Difficulty: Medium | Category: Phishing & Social Engineering | Time: 25-40 minutes | Tools: SIEM, XDR

Business Email Compromise (BEC) Investigation

When financial staff receive urgent payment requests from executives or vendors, or when email rules are discovered forwarding messages to external accounts, investigate for Business Email Compromise. Check authentication logs for account takeover, review email rules for unauthorized forwarding, inspect payment request details for social engineering patterns, and trace the communication chain. BEC caused $2.9 billion in losses in 2023 according to the FBI IC3, making it the most financially damaging cybercrime category.

Overview

Business Email Compromise is a sophisticated social engineering attack where adversaries impersonate executives, vendors, or business partners to trick employees into transferring funds or sharing sensitive data. Unlike mass phishing, BEC is highly targeted and often involves actual account compromise rather than spoofed emails. Attackers may compromise an executive mailbox, monitor email threads for weeks, then inject themselves at the perfect moment, when a legitimate invoice is due or a wire transfer is in progress.

The FBI IC3 reported $2.9 billion in BEC losses in 2023 alone. Notable incidents include the Ubiquiti Networks $46.7M BEC fraud (2015) and the Toyota Boshoku $37M BEC (2019). This playbook covers both account-takeover BEC and impersonation-based BEC investigation workflows.

When You See This

  1. Finance department reports an unusual payment request from an executive with urgency language

  2. Email gateway flags an inbound message with a display name matching a C-suite executive but sent from an external domain

  3. Mailbox audit logs show creation of forwarding rules to external email addresses

  4. A vendor reports receiving payment change requests they did not send

  5. Authentication logs show an executive account accessed from an unusual location or device

Investigation Steps

  1. Determine if the executive account is compromised

    Check authentication logs for the impersonated executive account. Look for logins from unusual locations, devices, or IP addresses. Review mailbox audit logs for unauthorized access, rule creation, or message deletion. If the account is compromised, this is account-takeover BEC, the most dangerous variant because the emails come from a legitimate address.

    SIEM
    index=o365 OR index=exchange user="executive@company.com" operation IN ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules") | table _time, operation, parameters, src_ip
    index=auth user="executive@company.com" | stats earliest(_time) as first_seen, latest(_time) as last_seen, values(src_ip) as ips, values(user_agent) as agents, values(City) as locations by action | sort -last_seen

    Decision Point

    If: Unauthorized access to the executive account is confirmed

    Yes → Account-takeover BEC. Immediately reset the password, revoke active sessions, and remove unauthorized rules. Escalate; all emails sent from this account during the compromise window are suspect.

    No → Likely impersonation-based BEC using a spoofed or lookalike domain. Proceed to email header analysis.
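    The baseline comparison behind the second query above, worked through as an added example (not code from the playbook or from SOCSimulator): a few constructed audit records in the shape of Office 365 UserLoggedIn and inbox-rule events are split into a pre-window baseline and an investigation window, and every window login from an IP, city or user agent the account had never used, plus any rule change, is flagged. The field names, addresses and timestamps are all invented for the example.

    ```python
    from datetime import datetime

    # Constructed sample events modelled on Office 365 unified audit log fields
    # (CreationTime, Operation, UserId, ClientIP, City, UserAgent). Every value is invented.
    SAMPLE_EVENTS = [
        {"CreationTime": "2024-02-20T08:02:11", "Operation": "UserLoggedIn", "UserId": "executive@company.com",
         "ClientIP": "203.0.113.10", "City": "Chicago", "UserAgent": "Outlook/16.0"},
        {"CreationTime": "2024-02-22T09:15:40", "Operation": "UserLoggedIn", "UserId": "executive@company.com",
         "ClientIP": "203.0.113.10", "City": "Chicago", "UserAgent": "Outlook/16.0"},
        {"CreationTime": "2024-02-27T17:44:03", "Operation": "UserLoggedIn", "UserId": "executive@company.com",
         "ClientIP": "203.0.113.11", "City": "Chicago", "UserAgent": "Mozilla/5.0 (Windows NT 10.0)"},
        {"CreationTime": "2024-03-04T02:13:27", "Operation": "UserLoggedIn", "UserId": "executive@company.com",
         "ClientIP": "198.51.100.77", "City": "Lagos", "UserAgent": "python-requests/2.31"},
        {"CreationTime": "2024-03-04T02:15:02", "Operation": "New-InboxRule", "UserId": "executive@company.com",
         "ClientIP": "198.51.100.77", "City": "Lagos", "UserAgent": "python-requests/2.31"},
        {"CreationTime": "2024-03-04T09:01:55", "Operation": "UserLoggedIn", "UserId": "executive@company.com",
         "ClientIP": "203.0.113.10", "City": "Chicago", "UserAgent": "Outlook/16.0"},
    ]

    # Mailbox rule operations named in the playbook's first SIEM query.
    RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}


    def build_baseline(events, user, window_start):
        """Collect the IPs, cities and user agents the account used before the window opened."""
        baseline = {"ips": set(), "cities": set(), "agents": set()}
        for e in events:
            if e["UserId"] != user or e["Operation"] != "UserLoggedIn":
                continue
            if datetime.fromisoformat(e["CreationTime"]) >= window_start:
                continue
            baseline["ips"].add(e["ClientIP"])
            baseline["cities"].add(e["City"])
            baseline["agents"].add(e["UserAgent"])
        return baseline


    def find_anomalies(events, user, window_start):
        """Flag window-period logins from never-seen IP/city/agent values and any rule change.

        Returns a chronologically ordered list of findings; an empty list means nothing
        in the window deviated from the account's own history.
        """
        baseline = build_baseline(events, user, window_start)
        findings = []
        for e in sorted(events, key=lambda x: x["CreationTime"]):
            if e["UserId"] != user or datetime.fromisoformat(e["CreationTime"]) < window_start:
                continue
            reasons = []
            if e["Operation"] in RULE_OPERATIONS:
                reasons.append("mailbox rule change")
            if e["Operation"] == "UserLoggedIn":
                if e["ClientIP"] not in baseline["ips"]:
                    reasons.append("new IP")
                if e["City"] not in baseline["cities"]:
                    reasons.append("new city")
                if e["UserAgent"] not in baseline["agents"]:
                    reasons.append("new user agent")
            if reasons:
                findings.append({"time": e["CreationTime"], "operation": e["Operation"],
                                 "ip": e["ClientIP"], "reasons": reasons})
        return findings


    if __name__ == "__main__":
        for f in find_anomalies(SAMPLE_EVENTS, "executive@company.com", datetime(2024, 3, 1)):
            print(f["time"], f["operation"], f["ip"], ", ".join(f["reasons"]))
    ```

    The point of the baseline split is that "unusual" only has meaning relative to the account's own history: the 09:01 Chicago login on the same day as the foreign login is not flagged because it matches the prior pattern, while the rule creation is flagged regardless of where it came from.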

  2. Analyze the fraudulent email headers and domain

    For impersonation BEC, examine the sending domain. Look for typosquatting (ceo@company-inc.com vs ceo@company.com), recently registered domains, and SPF/DKIM failures. Check WHOIS for the lookalike domain registration date and registrant.

    SIEM
    index=email sender_domain!="company.com" sender_display="*CEO Name*" | table _time, sender_address, sender_domain, recipient, subject, spf_result, dkim_result
  3. Review the financial request for social engineering markers

    Analyze the payment request content. BEC emails typically contain: urgency language, requests to change payment methods or bank details, instructions to keep the request confidential, and pressure to bypass normal approval processes. Compare against the actual vendor or executive communication patterns.
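    Steps 2 and 3 together, as an added triage example that is not part of the playbook: a constructed raw message is parsed with the standard library, the From domain is classified as legitimate, lookalike (brand substring or edit distance of 2 or less from the real domain) or merely external, the display name is checked against a small assumed executive directory, SPF/DKIM results are read from the Authentication-Results header, and the subject and body are scored for the four social engineering markers the step lists. The domain company.com, the executive name, the patterns and the weights are assumptions for the example, not anything the page specifies.

    ```python
    import email
    import re
    from email import policy
    from email.utils import parseaddr

    # Assumed organisation data for the example.
    LEGIT_DOMAIN = "company.com"
    EXECUTIVES = {"Jane Doe": "jane.doe@company.com"}  # constructed executive directory

    # Constructed raw message; headers, addresses and body are invented for this example.
    SAMPLE_MESSAGE = """\
    From: Jane Doe <jane.doe@company-inc.com>
    To: accounts.payable@company.com
    Subject: Urgent wire transfer - confidential
    Authentication-Results: mx.company.com; spf=fail smtp.mailfrom=company-inc.com; dkim=none
    Date: Mon, 04 Mar 2024 09:12:00 +0000
    Content-Type: text/plain; charset=utf-8

    Hi,
    I need you to process an urgent wire transfer today. The vendor has changed
    their bank details, please use the new account below. Keep this confidential
    until the deal closes, and don't wait for the usual approval - I will sign off
    afterwards.
    """

    # The four marker categories from step 3; patterns are illustrative, not exhaustive.
    MARKERS = {
        "urgency": r"\b(urgent|immediately|today|asap|right\s+away)\b",
        "payment change": r"\b(new\s+(bank\s+)?account|changed?\s+(their\s+)?bank|bank\s+details|payment\s+method)\b",
        "secrecy": r"\b(confidential|keep\s+this\s+(private|between\s+us)|do\s+not\s+(discuss|mention))\b",
        "bypass approval": r"\b(don'?t\s+wait\s+for|skip|bypass|without)\s+(the\s+)?(usual\s+|normal\s+)?approval\b",
    }


    def edit_distance(a, b):
        """Levenshtein distance, used to catch one- or two-character typosquats."""
        prev = list(range(len(b) + 1))
        for i, ca in enumerate(a, 1):
            cur = [i]
            for j, cb in enumerate(b, 1):
                cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
            prev = cur
        return prev[-1]


    def classify_domain(domain):
        """legitimate / lookalike / external, relative to LEGIT_DOMAIN."""
        if domain == LEGIT_DOMAIN:
            return "legitimate"
        brand = LEGIT_DOMAIN.split(".")[0]
        if brand in domain or edit_distance(domain, LEGIT_DOMAIN) <= 2:
            return "lookalike"
        return "external"


    def analyze(raw):
        """Header and content findings for one message, plus a simple additive risk score."""
        msg = email.message_from_string(raw, policy=policy.default)
        display, addr = parseaddr(msg["From"])
        domain = addr.rpartition("@")[2].lower()
        auth = msg.get("Authentication-Results", "")
        spf = re.search(r"spf=(\w+)", auth)
        dkim = re.search(r"dkim=(\w+)", auth)
        findings = {
            "sender_domain": domain,
            "domain_class": classify_domain(domain),
            # Display name belongs to a known executive but the address is not on their domain.
            "display_name_impersonation": display in EXECUTIVES
            and EXECUTIVES[display].rpartition("@")[2] != domain,
            "spf": spf.group(1) if spf else "unknown",
            "dkim": dkim.group(1) if dkim else "unknown",
            "markers": [],
        }
        body = msg.get_body(preferencelist=("plain",)).get_content()
        text = (msg["Subject"] + " " + body).lower()
        for name, pattern in MARKERS.items():
            if re.search(pattern, text):
                findings["markers"].append(name)
        # Weights are assumptions: domain evidence counts most, each content marker adds one.
        findings["score"] = (
            3 * (findings["domain_class"] == "lookalike")
            + 2 * findings["display_name_impersonation"]
            + (findings["spf"] == "fail")
            + len(findings["markers"])
        )
        return findings


    if __name__ == "__main__":
        for k, v in analyze(SAMPLE_MESSAGE).items():
            print(f"{k}: {v}")
    ```

    A message that carries no link or attachment, as step 3 notes is typical for BEC, still yields strong evidence here: a lookalike domain, a borrowed display name, a failing SPF check and all four content markers.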
  4. Check for mail forwarding rules and persistence

    If the account was compromised, search for email forwarding rules that send copies of incoming mail to external addresses. Attackers use these to monitor communications even after the password is changed. Check for OAuth application consent grants that provide persistent mailbox access.

    SIEM
    index=o365 operation IN ("New-InboxRule", "Set-InboxRule") | where match(parameters, "ForwardTo|RedirectTo|ForwardAsAttachmentTo") | table _time, user, parameters, src_ip
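    The parameter inspection that the query above leaves to the analyst, as an added example (not the playbook's or SOCSimulator's code): each constructed audit record carries the Exchange-style Parameters list of Name/Value pairs, from which the block extracts ForwardTo/RedirectTo/ForwardAsAttachmentTo targets, keeps only those outside an assumed internal domain, and adds weight for the hiding actions and finance keyword filters that typically accompany a malicious rule. The address format inside the values, the internal domain and the scoring weights are assumptions; the OAuth consent grant check mentioned in the step is not covered here.

    ```python
    import json
    import re

    INTERNAL_DOMAINS = {"company.com"}  # assumed for the example
    FORWARDING_ACTIONS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}  # from the playbook query
    HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
    FILTER_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
    FINANCE_TERMS = re.compile(r"invoice|wire|payment|bank|remit", re.IGNORECASE)
    EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

    # Constructed audit records. The Parameters list of Name/Value pairs follows the
    # Exchange audit record layout; the rule contents and addresses are invented.
    SAMPLE_RECORDS = [
        {"CreationTime": "2024-03-04T02:15:02", "Operation": "New-InboxRule",
         "UserId": "executive@company.com", "ClientIP": "198.51.100.77",
         "Parameters": [{"Name": "Name", "Value": "."},
                        {"Name": "ForwardTo", "Value": "[SMTP:payments.backup@example.net]"},
                        {"Name": "DeleteMessage", "Value": "True"},
                        {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"}]},
        {"CreationTime": "2024-03-04T10:20:00", "Operation": "New-InboxRule",
         "UserId": "analyst@company.com", "ClientIP": "203.0.113.25",
         "Parameters": [{"Name": "Name", "Value": "Team updates"},
                        {"Name": "MoveToFolder", "Value": "Projects"},
                        {"Name": "From", "Value": "manager@company.com"}]},
        {"CreationTime": "2024-03-04T11:05:30", "Operation": "Set-InboxRule",
         "UserId": "cfo@company.com", "ClientIP": "203.0.113.30",
         "Parameters": [{"Name": "Identity", "Value": "Vendor mail"},
                        {"Name": "RedirectTo", "Value": "cfo@company.com"}]},
    ]


    def parse_parameters(record):
        """Flatten the Name/Value list into a dict."""
        return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


    def external_targets(value):
        """Addresses in a forwarding parameter whose domain is not internal."""
        return [a for a in EMAIL_RE.findall(value)
                if a.rpartition("@")[2].lower() not in INTERNAL_DOMAINS]


    def assess_rule(record):
        """Score one inbox-rule audit record; accepts a dict or a JSON string (AuditData export)."""
        if isinstance(record, str):
            record = json.loads(record)
        params = parse_parameters(record)
        targets = []
        for action in sorted(FORWARDING_ACTIONS):
            if action in params:
                targets.extend(external_targets(params[action]))
        hiding = sorted(a for a in HIDING_ACTIONS
                        if params.get(a, "").lower() not in ("", "false"))
        name = params.get("Name") or params.get("Identity") or ""
        # Rules named with a single dot or other symbols are a common sign of concealment.
        anonymous_name = re.fullmatch(r"[\W_]{0,3}", name) is not None
        finance_filter = any(FINANCE_TERMS.search(params[p]) for p in FILTER_PARAMS if p in params)
        # Weights are assumptions: an external forward alone is enough to warrant review.
        score = 5 * len(targets) + 2 * len(hiding) + 2 * anonymous_name + 1 * finance_filter
        return {
            "user": record.get("UserId"),
            "operation": record.get("Operation"),
            "rule_name": name,
            "external_targets": targets,
            "hiding_actions": hiding,
            "finance_filter": finance_filter,
            "score": score,
            "verdict": "suspicious" if score >= 5 else "benign",
        }


    if __name__ == "__main__":
        for rec in SAMPLE_RECORDS:
            r = assess_rule(rec)
            print(r["verdict"], r["score"], r["user"], r["rule_name"], r["external_targets"])
    ```

    The internal RedirectTo rule and the move-to-folder rule both score below the threshold, which is the intended behaviour: the query alone would have surfaced the CFO's rule as a match on "RedirectTo", and the parameter check is what separates it from the executive's rule that forwards finance mail externally and deletes the original.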
  5. Contain, notify, and report

    If funds were transferred, immediately contact the receiving bank to attempt a recall. Notify law enforcement (FBI IC3 for US organizations). Remove unauthorized email rules. Block the attacker domain. Issue an internal advisory to finance staff about the attempted BEC. Document the complete communication chain for legal proceedings.

Common Mistakes

  1. Investigating only the phishing email without checking whether the executive account itself was compromised

  2. Not searching for email forwarding rules that provide persistent access even after a password reset

  3. Treating BEC as a simple phishing attempt; BEC often involves weeks of email thread monitoring before the attack

  4. Failing to contact the bank immediately when funds have been transferred; recall success rates drop dramatically after 24 hours

Escalation Criteria

  • Funds have been transferred to a fraudulent account

  • Executive mailbox compromise confirmed with unauthorized access over multiple days

  • Multiple BEC attempts targeting different executives or finance staff simultaneously

Practice This Investigation

SOCSimulator provides hands-on training rooms where you work through real-world attack scenarios, including Business Email Compromise (BEC) investigations with live SIEM alerts. Build analyst muscle memory with zero consequences. Free forever.

Frequently Asked Questions

How much money do BEC attacks steal?
The FBI IC3 reported $2.9 billion in BEC losses in 2023, making it the most financially damaging cybercrime category, exceeding ransomware losses. Individual BEC incidents have stolen over $40 million (Ubiquiti Networks, Toyota Boshoku). The average BEC loss is approximately $125,000 per incident.
How is BEC different from regular phishing?
Regular phishing casts a wide net to steal credentials or install malware. BEC is highly targeted financial fraud; the attacker impersonates a specific executive or vendor to trick a specific employee into transferring money. BEC emails often contain no malicious links or attachments, making them harder for email security tools to detect.
How do I practice BEC investigations?
SOCSimulator includes BEC scenarios where you analyze compromised mailboxes, trace unauthorized email rules, and investigate financial fraud attempts. Build the investigation skills that prevent million-dollar losses. Start free forever.