AD6.4 Business Email Compromise Response

BEC indicators during investigation

When you execute AD6.2 for a compromised account, check for these BEC-specific indicators:

Inbox rules targeting financial terms. Rules forwarding emails matching "invoice," "payment," "wire," "transfer," "bank," "account," or specific vendor names. These rules route financial communications to the attacker while hiding them from the user.

Connect-ExchangeOnline
$user = "r.williams@northgateeng.com"

# Check for financial-keyword inbox rules
Get-InboxRule -Mailbox $user | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
} | Select-Object Name, @{N="Forward";E={$_.ForwardTo}},
    @{N="Redirect";E={$_.RedirectTo}},
    @{N="Delete";E={$_.DeleteMessage}},
    @{N="Conditions";E={$_.SubjectContainsWords -join ", "}} | Format-List

Sent emails from the compromised mailbox. Check whether the attacker sent emails impersonating the user. Common BEC patterns: emails to finance requesting urgent payment changes, emails to vendors requesting bank detail updates, emails to clients redirecting payment to new accounts.

# Check sent emails during the compromise period
Get-MessageTrace -SenderAddress $user `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Where-Object { $_.RecipientAddress -notmatch "@northgateeng.com" } |
    Select-Object Received, RecipientAddress, Subject | Format-Table -AutoSize

Look for external emails sent during the compromise window — especially to finance departments, accounting firms, or vendors. If the attacker sent emails from the compromised mailbox, the recipients believe those emails are from the legitimate user.

Read activity during non-business hours. Check the mailbox audit log for email read activity during the attacker's session:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -UserIds $user -Operations "MailItemsAccessed" -ResultSize 100 |
    Select-Object CreationDate, Operations,
        @{N="ClientIP";E={($_.AuditData | ConvertFrom-Json).ClientIPAddress}} |
    Format-Table -AutoSize

BEC-specific response steps (in addition to AD6.2)

After completing the 5-step AD6.2 procedure, execute these additional BEC steps:

Step 6 — Notify finance team. Contact your finance director or accounts payable team immediately: "User [name]'s email was compromised. The attacker may have read financial communications and may attempt to redirect payments. Do not process any payment changes received via email from [name] or from vendors — verify all payment changes by phone using known contact numbers (not numbers from the email)."

This notification is urgent because the attacker may have already sent a payment redirect email that's sitting in the finance team's inbox waiting to be processed. The notification needs to reach finance BEFORE they act on any suspicious payment instruction.

Step 7 — Identify forwarded emails. Check message trace to determine which emails were forwarded to the attacker's external address:

# Find emails forwarded by the inbox rule
Get-MessageTrace -SenderAddress $user `
    -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) |
    Where-Object { $_.RecipientAddress -match "external-attacker@" } |
    Select-Object Received, Subject, RecipientAddress | Format-Table -AutoSize

Each forwarded email tells you what the attacker knows: vendor names, invoice amounts, payment schedules, bank details. This is the data the attacker uses to craft the payment redirect request.

Step 8 — Notify affected vendors and clients. If forwarded emails contained vendor invoices, bank details, or payment instructions, notify those vendors: "Our email system was compromised. If you receive any payment change requests or bank detail updates from us, verify by calling [phone number] before processing." This prevents the attacker from using the stolen information to redirect payments from the vendor's side.

Step 9 — Check for sent fraud emails. Review the sent items and message trace for emails the attacker sent from the compromised mailbox. If the attacker sent a payment redirect email to your finance team or to a vendor, that email is the active fraud attempt — it needs to be communicated to the recipients immediately as fraudulent.

Step 10 — Legal and law enforcement. If financial fraud occurred (money was transferred), contact legal counsel immediately. Report to Action Fraud (UK) at actionfraud.police.uk or call 0300 123 2040. If the transfer happened within 24-48 hours, contact the bank urgently — some transfers can be frozen or recalled if reported quickly.

The finance team notification template

When you notify your finance team, be specific and actionable. Don't send a vague "be careful" message — provide exactly what to look for:

Template (email or Teams to Finance Director):

"URGENT — Security Incident Notification

User [name]'s email account was compromised between [date] and [date]. During this period, the attacker had access to emails including vendor invoices and payment communications.

Immediate action required:

• Do NOT process any payment changes, bank detail updates, or invoice modifications received via email from [user name] or from our vendors during the last [X] days without phone verification
• If you have already processed a payment change or bank detail update in the last [X] days, contact me immediately — the change may be fraudulent
• Verify all payments over £[threshold] by calling the vendor directly using phone numbers from your existing records (not from the email)

What was accessed:

• [X] vendor invoices were forwarded to an external address
• Vendors affected: [vendor names]
• Bank details visible: [yes/no]

I will provide a full incident report by [time]. If you have questions, call me at [phone]."

This notification gives finance everything they need: what happened, what to do, what to watch for, and how to verify. The call to action is clear and specific — not a general warning.

The vendor notification call script

Call (don't email) each affected vendor:

"Hello, this is [your name] from Northgate Engineering. I'm calling because our email system was briefly compromised, and we believe that some of our email correspondence with you — including invoices — may have been accessed by an unauthorized party. We have secured our systems.

I'm calling to warn you: if you receive any email from us requesting a change to our bank details or payment instructions, please verify by calling this number before making any changes. Our legitimate bank details are [confirm or offer to verify separately].

Additionally, your bank details from invoices you sent to us may have been exposed. We recommend you watch for any unusual activity on the account referenced in those invoices.

I apologise for the inconvenience. If you have any questions, please call me directly at [phone]."

This call takes 3 minutes per vendor. For 5 affected vendors, that's 15 minutes — a small investment to prevent a £50,000 payment redirect. Call all affected vendors within 4 hours of confirming the BEC.

Insurance considerations

If your organization has cyber insurance, notify the insurer as part of the BEC response. Most cyber insurance policies require notification within 48-72 hours of discovering a covered event. BEC with financial loss is typically a covered event. Even without financial loss, the compromise itself may trigger notification requirements under the policy.

Check your cyber insurance policy for: notification contact details, notification timeframe, what constitutes a "covered event," and what documentation is required. Include "check cyber insurance notification requirements" as a step in your escalation process.

The vendor notification call script

When calling vendors whose invoices were forwarded, use this script:

"Hi [vendor contact], this is [your name] from Northgate Engineering. I'm calling about a security matter. Our email system was recently compromised, and we've identified that some emails between us — including invoices — may have been accessed by an unauthorized party. This means someone outside our organization may have seen your bank details and invoice information. I want to warn you: if you receive any email from us requesting changes to payment details, bank accounts, or payment methods, please verify by calling us directly at [your known number] before making any changes. The attacker may use the information they obtained to send fraudulent payment requests. Our IT team has contained the incident and secured the affected account. I'm calling each affected vendor directly to ensure you're aware and protected."

This call takes 3 minutes per vendor. For 5 affected vendors, that's 15 minutes. The call prevents the attacker from using the stolen invoice data to redirect the vendor's payments — which is the attacker's ultimate goal and the financial loss you're trying to prevent.

Building the payment verification procedure

After a BEC incident, implement a standing payment verification procedure with your finance team:

The rule: Any request to change payment details — bank account, sort code, routing number — for any vendor or employee must be verified by phone before processing. The verification call must use a phone number from the organization's contact database — NOT a phone number from the email requesting the change (the attacker may include their own phone number in the fraud email).

Implementation: Send this to the finance director and accounts payable team: "Following the recent security incident, we're implementing a mandatory payment verification procedure. All payment detail changes received via email must be verified by a phone call to the requesting party before processing. Use the phone number in our vendor database — not the number in the email. This applies to: new vendor bank details, changes to existing vendor bank details, changes to employee payment details, and any urgent or unusual payment requests."

This procedural control costs nothing, takes 2 minutes per verification, and prevents the specific financial fraud that BEC is designed to achieve. Many organizations only implement this procedure AFTER losing money to a BEC fraud — implementing it proactively (or immediately after a BEC attempt) is significantly cheaper.