What causes Business Email Compromise / mailbox takeover?

Phished credentials + non-FIDO MFA bypass (token theft, MFA fatigue) • OAuth illicit consent (less common in BEC, more in data theft) • Reused password from external breach

How do I resolve Business Email Compromise / mailbox takeover?

Cut off attacker access (password, MFA, sessions, rules) • Establish blast radius (recipients, financial impact) • Notify affected parties and regulators if PII involved • Implement compensating controls (FIDO2, anti-spoofing, finance verification)

How do I prevent Business Email Compromise / mailbox takeover?

FIDO2 for accounts with finance / payroll authority • DMARC at p=reject; enable anti-impersonation in Defender • Out-of-band verification for any payment detail change • Mailbox audit logging on by default • User reporting button (Report Phish) for self-defence

P1 · Cyber Incident Response

Business Email Compromise / mailbox takeover

Attacker has access to a mailbox and is sending fraudulent emails (invoice redirects, supplier impersonation). Containment + invoice protection + notification.

Indicators

User reports they can't see emails the recipient has — hidden folder rules
Replies to legitimate threads from spoof / lookalike domains
Inbox rules forwarding to external address or moving to RSS/Notes
Mail sent at unusual hours, often deleted from Sent
Customer reports fraudulent invoice with changed bank details

Likely causes

Phished credentials + non-FIDO MFA bypass (token theft, MFA fatigue)
OAuth illicit consent (less common in BEC, more in data theft)
Reused password from external breach

Diagnostic steps

Reset compromised user's password and revoke all sessions: Revoke-MgUserSign-InSession (Graph) or 'Sign out from all sessions' in admin portal
Re-enrol MFA from clean device — kill any rogue authenticator entries
Audit and remove malicious inbox rules: Get-InboxRule -Mailbox <user>; document before deleting
Check Sent / Deleted / RSS / Conversation History for the attacker's outbound emails. Recover via single-item recovery if within retention
Notify any recipients of attacker emails — especially suppliers / customers receiving fake invoice
Customer or supplier already paid attacker bank details? Notify Action Fraud and the customer's bank within hours

Resolution path

Cut off attacker access (password, MFA, sessions, rules)
Establish blast radius (recipients, financial impact)
Notify affected parties and regulators if PII involved
Implement compensating controls (FIDO2, anti-spoofing, finance verification)

Prevention

FIDO2 for accounts with finance / payroll authority
DMARC at p=reject; enable anti-impersonation in Defender
Out-of-band verification for any payment detail change
Mailbox audit logging on by default
User reporting button (Report Phish) for self-defence

Tools

Exchange admin centre — Audit log search, Message trace
PowerShell ExchangeOnlineManagement: Get-InboxRule, Get-MailboxAuditLogs
Entra portal — Revoke sessions, MFA registration audit
Microsoft Defender for Office 365 — submissions and threat explorer

References

NCSC — Phishing and BEC guidance
Action Fraud — UK reporting
Microsoft Learn — Respond to a compromised email account

becmailbox-compromisephishingexchange-onlinefraud