13.12 Check My Knowledge

4-6 hours · Module 13

Module 13 — Check My Knowledge (20 questions)

1. What is the primary financial motivation behind BEC attacks?

Direct financial theft through fraudulent payment diversion, invoice manipulation, or wire transfer fraud. BEC causes more financial damage than ransomware globally because it exploits trusted business processes rather than technical vulnerabilities — and the proceeds are cash, not cryptocurrency.
Data theft for sale on the dark web
Ransomware deployment
Reputational damage

2. A BEC email contains no malicious URLs or attachments. Why does Defender for Office 365 not detect it?

Defender detects malicious content — URLs, attachments, phishing patterns. BEC emails contain none of these. They are legitimate emails discussing real transactions with the only malicious element being a changed bank account number. Detection requires behavioural analysis, not content scanning.
Defender was not configured properly
The email was encrypted
BEC is always detected by Safe Links

3. The CFO reports a suspicious payment at 14:23. The payment was sent 36 hours ago. What is your first action?

Contact the bank fraud team immediately to request payment recall. At 36 hours, the recovery window is still open. Provide payment details — the bank does not need the full investigation. Technical investigation proceeds in parallel.
Investigate the sign-in logs first
Reset the user's password
Complete the full investigation before contacting the bank

4. An inbox rule targets emails containing "invoice," "payment," and "bank." What is the attacker's objective?

Intercept vendor replies about payment details. When the real vendor replies confirming the original (legitimate) bank details, the rule hides it from the user — preventing them from seeing the contradiction with the fraudulent bank details the attacker sent.
To organise the user's inbox
To forward marketing emails
To delete spam

5. You find the fraudulent email domain is meridian-precisi0n.co.uk (zero instead of 'o'). SPF passes. Is the email legitimate?

No. Lookalike domain. The attacker registered the domain and configured DNS correctly — SPF passes for their domain. Authentication verifies domain ownership, not legitimacy. Character-by-character domain comparison is the detection method.
Yes — SPF pass confirms legitimacy
Need to check DMARC alignment
DKIM would catch it

6. Why do you place the mailbox on litigation hold before eradication?

Evidence preservation. If law enforcement pursues the case, they need the fraudulent email, inbox rules, and thread intact. Without hold, eradication destroys the evidence permanently. Hold first, clean second.
To prevent the user from sending email
Litigation hold is required by Sentinel
To increase mailbox quota

7. You remove all malicious inbox rules and forwarding from the compromised mailbox. Is eradication complete?

No. The fraudulent vendor bank details remain in the finance system. If the next payment to that vendor is processed without reverting the bank details, it goes to the attacker. BEC eradication includes business process actions — not just technical cleanup.
Yes — the technical eradication is complete
Only if MFA was re-registered
The finance system is not a security concern

8. What is the most effective single control to prevent vendor payment diversion BEC?

Verbal verification policy: any vendor bank detail change must be confirmed via phone call to a known number from the vendor master file (not from the email). This breaks the fraud execution regardless of whether technical controls fail. Cost: £0. Implementation: policy document + training.
External email warning banner
Better spam filtering
Blocking all external email

9. Thread hijacking means the attacker:

Replies within an existing email thread, making the fraudulent email appear as a natural continuation of a conversation the recipient is already engaged in. The recipient sees it in context of a trusted, ongoing thread — reducing scrutiny of the content.
Creates a new email thread with the same subject line
Forwards the entire thread to an external address
Deletes the original thread and replaces it

10. What is the payment recovery window for a UK domestic wire transfer?

Typically 24-72 hours. Within 24 hours: high recovery probability via payment recall. 24-72 hours: moderate probability. Beyond 72 hours: low probability as the attacker moves funds through multiple accounts. Contact the bank fraud team immediately upon confirming the payment was fraudulent.
30 days
7 days
There is no recovery window

11. When should you report a BEC incident to UK law enforcement?

Report all BEC incidents involving financial loss to Action Fraud. The crime reference number is needed for insurance claims and bank recovery processes. If personal data was accessed, assess GDPR notification to the ICO within 72 hours. Report significant incidents to the NCSC.
Only if the loss exceeds £100,000
Only if the attacker is identified
Law enforcement is not involved in BEC

12. You deploy external email banners and block external forwarding. Is BEC prevention complete?

No. Technical controls reduce the attack surface but cannot prevent all BEC. A BEC email from a compromised internal mailbox does not display the external banner. The attacker can use alternative persistence methods. Process controls (verbal verification, dual authorisation) are the definitive BEC prevention layer. Technical + process together.
Yes — these two controls cover BEC
Only if Safe Links is also configured
Add more detection rules instead

13. The investigation reveals the attacker read 500+ emails over 2 weeks. What does this indicate?

Deep reconnaissance. The attacker studied the victim's email to identify: vendor relationships, payment schedules, transaction amounts, approval processes, and communication styles. This level of reconnaissance enables highly convincing BEC — the attacker knows the correct invoice numbers, amounts, and contact names. The 2-week dwell time also means other vendor threads may have been targeted.
The user just has a lot of email
Automated email backup
Only the Meridian thread was targeted

14. What artifacts should you have after completing this module?

Four artifacts: (1) BEC investigation playbook — decision tree from alert to closure. (2) 6 BEC detection rules — deployable KQL analytics rules. (3) Financial fraud response checklist — bank contact, law enforcement, evidence preservation steps. (4) BEC hardening checklist — technical and process controls with blast radius and GRC mapping.
A certificate of completion
Notes from the module
A list of KQL queries

15. How does BEC investigation differ from AiTM investigation (Module 12)?

AiTM focuses on initial access and credential compromise (phishing → token capture → token replay). BEC focuses on what the attacker does with compromised access (mailbox reconnaissance → thread monitoring → financial fraud). BEC adds unique requirements: financial impact assessment, payment recovery coordination, law enforcement engagement, evidence preservation for prosecution, and business process hardening. The investigation timeline is driven by the payment recovery window, not the containment window.
BEC is easier to investigate
They are the same investigation type
BEC does not require technical investigation

16. The investigation reveals an eradication gap from Module 12 — an inbox rule from the February AiTM attack was not removed. What does this tell you?

The M11 eradication verification checklist was not fully completed. The inbox rule persisted for 3 weeks — silently intercepting payment-related emails and enabling the BEC. This validates the verification checklist approach: every eradication action must be verified, not assumed. The PIR action item: enforce the eradication verification checklist and add a 7-day follow-up check for all future incidents.
Module 12 was a different incident
Inbox rules cannot persist for 3 weeks
The rule was created by the user

17. Rule 2 (Email Thread Reply from Different IP) detects what BEC technique?

Thread hijacking. The attacker replies in an existing email thread, but the reply originates from a different IP than the legitimate sender used in previous messages. This is a BEC-specific detection — a reply appearing in a trusted thread from infrastructure that does not match the sender's historical pattern.
Domain spoofing
Credential phishing
MFA bypass

18. The vendor confirms they did NOT send the bank detail change email. What does this mean?

The attacker spoofed or used a lookalike domain to impersonate the vendor — OR sent the email from the compromised internal mailbox manipulating the headers. The email did not originate from the vendor's infrastructure. Check: was the email sent from a.patel's mailbox (internal compromise), from a lookalike domain (external spoofing), or from a completely different address with display name manipulation?
The vendor is lying
The email was deleted from the vendor's sent folder
No further investigation needed

19. What is the complete BEC investigation cycle demonstrated in this module?

Alert → Financial impact assessment (payment status, bank contact) → Mailbox compromise assessment → Email thread analysis → Fraudulent email analysis → Containment with evidence preservation → Law enforcement coordination → Eradication (technical + business process) → Detection engineering → Hardening (technical + process controls). The financial recovery urgency drives the sequence — bank contact before technical investigation.
Alert → Investigate → Contain → Close
Detect → Report → Forget
Same as AiTM investigation

20. Dual authorisation for payments above £10,000 maps to which compliance control?

ISO 27001 A.5.3 (Segregation of duties) and SOC 2 CC6.3 (Segregation of duties). Requiring two independent approvers for high-value payments ensures that a single compromised individual cannot authorise a fraudulent payment. This is a fundamental internal control that auditors specifically test for.
NIST CSF PR.AC-7 (Authentication)
ISO 27001 A.8.16 (Monitoring)
There is no compliance mapping for payment controls