Module 13: Investigating BEC and Financial Fraud
Business email compromise causes more financial damage than ransomware. The FBI’s IC3 reports BEC losses exceeding $2.7 billion annually in the US alone — dwarfing every other cybercrime category. The attack does not require malware, does not trigger endpoint alerts, and often leaves no trace in security tools until the money is gone. It is a human-targeted attack executed entirely through legitimate email functionality.
Module 12 taught you to investigate AiTM credential phishing — the initial access technique that frequently enables BEC. This module picks up where the attacker left off: they have a compromised mailbox, they are reading email, and they are preparing to steal money.
The scenario in this module is based on real BEC patterns observed in production M365 environments. The attacker compromises an Accounts Payable clerk’s mailbox, monitors vendor payment threads, creates inbox rules to intercept replies, and sends a fraudulent payment diversion email impersonating a legitimate vendor. Every investigation step, every KQL query, and every containment action is drawn from operational experience.
What you will build during this module
BEC Investigation Playbook. Step-by-step decision tree from initial alert through email thread analysis, financial impact assessment, containment, evidence preservation for law enforcement, and reporting. Binary decision points: “if the payment was sent, do X; if intercepted, do Y.”
6 BEC Detection Rules. KQL analytics rules covering: inbox rule creation with keyword targeting, mail forwarding to external address, email thread hijacking (reply from different IP), mass email read from non-corporate IP, mail item deletion (evidence destruction), and the BEC attack chain sequence.
Financial Fraud Response Checklist. Steps for engaging the bank, law enforcement notification thresholds, evidence preservation requirements, and internal communication templates. Includes jurisdictional considerations for cross-border payments.
BEC-Adapted IR Report Template. The M11 IR report template modified for BEC-specific sections: financial impact assessment, payment recovery status, and law enforcement coordination.
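To make the first of those six rules concrete, here is an added illustration (not one of the module's own rules) of the "inbox rule creation with keyword targeting" detection. It assumes the Microsoft Sentinel OfficeActivity table for Exchange audit events, where Parameters is a JSON array of {Name, Value} pairs; the keyword list and folder names are constructed and should be tuned to the tenant.

```kql
// Added example: flag New-InboxRule / Set-InboxRule events whose filter targets
// payment vocabulary and whose action hides the matching mail from the mailbox owner.
// Assumes the Sentinel OfficeActivity (Exchange) schema; keyword list is constructed.
let lookback = 1d;
let FinancialKeywords = dynamic(["invoice", "payment", "wire", "remittance", "bank",
                                 "account", "swift", "iban", "overdue", "transfer"]);
// Folders attackers commonly use as a hiding place (constructed list, tune per tenant)
let HidingFolders = dynamic(["RSS Subscriptions", "RSS Feeds", "Archive", "Junk Email",
                             "Deleted Items", "Conversation History"]);
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule")
// Parameters is an array of {Name, Value}; flatten it into one property bag per event
| extend ParamArray = parse_json(Parameters)
| mv-expand Param = ParamArray
| extend PName = tostring(Param.Name), PValue = tostring(Param.Value)
| summarize RuleParams = make_bag(bag_pack(PName, PValue))
    by TimeGenerated, UserId, ClientIP, Operation, OfficeObjectId
| extend RuleName           = tostring(RuleParams.Name),
         SubjectFilter      = tostring(RuleParams.SubjectContainsWords),
         BodyFilter         = tostring(RuleParams.BodyContainsWords),
         SubjectOrBodyFilter = tostring(RuleParams.SubjectOrBodyContainsWords),
         FromFilter         = tostring(RuleParams.From),
         MoveTo             = tostring(RuleParams.MoveToFolder),
         DeleteMsg          = tostring(RuleParams.DeleteMessage),
         MarkRead           = tostring(RuleParams.MarkAsRead)
| extend FilterText = strcat(SubjectFilter, " ", BodyFilter, " ", SubjectOrBodyFilter)
// Condition 1: the rule's filter targets payment/vendor vocabulary
| where FilterText has_any (FinancialKeywords)
// Condition 2: the rule's action keeps the victim from seeing the thread
| where DeleteMsg =~ "True" or MarkRead =~ "True" or MoveTo in~ (HidingFolders)
| extend HidingAction = case(DeleteMsg =~ "True", "delete",
                             isnotempty(MoveTo),  strcat("move:", MoveTo),
                             "mark-read")
// Entity fields for the analytics rule's account/IP mapping
| extend AccountName = tostring(split(UserId, "@")[0]),
         AccountUPNSuffix = tostring(split(UserId, "@")[1])
| project TimeGenerated, UserId, AccountName, AccountUPNSuffix, ClientIP, Operation,
          RuleName, FilterText, FromFilter, HidingAction
```

A Set-InboxRule hit on a rule that already existed is worth the same triage as a new one, since attackers often edit a benign rule rather than create a conspicuous new one.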
Prerequisites
Complete Modules 1 (Defender XDR), 6 (KQL), 9 (detections), and 12 (AiTM investigation). Module 12 covers the initial access and credential compromise investigation that typically precedes BEC. This module assumes the mailbox is already compromised and focuses on the post-compromise financial fraud investigation.
MITRE ATT&CK techniques covered
T1114.003 (Email Collection: Email Forwarding Rule), T1114.002 (Email Collection: Remote Email Collection), T1534 (Internal Spearphishing), T1036 (Masquerading), T1565.003 (Data Manipulation: Runtime Data Manipulation), T1070.008 (Indicator Removal: Clear Mailbox Data).
Compliance mapping
NIST CSF: RS.AN-1 (Investigations are conducted), RS.AN-2 (The impact of the incident is understood), RS.MI-1 (Incidents are contained). ISO 27001: A.5.24 (Incident management planning), A.5.25 (Assessment and decision on security events), A.5.26 (Response to incidents). SOC 2: CC7.3 (Evaluate security events), CC7.4 (Respond to incidents).
How this module is structured
12.1 — Understanding BEC Attack Mechanics. BEC taxonomy (5 types), the financial fraud kill chain, why BEC bypasses technical controls, and the indicators that distinguish BEC from standard phishing.
12.2 — Incident Briefing: INC-2026-0315-002. The scenario: an Accounts Payable clerk’s compromised mailbox is used to divert a £47,000 vendor payment. What triggered the investigation and what you know at the start.
12.3 — Mailbox Compromise Assessment. Determining how the attacker gained access, what they read, and what persistence mechanisms they established.
12.4 — Email Thread Analysis. Reconstructing the attacker’s reconnaissance: which email threads they monitored, which vendors they targeted, and how they prepared the fraud.
12.5 — The Fraudulent Email. Analysing the payment diversion email: thread hijacking technique, sender spoofing method, invoice manipulation, and the social engineering approach.
12.6 — Financial Impact Assessment. Determining whether the payment was sent, the recovery window, and the total financial exposure.
12.7 — Containment and Evidence Preservation. Containing the compromised mailbox while preserving evidence for potential law enforcement referral.
12.8 — Law Enforcement and Banking Coordination. When and how to involve law enforcement, bank fraud teams, and legal counsel. Jurisdictional thresholds and reporting timelines.
12.9 — Eradication. Removing persistence mechanisms specific to BEC: inbox rules, forwarding, delegate permissions, and OAuth consents.
12.10 — Detection Engineering. 6 deployable KQL analytics rules for BEC detection.
12.11 — Hardening Against BEC. Post-incident controls: external email tagging, inbox rule restrictions, payment verification procedures, and security awareness targeting.
12.12 — Module Assessment. 20 scenario-based questions testing BEC investigation and financial fraud response decisions.