Business Email Compromise Response

Rapid containment, forensic investigation, and financial recovery when email accounts are compromised. Minutes matter — we activate immediately.

Rapid Incident Response
M365 & Google Workspace Forensics
Financial Recovery Support

Emergency response · Retainer available · Confidential engagement

Contain the Intrusion — Minutes Matter

BEC is the most financially damaging cybercrime category globally — the FBI puts cumulative losses above $50 billion. When an account is compromised, delay directly increases damage: fraudulent transactions go through, data gets exfiltrated, and attackers pivot to additional accounts.

We activate immediately on engagement. The first priority is stopping ongoing attacker activity — locking accounts, killing active sessions, and pulling any persistence mechanisms they've left behind.

  • Immediate account lockdown and active session revocation across all compromised mailboxes
  • Establishing the compromise window — when attacker access started and what was touched
  • Forensic preservation of audit logs, sign-in records, and mailbox activity before any remediation steps alter the trail
  • Removal of attacker persistence — inbox forwarding rules, transport rules, OAuth app grants, and delegated mailbox access
  • Lateral movement check — did the attacker reach SharePoint, OneDrive, Teams, or additional accounts?
  • Immediate notification guidance for affected parties, banks, and payment processors

M365 & Google Workspace Forensics

Once containment is done, we dig into exactly what happened. Our forensic work covers the full attack timeline — initial access through final exfiltration — and produces documentation suitable for regulatory notifications, insurance claims, and law enforcement.

  • Unified Audit Log (UAL) analysis for M365, or Admin console audit log review for Google Workspace
  • Mailbox forensics — sent items, deleted items, search queries, and attachment access
  • Mail flow rule analysis — inbox rules, transport rules, auto-forwarding to external addresses, and journal rules
  • OAuth application audit — malicious app consent grants, third-party delegated access, and token theft indicators
  • Sign-in analysis — IP geolocation, device fingerprinting, MFA bypass indicators (e.g. Evilginx/AiTM proxy sessions), and impossible travel detection
  • Attacker TTP mapping against MITRE ATT&CK for Enterprise — specifically the Initial Access, Persistence, and Collection tactics relevant to BEC
  • Data exfiltration assessment — what emails, attachments, and files were accessed or downloaded
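As an added illustration of the mail flow rule and sign-in analysis listed above (example code written for this page, not the firm's tooling), the following Python runs two of those checks over constructed, simplified Unified Audit Log records: rule changes that forward mail to an external domain, and impossible travel between consecutive successful sign-ins. The geolocation table, the sample records and the 900 km/h threshold are assumptions; a real case would work from full UAL exports and a GeoIP database.

```python
import math
from datetime import datetime
# Constructed IP -> (lat, lon) table; a real case would use a GeoIP database.
GEO = {"203.0.113.10": (51.50, -0.12), "198.51.100.7": (40.71, -74.01)}  # London, New York
# Constructed, simplified UAL-style records (only the fields these checks read).
RECORDS = [
    {"CreationTime": "2024-03-01T08:00:00", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2024-03-01T08:45:00", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.com", "ClientIP": "198.51.100.7", "ResultStatus": "Success"},
    {"CreationTime": "2024-03-01T08:50:00", "Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "ClientIP": "198.51.100.7", "Parameters": [{"Name": "ForwardTo", "Value": "archive@attacker.example"},
                                                {"Name": "DeleteMessage", "Value": "True"}]},
]
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def external_forwarding(records, internal_domains):
    """Rule or mailbox changes that forward/redirect mail to a domain outside the tenant."""
    hits = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            continue
        for p in r.get("Parameters", []):
            if p["Name"] in FORWARD_PARAMS:
                target = p["Value"].split(":")[-1]   # Set-Mailbox logs "smtp:user@domain"
                if target.rsplit("@", 1)[-1].lower() not in internal_domains:
                    hits.append((r["UserId"], r["Operation"], target))
    return hits

def impossible_travel(records, geo, max_kmh=900):
    """Consecutive successful sign-ins per user whose implied speed exceeds max_kmh."""
    logins = sorted((r for r in records if r.get("Operation") == "UserLoggedIn"
                     and r.get("ResultStatus") == "Success"), key=lambda r: r["CreationTime"])
    last, hits = {}, []
    for r in logins:
        t, ip, user = datetime.fromisoformat(r["CreationTime"]), r["ClientIP"], r["UserId"]
        if user in last and ip in geo and last[user][1] in geo:
            hours = (t - last[user][0]).total_seconds() / 3600
            kmh = haversine_km(geo[last[user][1]], geo[ip]) / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                hits.append((user, last[user][1], ip, round(kmh)))
        last[user] = (t, ip)
    return hits
```

Both findings land on the same account within minutes of each other, which is the kind of correlation that establishes the compromise window before remediation begins.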

Intercept Funds & Support Recovery

BEC is financial fraud. The attacker wants wire transfers diverted, invoices manipulated, or payroll redirected. When fraudulent transactions are already in motion, how fast you act determines how much you recover. We work directly with your finance team, banks, and law enforcement.

  • Immediate liaison with receiving and sending banks to initiate recall and hold procedures
  • IC3 (FBI Internet Crime Complaint Center) filing support for US-based incidents
  • Action Fraud and National Fraud Intelligence Bureau reporting for UK-based incidents
  • Payment processor notification and chargeback initiation where applicable
  • Documentation package for insurance claims (cyber liability and crime policies)
  • Law enforcement liaison — providing forensic packages suitable for criminal investigation

Understanding BEC Attack Patterns

BEC isn't one technique — it's a category of attacks where compromised or spoofed business email is used to commit fraud. Knowing the pattern tells us what the attacker was after and what's already happened.

Invoice Fraud

Attacker compromises a supplier account or spoofs the domain, then modifies banking details on legitimate invoices mid-thread. Payments land in attacker-controlled accounts.

CEO / Executive Fraud

Attacker spoofs or compromises a senior executive's account to pressure finance staff into urgent wire transfers or gift card purchases — bypassing normal approval chains.

Payroll Diversion

Attacker impersonates an employee or compromises HR's mailbox to redirect salary payments before the next payroll run. Often sits undetected until the employee reports missing pay.

OAuth Token Theft & Account Persistence

Rather than stealing passwords, attackers use AiTM phishing proxies (e.g. Evilginx) to harvest session cookies post-MFA, or trick users into granting OAuth consent to malicious apps — maintaining access even after a password reset.

Harden Your Environment Before the Next Attack

Most BEC incidents exploit weak email authentication, inadequate MFA, and a lack of out-of-band payment verification. After incident resolution, we help fix the specific controls that failed.

  • Email authentication hardening — DMARC enforcement, DKIM signing, and SPF alignment
  • Phishing-resistant MFA deployment — hardware keys or FIDO2 to defeat AiTM proxy attacks
  • Conditional Access policy hardening — restricting legacy auth, enforcing compliant devices
  • BEC simulation exercises — targeted phishing campaigns against finance and executive teams
  • Payment verification procedure design — out-of-band confirmation for all wire transfers above defined thresholds
  • Incident response playbook — so the next incident gets contained faster

End-to-End BEC Incident Response

From initial containment through forensic investigation, financial recovery, and future hardening — full BEC response under one engagement.

Rapid Containment

Account lockdown, active session revocation, and removal of attacker persistence — forwarding rules, OAuth grants, delegated access. We stop further damage before we start the forensic work.

Digital Forensics

Deep forensic analysis of M365 and Google Workspace — UAL audit logs, mailbox activity, sign-in records, OAuth consent grants, and AiTM session indicators — producing court-ready evidence packages.

Financial Recovery

Bank liaison, IC3 and Action Fraud filings, payment processor coordination, and insurance documentation — giving you the best realistic chance of recovering diverted funds.

Hardening & Prevention

Post-incident environment hardening — DMARC enforcement, phishing-resistant MFA (FIDO2/hardware keys), conditional access policies, BEC simulation exercises, and out-of-band payment verification procedures.

How BEC Incident Response Works

A time-critical response process designed to contain, investigate, and recover from business email compromise.

1. Contain & Preserve

We lock down compromised accounts, revoke active sessions, and pull attacker persistence — forwarding rules, OAuth app consents, delegated access. Evidence is preserved before any remediation step that could alter the audit trail. Affected parties and financial institutions get notification so they can initiate hold procedures on in-flight transactions.

2. Investigate & Determine Impact

We map the complete attack timeline from initial access through final action — what data was read, what communications were intercepted, what transactions were manipulated, and whether the attacker moved laterally to other accounts or services. TTPs are documented against MITRE ATT&CK, which gives you a framework for discussing the incident with legal, insurers, and regulators.

3. Recover & Harden

Financial recovery is coordinated with banks and law enforcement. We deliver a full incident report with forensic findings, regulatory notification guidance, and insurance documentation. Then we harden the environment — DMARC enforcement, phishing-resistant MFA, Conditional Access tightening, and out-of-band payment controls for high-value transactions.

Common Questions

How quickly can you respond to a BEC incident?

We activate within hours of engagement — retainer clients get a response within one hour. Initial containment (account lockdown, session revocation, persistence removal) is typically done within 2–4 hours. The sooner you call us after discovering a compromise, the better your odds of financial recovery and evidence preservation.

Can you actually recover stolen funds?

It depends entirely on speed. Cases engaged within 24–48 hours of the fraudulent transaction have significantly better recovery rates. We work directly with receiving banks to initiate holds, file IC3 complaints (which trigger the FBI's Recovery Asset Team for domestic US transfers), and coordinate with international banking partners for cross-border fraud. We can't guarantee recovery — nobody can — but we use every mechanism available.

Do you work with law enforcement?

Yes. We prepare forensic evidence packages for law enforcement submission, assist with IC3 and Action Fraud filings, and can liaise directly with investigating officers. Our documentation follows chain-of-custody standards and has been used in criminal proceedings.

Can you help prevent BEC before it happens?

Yes. BEC readiness assessments cover DMARC/DKIM/SPF configuration, Conditional Access hardening, phishing-resistant MFA deployment (FIDO2), BEC simulation exercises, payment verification procedure design, and staff awareness training. Prevention is far cheaper than response.

Compromised Email? Act Now.

Every minute counts during a BEC incident. Contact our response team immediately for rapid containment and investigation.
