Business Email Compromise Prevention in Microsoft 365

March 11, 2026 · 4 min read

Business Email Compromise Is the Most Expensive Cyber Threat

Ransomware gets the headlines. Business Email Compromise (BEC) gets the money. The FBI’s IC3 report documented $2.9 billion in BEC losses in 2023 alone, making it the costliest category of cybercrime by a wide margin.

BEC does not rely on malware or technical exploits. It relies on trust, urgency, and compromised or spoofed email accounts. An attacker impersonates a CEO, vendor, or attorney and instructs someone to wire money, change payment details, or send sensitive data. The email looks legitimate because it often comes from a real, compromised account.

For MSPs, protecting clients from BEC is not just a security service — it is a financial protection service.

How BEC Attacks Work in Microsoft 365

Understanding the attack chain helps you defend against it:

Phase 1: Account compromise
The attacker gains access to a legitimate M365 account, usually through phishing, credential stuffing, or purchasing stolen credentials from the dark web. This is why MFA and credential monitoring matter so much.

Phase 2: Reconnaissance
Once inside, the attacker reads email for days or weeks. They learn the organization’s communication patterns, identify key relationships (CEO to CFO, company to vendor), and wait for the right moment.

Phase 3: Inbox rule creation
The attacker creates inbox rules to hide their activity — forwarding specific emails to an external address, moving replies to a hidden folder, or deleting sent items. This is one of the most reliable indicators of BEC.

Phase 4: The attack
The attacker sends an email — either from the compromised account or from a spoofed lookalike domain — requesting a wire transfer, payment redirect, or sensitive data. The email uses urgency and authority to bypass normal verification.

Preventive Controls in Microsoft 365

Email authentication (SPF, DKIM, DMARC):
These three protocols work together to prevent domain spoofing.

  • SPF defines which servers can send email for your domain
  • DKIM adds a cryptographic signature to outgoing messages
  • DMARC tells receiving servers what to do when SPF or DKIM fails
  • Set DMARC to p=reject for maximum protection (start with p=none to monitor, then move to p=quarantine, then p=reject)

Anti-phishing policies in Defender for Office 365:

  • Enable impersonation protection for executive users (CEO, CFO, HR director)
  • Enable domain impersonation protection for your client’s domains and key partner domains
  • Configure mailbox intelligence to detect unusual sending patterns
  • Set actions to quarantine rather than just warn

Block external auto-forwarding:
This is critical. Attackers create forwarding rules to exfiltrate email data.

  • Create a mail flow rule that blocks auto-forwarding to external domains
  • Or set the anti-spam outbound policy to block automatic external forwarding
  • Regularly audit existing forwarding rules across all mailboxes

Detective Controls and Monitoring

Prevention is not enough. You need to detect BEC activity that bypasses your controls.

Alert policies to configure:

  • New inbox rules created by users (especially rules that forward or delete)
  • Inbox rules created via PowerShell or API (a strong BEC indicator)
  • Impossible travel sign-in activity
  • Sign-ins from anonymous IP addresses
  • Mass mail sending from a single account
  • Changes to mail forwarding settings

Regular audit activities:

  • Review inbox rules across all mailboxes monthly (use PowerShell: Get-InboxRule)
  • Check for new forwarding rules (Get-Mailbox | Where ForwardingSmtpAddress -ne $null)
  • Review Azure AD sign-in logs for risky sign-ins
  • Monitor for new OAuth app consent grants (attackers use malicious OAuth apps to maintain access)
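The monthly inbox-rule and forwarding audit above, written out as a script. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, Connect-ExchangeOnline has already run, and the "rarely-viewed folder" and "short rule name" checks are heuristics you tune to the tenant.

```powershell
# Added example, not from the original post: flag BEC-style inbox rules and
# mailbox-level forwarding across every mailbox in the tenant.
# Assumes Connect-ExchangeOnline has already run with an admin account.

# Domains the tenant owns; any other destination counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

function Test-ExternalTarget {
    param([string]$Target)
    # Rule recipients stringify as display name plus SMTP address; pull out the address.
    $addr = [regex]::Match($Target, '[\w.+-]+@[\w.-]+').Value
    if (-not $addr) { return $false }
    return $internalDomains -notcontains $addr.Split('@')[-1].ToLower()
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding lives outside the rules engine and is easy to overlook.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Rule = '(mailbox forwarding)'
            Reason  = "Forwards to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
        }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        $targets = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) |
            Where-Object { $_ }
        $external = $targets | Where-Object { Test-ExternalTarget "$_" }
        if ($external) { $reasons += "Forwards externally to $($external -join ', ')" }
        if ($rule.DeleteMessage) { $reasons += 'Deletes messages' }
        # Heuristic: replies parked in folders users rarely open stay hidden from them.
        if ("$($rule.MoveToFolder)" -match 'RSS|Archive|Conversation History|Junk') {
            $reasons += "Moves mail to rarely-viewed folder '$($rule.MoveToFolder)'"
        }
        # Heuristic: attacker-created rules are often named with a few punctuation characters.
        if ($rule.Name -match '^\W{1,3}$') { $reasons += "Suspicious rule name '$($rule.Name)'" }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Reason = $reasons -join '; '
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Run it against a known-clean tenant first so legitimate archive or partner-forwarding rules can be added to an allowlist before it goes into the monthly audit.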

Incident Response for BEC

When you suspect a BEC attack, speed matters:

Immediate actions (first 30 minutes):

  1. Reset the affected account’s password immediately
  2. Revoke all active sessions and refresh tokens
  3. Enable MFA if not already enabled
  4. Review and remove suspicious inbox rules
  5. Check for forwarding rules and remove them
  6. Block the account from sending email if active exploitation is occurring
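The first-30-minute list above as one containment script, added here as an example and not part of the original post. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules with Connect-ExchangeOnline and Connect-MgGraph (scope User.ReadWrite.All) already run as an admin, and that MFA is enforced tenant-wide through Conditional Access rather than per user, which is why step 3 is not scripted.

```powershell
# Added example, not from the original post: contain one suspected-compromised
# account, snapshotting evidence before changing anything. Assumes an admin session
# is already connected to Exchange Online and Microsoft Graph.
param(
    [Parameter(Mandatory)][string]$Upn,
    [switch]$BlockSignIn    # use while exploitation is still active
)
$evidence = Join-Path $PWD ("bec-{0}-{1:yyyyMMdd-HHmmss}" -f ($Upn -replace '[@.]', '_'), (Get-Date))
New-Item -ItemType Directory -Path $evidence | Out-Null

# 1. Snapshot rules and forwarding settings first; the investigation needs them intact.
$rules = Get-InboxRule -Mailbox $Upn
$rules | Export-Clixml (Join-Path $evidence 'inbox-rules.xml')
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Export-Clixml (Join-Path $evidence 'forwarding.xml')

# 2. Reset the password to a random value; the user must change it at next sign-in.
$pool = (48..57) + (65..90) + (97..122) + (35..38)
$newPassword = -join ($pool | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }

# 3. Invalidate every existing session and refresh token; a reset alone leaves them valid.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 4. Disable (not delete) the inbox rules so they stop acting but remain as evidence.
foreach ($rule in $rules) {
    Disable-InboxRule -Identity $rule.Identity -Mailbox $Upn -Confirm:$false
}

# 5. Clear mailbox-level forwarding, which is configured outside the rules engine.
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

# 6. Optional: block sign-in entirely, which also stops the account sending mail.
if ($BlockSignIn) { Update-MgUser -UserId $Upn -AccountEnabled:$false }

"Containment complete for $Upn; evidence saved under $evidence"
```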

Investigation (next 24 hours):

  1. Review sign-in logs to determine initial compromise method and timeline
  2. Search audit logs for inbox rule creation and mail access
  3. Identify all emails sent by the attacker from the compromised account
  4. Notify any recipients of attacker-sent emails
  5. Check if the attacker accessed SharePoint, Teams, or other M365 services
  6. Scan the endpoint for malware or infostealers

Recovery and hardening:

  1. Contact the bank if any fraudulent wire transfers were initiated (time is critical)
  2. File an IC3 complaint if financial loss occurred
  3. Implement all preventive controls listed above
  4. Conduct security awareness training focused on BEC scenarios
  5. Run a full M365 security assessment to identify other gaps

Train Users to Recognize BEC

Technical controls catch most attacks, but trained users are the last line of defense.

Key training points:

  • Always verify wire transfer or payment change requests through a separate communication channel (call the person directly, do not reply to the email)
  • Be suspicious of urgency — “this must be done today” or “do not tell anyone” are manipulation tactics
  • Look for subtle domain spoofing (bonelIisystems.com with a capital I instead of lowercase L)
  • Report suspicious emails to IT, even if you are not sure — false positives are better than missed attacks

Assess Your BEC Defenses

BEC prevention requires a combination of email authentication, anti-phishing policies, forwarding controls, monitoring, and user training. Missing any one of these layers creates opportunity for attackers.

365 Security Assessment checks all BEC-related configurations — SPF, DKIM, DMARC, anti-phishing policies, mail forwarding rules, inbox rule anomalies, and more — as part of its automated M365 security audit.

Run your free assessment and find out how exposed your clients are to BEC attacks.
