox was actually compromised or only spoofed.
Spoofing vs. Account Takeover — How to Tell
| Indicator | Spoofing (no compromise) | Account Takeover (compromised) |
|---|---|---|
| SPF/DKIM/DMARC | Fails — sending server not authorized | Passes — sent from legitimate infrastructure |
| Sent Items | No evidence in Sent Items | Malicious emails appear in Sent Items |
| Inbox rules | No rule changes | Suspicious forwarding/deletion rules created |
| Sign-in logs | No unusual sign-ins from the account | Sign-in from unfamiliar IP, location, or device |
| MFA prompts | User did not receive MFA prompts | User received and may have approved unexpected MFA prompts |
| Reply chain | Email is “from” executive but Reply-To is attacker | Email is actually from the compromised account |
Detection — Event IDs and SIEM Queries
Detect Inbox Rule Creation (Event ID for Exchange/O365)
SPL query — detect suspicious inbox rules:
index=o365 sourcetype="Office365" Operation="New-InboxRule" OR Operation="Set-InboxRule"
| search Parameters IN ("*ForwardTo*", "*RedirectTo*", "*DeleteMessage*", "*MoveToFolder*", "*MarkAsRead*")
| eval alert = "HIGH — inbox rule created by " . UserId . " — " . Parameters
| table _time, UserId, ClientIPAddress, Parameters, alertKQL query (Microsoft 365 Defender) — detect inbox forwarding rules (see the KQL guide for syntax):
EmailEvents
| where Timestamp > ago(7d)
| where EmailAction != "Delivered"
| summarize ForwardingCount = count() by RecipientEmailAddress, SenderFromAddress, LatestTimestamp = max(Timestamp)
| where ForwardingCount > 5
| project RecipientEmailAddress, SenderFromAddress, ForwardingCount, LatestTimestampDetect Mailbox Access from Unusual Location
SPL query — detect mailbox login from unusual geo-location:
index=o365 sourcetype="Office365" Operation="MailboxLogin"
| iplocation ClientIPAddress
| stats count, values(Country) as Countries by UserId, ClientIPAddress
| where mvcount(Countries) > 1
| eval alert = "MAILBOX ACCESS — " . UserId . " accessed from multiple countries: " . mvjoin(Countries, ", ")
| table _time, UserId, ClientIPAddress, Countries, count, alertDetect Inbox Forwarding (Event ID E5 Audit Log)
SPL query — detect auto-forwarding rule creation:
index=o365 sourcetype=Office365 Operation="Set-Mailbox"
| search Parameters="*ForwardingSmtpAddress*"
| eval alert = "CRITICAL — mailbox forwarding enabled for " . UserId . " to " . Parameters
| table _time, UserId, ClientIPAddress, Parameters, alertContain Money And Access
Immediate Actions — Within Minutes
- Contact the financial institution immediately and request a recall or fraud hold if a transfer occurred. Speed is critical — wire recall is time-limited (often 24-72 hours).
- Secure the account — reset credentials, revoke all sessions, remove malicious forwarding or inbox rules, review and revoke OAuth app permissions, enforce MFA where missing.
- Block the attacker’s IP/domain at the email gateway and firewall.
- Preserve evidence — capture message headers, timestamps, recipient lists, payment details, and screenshots before deleting anything.
- Notify the intended recipient — confirm they did not act on the fraudulent instructions.
Credential and Session Cleanup
For a compromised O365/Exchange account:
# Revoke all refresh tokens
Revoke-AzureADUserAllRefreshToken -ObjectId user@domain.com
# Force password reset
Reset-MsolUserPassword -UserPrincipalName user@domain.com
# Remove OAuth grants
Get-AzureADUserOAuth2PermissionGrant -ObjectId user@domain.com | Remove-AzureADUserOAuth2PermissionGrant
# Check for Teams/PSTN abuse
Get-CsUserCallingSettings -Identity user@domain.comInbox Rule Check Commands
# Connect to Exchange Online
Connect-ExchangeOnline
# Check all inbox rules
Get-InboxRule -Mailbox compromised@domain.com | Format-List Name, Description, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
# Remove malicious rules
Remove-InboxRule -Mailbox compromised@domain.com -Identity "RuleName"
# Check forwarding settings
Get-Mailbox -Identity compromised@domain.com | Select ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForwardReport And Prevent Recurrence
External Reporting
- IC3 (FBI Internet Crime Complaint Center): File a report at
ic3.gov— include all evidence (emails, transaction details, communication timeline). Share indicators with MISP for community threat intel. - CISA: Notify via
report@cisa.govif it affects critical infrastructure - Financial fraud reporting: Contact your bank’s fraud department AND the recipient bank’s fraud department
Internal Actions After Containment
- Verify email authentication records: Check SPF, DKIM, DMARC configuration. Are they properly enforced (DMARC p=reject) or only monitoring?
- Review payment-change procedures: All bank detail changes should require multi-person approval and out-of-band verification (phone call to a known number).
- Educate finance staff: Conduct training on urgency-based fraud, unusual payment requests, and the importance of calling the requester on a known number before wiring funds.
- Implement compensating controls: Require dual approval for wire transfers > $X, flag emails from executives with unusual language patterns (NLP-based email security), implement payment verification workflows.
Post-Incident Review Template
| Question | Answer | Action Item |
|---|---|---|
| Spoofing or account takeover? | ||
| Was MFA enforced? | ||
| How was the initial compromise detected? | ||
| How much time between compromise and detection? | ||
| Was financial loss incurred? Amount? | ||
| Was the loss recovered? | ||
| What gaps allowed the attack? (DMARC, no MFA, weak payment process) |
Detection Summary — Key Event IDs for BEC
| Event ID / Log | What It Detects | Where to Check |
|---|---|---|
| New-InboxRule / Set-InboxRule | Suspicious inbox rule creation (forward, delete, move) | O365/Exchange Admin Audit Log |
| Set-Mailbox | Mailbox forwarding enabled | O365/Exchange Admin Audit Log |
| MailboxLogin | Mailbox access from unusual geo-location | Azure AD Sign-in Logs |
| 4624 | Windows logon from unusual account (if BEC linked to lateral movement) | Windows Security Event Log |
| 4728/4732 | Privileged group changes (BEC often leads to privilege escalation) | Windows Security Event Log |
| 4657 | Registry modification — OAuth consent registration | Windows Security + Sysmon |
| Azure AD Sign-in Event | MFA push denied flood, impossible travel | Azure AD Sign-in Logs |
Related
- Initial Access Response — detection and response for T1566, T1190, T1189, T1133 techniques
- Phishing Triage — detection and response for T1566 techniques
- Active Directory Basics — covers the active directory basics concepts
- Kill Chain — covers the kill chain concepts
- Log Sources Overview — covers the log sources overview concepts