13.7 Containment and Evidence Preservation

4-6 hours · Module 13


BEC containment has a unique requirement: evidence preservation for potential law enforcement referral. Unlike AiTM containment (M12.7) where the priority is cutting attacker access as fast as possible, BEC containment must balance speed with forensic integrity. If the case goes to law enforcement, they need the evidence chain intact.

Required role: User Administrator (password reset), Authentication Administrator (token revocation), Exchange Administrator (mailbox actions).


Action 1: Revoke tokens and reset password

Same procedure as M11.7 Actions 1 and 2. Execute for a.patel and any other confirmed compromised accounts.

Blast radius: a.patel loses all active sessions. Must re-authenticate on all devices. Per-user.

Rollback: Not reversible. User re-authenticates with new password.

Verify: SigninLogs | where TimeGenerated > ago(30m) | where UserPrincipalName == "a.patel@northgateeng.com" | where IPAddress !in ("192.0.2.10", "192.0.2.15") — should return zero rows.


Action 2: Preserve the mailbox before eradication

Before removing inbox rules, forwarding, or deleting the fraudulent email: place the mailbox on litigation hold. This preserves all content — including items the attacker may delete during eradication.

# PowerShell: place mailbox on litigation hold
Set-Mailbox -Identity "a.patel@northgateeng.com" -LitigationHoldEnabled $true -LitigationHoldDuration 365

Blast radius: The user can continue using their mailbox normally. Litigation hold operates silently — the user does not see any change. Deleted items are preserved in a hidden Recoverable Items folder. Per-mailbox. No user-facing impact.

Cost impact: Litigation hold increases mailbox storage usage because deleted items are retained. For E5 licensing: no additional cost (unlimited archiving). For lower tiers: monitor mailbox size.

Rollback: Set-Mailbox -Identity "a.patel@northgateeng.com" -LitigationHoldEnabled $false

Why this matters for BEC: If law enforcement pursues the case, they may request an eDiscovery export of the mailbox. Litigation hold ensures that even if the attacker (or the user, or IT) deletes emails during cleanup, the originals are preserved. Without it, the fraudulent email thread — your primary evidence — could be permanently lost.

Compliance mapping: NIST CSF RS.AN-1 (Investigations are conducted). ISO 27001 A.5.28 (Collection of evidence). SOC 2 CC7.4 (Response to incidents). Evidence preservation is a compliance requirement, not an optional step.


Action 3: Export the evidence

Before eradication, export the key evidence:

# PowerShell: export the fraudulent email thread via Compliance Search
New-ComplianceSearch -Name "BEC-INC-2026-0315-002" -ExchangeLocation "a.patel@northgateeng.com" -ContentMatchQuery 'subject:"MP-2026-0847" OR subject:"Updated Bank Details"'
Start-ComplianceSearch -Identity "BEC-INC-2026-0315-002"
# After the search completes:
New-ComplianceSearchAction -SearchName "BEC-INC-2026-0315-002" -Export -Format FxStream

What to export: The complete email thread between a.patel and Meridian (legitimate + fraudulent), the inbox rules (screenshot or PowerShell export), and the sign-in log evidence (bookmarks from the investigation).

Store exports in a secure location — not in the compromised mailbox. Use a SharePoint site with restricted access or a local encrypted drive.
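The two actions above are one procedure: confirm the hold, snapshot the inbox rules (they are evidence and are about to be deleted), then search and export. The script below is an added example of that sequence and is not part of the module; it assumes an open Connect-ExchangeOnline session (Set-Mailbox, Get-Mailbox, Get-InboxRule) and an open Connect-IPPSSession session (New-ComplianceSearch, Get-ComplianceSearch, Start-ComplianceSearch, New-ComplianceSearchAction). The mailbox list, incident id and content query reuse the module's values; the evidence path and the chain-of-custody log name are hypothetical.

```powershell
# Added example, not the module's own code. Hold first, export second, and
# refuse to continue if the hold cannot be confirmed.
param(
    [string[]] $Mailboxes    = @("a.patel@northgateeng.com"),
    [string]   $IncidentId   = "BEC-INC-2026-0315-002",
    [string]   $ContentQuery = 'subject:"MP-2026-0847" OR subject:"Updated Bank Details"',
    [string]   $EvidenceRoot = "C:\Evidence"   # hypothetical: an encrypted volume, never the tenant mailbox
)

$caseDir = Join-Path $EvidenceRoot $IncidentId
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null
$custodyLog = Join-Path $caseDir "chain-of-custody.log"

function Write-Custody([string] $Message) {
    # One UTC-timestamped line per action, recorded next to the exports it describes.
    "$((Get-Date).ToUniversalTime().ToString('o')) $env:USERNAME $Message" | Add-Content -Path $custodyLog
}

foreach ($mbx in $Mailboxes) {
    # 1. Litigation hold. Nothing is removed from the mailbox until this is confirmed.
    Set-Mailbox -Identity $mbx -LitigationHoldEnabled $true -LitigationHoldDuration 365
    $state = Get-Mailbox -Identity $mbx | Select-Object LitigationHoldEnabled, LitigationHoldDate, LitigationHoldDuration
    if (-not $state.LitigationHoldEnabled) {
        throw "Litigation hold not confirmed on $mbx; stop before any eradication step."
    }
    Write-Custody "Litigation hold confirmed on $mbx (since $($state.LitigationHoldDate), duration $($state.LitigationHoldDuration))"

    # 2. Snapshot the inbox rules as they exist now, with a hash so the file can be
    #    shown unchanged later. This is the record of the attacker's method.
    $safeName  = $mbx -replace '[^a-zA-Z0-9.@-]', '_'
    $rulesFile = Join-Path $caseDir "inboxrules-$safeName.json"
    Get-InboxRule -Mailbox $mbx |
        Select-Object Name, Enabled, Priority, Description, ForwardTo, RedirectTo,
                      DeleteMessage, MoveToFolder, SubjectContainsWords, FromAddressContainsWords |
        ConvertTo-Json -Depth 4 | Set-Content -Path $rulesFile -Encoding UTF8
    $hash = (Get-FileHash -Path $rulesFile -Algorithm SHA256).Hash
    Write-Custody "Exported inbox rules for $mbx to $rulesFile sha256=$hash"
}

# 3. One compliance search across every held mailbox, polled until it finishes,
#    then the FxStream export action.
New-ComplianceSearch -Name $IncidentId -ExchangeLocation $Mailboxes -ContentMatchQuery $ContentQuery | Out-Null
Start-ComplianceSearch -Identity $IncidentId
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $IncidentId
} while ($search.Status -notin @("Completed", "Failed"))

if ($search.Status -ne "Completed") {
    throw "Compliance search $IncidentId ended with status $($search.Status); no export was created."
}
Write-Custody "Compliance search $IncidentId completed: $($search.Items) items, size $($search.Size)"

New-ComplianceSearchAction -SearchName $IncidentId -Export -Format FxStream | Out-Null
Write-Custody "Export action queued for $IncidentId; download it with the compliance portal export tool"
```

The throw after the hold check is the point of the script: eradication steps should not be reachable from the same runbook until the hold state has been read back from the service, not just requested. The custody log and the hash of the rules export are what you hand over with the FxStream package if the case is referred.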


Action 4: Block the attacker’s email infrastructure

If the fraudulent email came from a lookalike domain: block the domain in the Exchange Online tenant anti-spam policy.

# PowerShell: block the lookalike domain
Set-HostedContentFilterPolicy -Identity "Default" -BlockedSenderDomains @{Add="meridian-precisi0n.co.uk"}

Blast radius: All future email from the blocked domain is quarantined. No impact on email from other domains. Tenant-wide for the specified domain.

Rollback: Set-HostedContentFilterPolicy -Identity "Default" -BlockedSenderDomains @{Remove="meridian-precisi0n.co.uk"}

If the fraudulent email came from the real vendor domain (vendor compromise): do NOT block the vendor’s legitimate domain. Instead: notify the vendor that their email may be compromised, and implement a transport rule that flags emails from the vendor domain containing financial keywords for manual review until the vendor confirms their email is secure.

Subsection artifact: The containment action sequence with evidence preservation steps. This is the containment section of your BEC investigation playbook — distinct from the AiTM containment in M11 because of the evidence preservation requirement.


Knowledge check


BEC-specific containment considerations

BEC containment differs from AiTM containment in two critical ways:

1. Evidence preservation comes before eradication. In AiTM containment (Module 12.7), the priority is cutting the attacker’s access as fast as possible. In BEC containment, you must preserve evidence before cleanup because: the fraudulent email thread is the primary evidence for bank fraud recovery claims, law enforcement needs the original email headers for investigation, and the inbox rules (which you are about to delete) are evidence of the attacker’s methodology.

Sequence: Revoke tokens → reset password → place mailbox on litigation hold → THEN begin eradication. Never eradicate before hold.

2. The attacker may not have direct mailbox access. If the fraudulent email came from a lookalike domain (not the compromised mailbox), the attacker never had access to a.patel’s mailbox. In this case: there are no tokens to revoke, no inbox rules to remove, and no persistence mechanisms to eradicate. The containment focuses on: blocking the lookalike domain, notifying the vendor, and hardening the email authentication configuration.

Decision tree:

Mailbox compromised (attacker sent from inside) → Full containment: token revocation + password reset + litigation hold + eradication of persistence mechanisms.

Mailbox NOT compromised (lookalike domain or vendor compromise) → Targeted containment: block the spoofed domain + notify the vendor + update email authentication policies. No token revocation or password reset needed for the targeted user.

Vendor email compromised → Notify the vendor. They must contain their own environment. Apply heightened scrutiny to all email from the vendor domain until they confirm containment.
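Action 4 and the two "mailbox NOT compromised" branches of the decision tree above both come down to one choice: quarantine an attacker-owned domain, or keep a legitimate vendor domain flowing while a human reviews anything that sounds like a payment change. The script below is an added example of those two branches and is not the module's own code; it assumes an open Connect-ExchangeOnline session. The lookalike domain and incident id are the module's; the vendor's real domain, the reviewer mailbox and the keyword list are hypothetical placeholders.

```powershell
# Added example, not the module's own code. Targeted containment when the
# attacker never had access to the mailbox.
param(
    [Parameter(Mandatory)]
    [ValidateSet("Lookalike", "VendorCompromise")]
    [string] $Scenario,
    [string] $LookalikeDomain = "meridian-precisi0n.co.uk",
    [string] $VendorDomain    = "vendor-domain.example",       # placeholder: the vendor's real domain
    [string] $Reviewer        = "ap-review@northgateeng.com",  # placeholder: the person who approves held mail
    [string] $IncidentId      = "BEC-INC-2026-0315-002"
)

# Wording a payment-diversion lure tends to carry; tune to your own vendor traffic.
$financialKeywords = @("bank details", "account number", "sort code", "IBAN", "remittance", "wire", "updated invoice")

switch ($Scenario) {
    "Lookalike" {
        # Attacker-owned domain: nothing legitimate arrives from it, so quarantine it tenant-wide
        # and read the policy back to confirm the entry landed.
        Set-HostedContentFilterPolicy -Identity "Default" -BlockedSenderDomains @{Add = $LookalikeDomain}
        $blocked = (Get-HostedContentFilterPolicy -Identity "Default").BlockedSenderDomains | ForEach-Object { "$_" }
        if ($blocked -notcontains $LookalikeDomain) {
            throw "Block for $LookalikeDomain is not present in the Default policy"
        }
        Write-Output "All mail from $LookalikeDomain is now quarantined."
        Write-Output "Rollback: Set-HostedContentFilterPolicy -Identity Default -BlockedSenderDomains @{Remove='$LookalikeDomain'}"
    }
    "VendorCompromise" {
        # Legitimate domain: do not block it. Route financial-sounding mail to a reviewer
        # for approval and send an incident report, until the vendor confirms containment.
        $ruleName = "$IncidentId vendor review $VendorDomain"
        New-TransportRule -Name $ruleName `
            -SenderDomainIs $VendorDomain `
            -SubjectOrBodyContainsWords $financialKeywords `
            -ModerateMessageByUser $Reviewer `
            -GenerateIncidentReport $Reviewer `
            -IncidentReportContent Sender, Recipients, Subject, RuleDetection `
            -Comments "Temporary: vendor reported compromised. Remove once the vendor confirms containment." `
            -Mode Enforce | Out-Null
        Write-Output "Mail from $VendorDomain containing financial wording is held for approval by $Reviewer."
        Write-Output "Rollback: Remove-TransportRule -Identity '$ruleName'"
    }
}
```

The vendor branch is deliberately a transport rule rather than a block: the vendor still has to be able to send invoices, and the reviewer sees exactly which message matched which keyword in the incident report. The rule's Comments field carries its removal condition so that whoever audits transport rules later knows why it exists.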

// Verify containment: no new activity from attacker infrastructure
// Run every 30 minutes for the first 4 hours after containment
union
    (SigninLogs | where UserPrincipalName == "a.patel@northgateeng.com"
        | where IPAddress !in ("192.0.2.10", "192.0.2.15")
        | where TimeGenerated > ago(30m)
        | project TimeGenerated, Source = "SignIn", Detail = IPAddress),
    (CloudAppEvents | where AccountDisplayName == "Anika Patel"
        | where ActionType in ("New-InboxRule", "Set-InboxRule", "HardDelete")
        | where TimeGenerated > ago(30m)
        | project TimeGenerated, Source = "Mailbox", Detail = ActionType)
| order by TimeGenerated desc

If results appear after containment: a persistence mechanism was missed, or the attacker has a secondary access path. Escalate to full account disable.

Check your understanding

1. Why do you place the mailbox on litigation hold BEFORE removing the attacker's inbox rules?

Litigation hold preserves all mailbox content — including items that may be deleted during eradication or by the attacker. If law enforcement pursues the case, they need the original fraudulent email, the inbox rules, and the email thread intact. Without litigation hold, eradication actions (removing rules, deleting the fraudulent email) permanently destroy evidence. Hold first, clean up second.
To prevent the user from deleting emails
Litigation hold is always required for containment
To increase mailbox storage