Why BEC Response Speed Matters
Business Email Compromise (BEC) is consistently one of the most financially damaging forms of cybercrime. Unlike ransomware or malware, BEC rarely depends on a software exploit; it exploits trust. Attackers impersonate executives, vendors, or colleagues, often from a mailbox they have already taken over through phishing or stolen session tokens, to trick employees into transferring funds or sharing sensitive data.
The BEC Timeline Problem
- 4 hours: average time from account compromise to the first BEC email sent
- 24 hours: average time to detect BEC manually, without automation
- $137K: average financial loss per successful BEC attack
The gap between compromise and detection is where financial damage occurs. A structured triage and containment checklist—with automation where safe—closes this gap from hours to minutes.
Phase 1: Triage (First 15 Minutes)
Triage determines whether you're dealing with a real BEC incident or a false positive. The goal is to validate the threat and assess severity as quickly as possible.
BEC Triage Checklist
1. Log the incident (Automate)
Create a ticket with timestamp, reporter info, and initial alert details. This establishes the forensic timeline.
2. Validate the alert source (Automate)
Check Microsoft Defender for Office 365 alerts, Entra ID sign-in logs, and user reports. Cross-reference multiple signals before acting on any one of them.
3. Analyze email headers (Semi-Automate)
Check for Reply-To mismatches, the X-Originating-IP, the Authentication-Results (SPF/DKIM/DMARC verdicts), and discrepancies between the envelope sender (Return-Path), the From address, and the display name.
4. Determine whether the account is compromised or spoofed (Semi-Automate)
A message that left your own tenant (internal origin, DMARC pass on your domain) means a compromised account; an external spoof or lookalike domain calls for a different response. Check Entra ID sign-in logs and the Unified Audit Log (UserLoggedIn events) for suspicious sign-ins to the account.
5. Classify severity (Human Decision)
High: executive account, financial request sent, or evidence of lateral movement. Medium: standard user, no financial action yet. Low: blocked or failed attempt.
6. Enable litigation hold (Automate)
Preserve all mailbox data for forensic analysis, including anything the attacker deletes from here on. Apply it immediately via the Microsoft Purview compliance portal or with Set-Mailbox -LitigationHoldEnabled $true in Exchange Online PowerShell.
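The header checks in steps 3 and 4, as an added example that is not part of the original page: a PowerShell function that unfolds a raw header block, compares the From, Reply-To and Return-Path domains, reads the SPF/DKIM/DMARC verdicts out of Authentication-Results, checks for an executive's display name on an outside address, and classifies the origin as compromised account, spoof of your domain, or external sender. The sample header, the contoso.example domains and the executive name are constructed for the demo and are not from the page.

```powershell
# Added example (not from the original page). Everything below runs offline on the
# constructed header; the tenant domains and executive list are demo assumptions.

function ConvertFrom-MailHeaders {
    param([Parameter(Mandatory)][string]$RawHeaders)
    # Unfold continuation lines: a line starting with whitespace continues the previous header
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $headers = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([\w-]+):\s*(.*)$') {
            $name = $Matches[1].ToLower()
            # Repeated headers (Received, Authentication-Results) are kept in order
            if (-not $headers.ContainsKey($name)) { $headers[$name] = @() }
            $headers[$name] += $Matches[2]
        }
    }
    return $headers
}

function Get-AddressDomain {
    param([string]$HeaderValue)
    # Accepts 'Display Name <user@domain>' or a bare address
    if ($HeaderValue -match '<([^>]+)>') { $addr = $Matches[1] } else { $addr = $HeaderValue.Trim() }
    return ($addr -split '@')[-1].Trim().ToLower()
}

function Test-BecHeaders {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [Parameter(Mandatory)][string[]]$TenantDomains,   # your accepted domains
        [string[]]$ExecutiveNames = @()                    # display names attackers borrow
    )
    $h = ConvertFrom-MailHeaders $RawHeaders
    $findings = [System.Collections.Generic.List[string]]::new()

    $from       = $h['from']        | Select-Object -First 1
    $replyTo    = $h['reply-to']    | Select-Object -First 1
    $returnPath = $h['return-path'] | Select-Object -First 1
    $origIp     = ($h['x-originating-ip'] | Select-Object -First 1) -replace '[\[\]]', ''
    $auth       = $h['authentication-results'] -join ' '
    $fromDomain = Get-AddressDomain $from

    if ($replyTo -and (Get-AddressDomain $replyTo) -ne $fromDomain) {
        $findings.Add("Reply-To domain '$(Get-AddressDomain $replyTo)' differs from From domain '$fromDomain'")
    }
    if ($returnPath -and (Get-AddressDomain $returnPath) -ne $fromDomain) {
        $findings.Add("Envelope sender (Return-Path) domain '$(Get-AddressDomain $returnPath)' differs from From domain")
    }
    foreach ($mech in 'spf', 'dkim', 'dmarc') {
        if ($auth -match "$mech=(\w+)") {
            if ($Matches[1] -ne 'pass') { $findings.Add("$mech=$($Matches[1])") }
        } else {
            $findings.Add("no $mech result recorded")
        }
    }
    # Display-name impersonation: a known executive name on a non-tenant address
    if ($from -match '^"?([^"<]+?)"?\s*<') {
        $display = $Matches[1].Trim()
        if ($ExecutiveNames -contains $display -and $TenantDomains -notcontains $fromDomain) {
            $findings.Add("Display name '$display' used on external domain '$fromDomain'")
        }
    }
    # Compromised vs spoofed: mail on your own domain that passes DMARC really left your
    # tenant, so treat it as an account compromise rather than a spoof
    $origin = if ($TenantDomains -contains $fromDomain) {
        if ($auth -match 'dmarc=pass') { 'LikelyCompromisedAccount' } else { 'LikelySpoofOfOurDomain' }
    } else { 'ExternalSender' }

    [pscustomobject]@{
        FromDomain    = $fromDomain
        Origin        = $origin
        OriginatingIP = $origIp
        Findings      = $findings
    }
}

# Constructed sample: lookalike-domain CEO impersonation with a mismatched Reply-To
$sample = @"
Return-Path: <bounce@mailer.example.net>
From: "Jane Doe" <jane.doe@contoso-corp.example>
Reply-To: <jane.doe.ceo@protonmail.example>
To: accounts.payable@contoso.example
Subject: Urgent wire - vendor change
X-Originating-IP: [203.0.113.45]
Authentication-Results: spf=pass (sender IP is 203.0.113.45)
 smtp.mailfrom=mailer.example.net; dkim=none (message not signed)
 header.d=none; dmarc=fail action=quarantine header.from=contoso-corp.example
"@

Test-BecHeaders -RawHeaders $sample -TenantDomains 'contoso.example' -ExecutiveNames 'Jane Doe' | Format-List
```

With the constructed header, the function reports the Reply-To and Return-Path mismatches, the dkim=none and dmarc=fail verdicts, and the executive display name on an outside domain, and classifies the origin as ExternalSender, which routes this case to the spoof/lookalike response rather than the compromised-account one. Feed it the headers of a message from your own domain with dmarc=pass and it returns LikelyCompromisedAccount instead.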
Phase 2: Analysis (15-45 Minutes)
Once you've confirmed a BEC incident, analysis determines the scope: what did the attacker access, who else is affected, and what actions did they take?
BEC Analysis Checklist
1. Pull the Unified Audit Log (UAL) for the affected user (Automate)
Filter for MailItemsAccessed, Send, New-InboxRule/Set-InboxRule/UpdateInboxRules, Set-Mailbox, and Add-MailboxPermission. Look for activity from anomalous IPs, unfamiliar user agents (ClientInfoString), or at unusual hours.
2. Check for malicious inbox rules (Automate)
Attackers create rules to auto-forward mail or hide replies. Search for rules with DeleteMessage, MoveToFolder (commonly RSS Subscriptions or Archive), or ForwardTo/RedirectTo actions, and for rules whose name is a single punctuation character or blank.
3. Review OAuth app consents (Automate)
Check Entra ID for OAuth apps granted Mail.Read, Mail.Send, Mail.ReadWrite, or MailboxSettings.ReadWrite during the compromise window. The corresponding UAL operation is "Consent to application."
4. Identify all sent BEC emails (Semi-Automate)
Use Message Trace or Threat Explorer to find every email sent from the compromised account during the attack window. Collect recipients and content.
5. Assess data exposure (Semi-Automate)
Review MailItemsAccessed logs to determine which emails and attachments the attacker read. Flag if PII, financial data, or credentials were accessed. MailItemsAccessed depends on mailbox auditing and, historically, on Audit (Premium) licensing, so confirm the events are populated in your tenant before reading their absence as "nothing was accessed".
6. Determine lateral movement (Human Decision)
Check whether the attacker used the compromised account to phish internal users or to access SharePoint, OneDrive, or Teams. Expand scope as needed.
| UAL Event | What It Reveals | BEC Significance |
|---|---|---|
| UserLoggedIn | Sign-ins to the account, with source IP and user agent | Anchors the compromise window |
| MailItemsAccessed | Which emails the attacker read | Shows reconnaissance and data theft |
| Send | Emails sent from the account | Identifies the fraudulent messages sent |
| New-InboxRule / Set-InboxRule / UpdateInboxRules | Inbox rule changes | Persistence mechanism / hiding replies |
| Set-Mailbox | Mailbox configuration changes | ForwardingSmtpAddress pointed at an external address |
| Add-MailboxPermission | Delegation changes | Attacker granting themselves access |
| Consent to application. | OAuth app grants | Persistent backdoor via a malicious app |
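The analysis checklist and the table above, as one added example that is not the page's or BitLyft's code: a PowerShell summarizer that walks UAL records in the shape Search-UnifiedAuditLog returns (an AuditData JSON string per record), normalizes the three different IP fields Microsoft uses, extracts the rule actions, forwarding address, delegation, consent and mailbox-access details, and marks every action from an address outside your known-good list as anomalous. The five records, the user, the IPs and the attacker domain are constructed for the demo; the live retrieval at the end assumes an Exchange Online session.

```powershell
# Added example (not from the original page). Runs offline on constructed records;
# replace $sample with Search-UnifiedAuditLog output in a live tenant.

function Get-AuditIp {
    param($Data)
    # Exchange cmdlet records carry ClientIP (with a port), mailbox-access records carry
    # ClientIPAddress, Entra ID records carry ActorIpAddress: normalize to a bare address
    foreach ($name in 'ClientIPAddress', 'ClientIP', 'ActorIpAddress') {
        if ($Data.$name) { return ($Data.$name -replace ':\d+$', '' -replace '^\[|\]$', '') }
    }
    return 'unknown'
}

function Get-AuditParam {
    param($Data, [string]$Name)
    # Cmdlet audit records store the cmdlet arguments as Name/Value pairs
    ($Data.Parameters | Where-Object Name -eq $Name | Select-Object -First 1).Value
}

function Get-BecActivitySummary {
    param(
        [Parameter(Mandatory)][object[]]$Records,   # each has an AuditData JSON string
        [string[]]$KnownGoodIPs = @()               # corporate egress, VPN, and so on
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $ipCounts = @{}
    foreach ($rec in $Records) {
        $d  = $rec.AuditData | ConvertFrom-Json
        $ip = Get-AuditIp $d
        $ipCounts[$ip] = 1 + [int]$ipCounts[$ip]
        $detail = switch ($d.Operation) {
            { $_ -in 'New-InboxRule', 'Set-InboxRule' } {
                $actions = foreach ($p in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage', 'MoveToFolder') {
                    $v = Get-AuditParam $d $p
                    if ($v -and $v -ne 'False') { "$p=$v" }
                }
                if ($actions) { "rule '$(Get-AuditParam $d 'Name')': $($actions -join ', ')" }
            }
            'Set-Mailbox' {
                $fwd = Get-AuditParam $d 'ForwardingSmtpAddress'
                if ($fwd) { "SMTP forwarding set to $fwd" }
            }
            'Add-MailboxPermission'  { "$(Get-AuditParam $d 'AccessRights') granted to $(Get-AuditParam $d 'User')" }
            'Consent to application.' { "OAuth consent to app $($d.ObjectId)" }
            'MailItemsAccessed' {
                $n = ($d.Folders | ForEach-Object { $_.FolderItems.Count } | Measure-Object -Sum).Sum
                "$n items read in $($d.Folders.Path -join ', ') via $($d.ClientInfoString)"
            }
            'Send' { "sent '$($d.Item.Subject)'" }
        }
        if ($detail) {
            $findings.Add([pscustomobject]@{
                Time      = [datetime]$d.CreationTime
                Operation = $d.Operation
                IP        = $ip
                Anomalous = ($KnownGoodIPs -notcontains $ip)
                Detail    = $detail
            })
        }
    }
    [pscustomobject]@{ Findings = $findings; IPs = $ipCounts }
}

# Constructed, abridged records in the shape Search-UnifiedAuditLog returns
$sample = @(
    @{ AuditData = '{"CreationTime":"2024-05-02T08:12:03","Operation":"MailItemsAccessed","UserId":"cfo@contoso.example","ClientIPAddress":"203.0.113.45","ClientInfoString":"Client=OWA","Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<a@x>"},{"InternetMessageId":"<b@x>"}]}]}' }
    @{ AuditData = '{"CreationTime":"2024-05-02T08:14:40","Operation":"New-InboxRule","UserId":"cfo@contoso.example","ClientIP":"203.0.113.45:51202","Parameters":[{"Name":"Name","Value":"."},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"},{"Name":"SubjectContainsWords","Value":"invoice;wire;payment"}]}' }
    @{ AuditData = '{"CreationTime":"2024-05-02T08:16:11","Operation":"Set-Mailbox","UserId":"cfo@contoso.example","ClientIP":"203.0.113.45:51202","Parameters":[{"Name":"Identity","Value":"cfo"},{"Name":"ForwardingSmtpAddress","Value":"smtp:cfo.backup@attacker.example"}]}' }
    @{ AuditData = '{"CreationTime":"2024-05-02T08:20:55","Operation":"Send","UserId":"cfo@contoso.example","ClientIPAddress":"203.0.113.45","Item":{"Subject":"Updated banking details for vendor payment"}}' }
    @{ AuditData = '{"CreationTime":"2024-05-02T09:01:00","Operation":"MailItemsAccessed","UserId":"cfo@contoso.example","ClientIPAddress":"198.51.100.8","ClientInfoString":"Client=Outlook","Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<c@x>"}]}]}' }
)

$summary = Get-BecActivitySummary -Records $sample -KnownGoodIPs '198.51.100.8'
$summary.Findings | Where-Object Anomalous | Format-Table Time, Operation, IP, Detail -AutoSize
$summary.IPs

# Live tenant (needs Connect-ExchangeOnline and the View-Only Audit Logs or Audit Logs role):
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -UserIds 'cfo@contoso.example' -ResultSize 5000 -SessionCommand ReturnLargeSet
# Get-BecActivitySummary -Records $live -KnownGoodIPs $corporateEgressIps
```

On the constructed records the four actions from 203.0.113.45 (the OWA read, the "." rule moving payment mail to RSS Subscriptions, the external SMTP forward, and the banking-details message) surface as anomalous, while the later Outlook access from the known-good address does not. The IP table is the quickest way to scope the compromise window: every record from the attacker address, first to last, bounds the period you then feed into Message Trace and the containment steps.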
Phase 3: Containment (Immediate)
Containment stops the bleeding. These actions should execute as soon as you've confirmed a BEC incident; don't wait for full analysis to complete. Containment and analysis can run in parallel.
BEC Containment Checklist
1. Revoke all active sessions (Automate, High Confidence)
Revoke the user's refresh tokens in Entra ID (Revoke-MgUserSignInSession). This kicks the attacker out of Microsoft 365 apps, Outlook, Teams, and so on, with one caveat: access tokens already issued stay valid until they expire (typically up to an hour) unless the client supports Continuous Access Evaluation, so revoke again after the password reset and watch for activity in the meantime.
2. Force password reset (Automate, High Confidence)
Reset the user's password via Entra ID, or in on-prem AD if the account is synced (hybrid). Use a strong, randomly generated temporary password, require a change at next sign-in, and deliver it out of band, never by email to the mailbox in question.
3. Force MFA re-enrollment (Automate, High Confidence)
Require the user to re-register all MFA methods. Attackers may have registered their own phone, authenticator app, or Temporary Access Pass during the compromise; remove every registered method rather than only the ones that look new, because you cannot always tell which is which.
4. Remove malicious inbox rules (Automate)
Export the current rule set as evidence, then disable or delete any rules created during the compromise window, especially those with ForwardTo, RedirectTo, DeleteMessage, or MoveToFolder actions.
5. Disable external forwarding (Automate)
Clear any mailbox-level SMTP forwarding (ForwardingSmtpAddress) pointing to an external address. Block automatic external forwarding at the tenant level in the outbound spam filter policy if that is not already done.
6. Revoke malicious OAuth apps (Semi-Automate)
Revoke the permission grants of any OAuth app consented to during the compromise window. Review enterprise app consents in Entra ID.
7. Block attacker infrastructure (Semi-Automate)
Add attacker IPs to a Conditional Access named location and block it with a policy. Block malicious sender domains and URLs in the Defender for Office 365 Tenant Allow/Block List.
8. Notify BEC email recipients (Human Decision)
Alert all recipients of fraudulent emails sent from the compromised account. Include the specific subjects and dates and warn them against taking the requested action.
9. Contact finance/legal if financial fraud was attempted (Human Decision)
If BEC emails requested wire transfers or payment changes, notify finance and legal immediately. If a payment was made, initiate bank recall procedures without delay; recall odds fall quickly, and the FBI's Financial Fraud Kill Chain, for instance, is aimed at international wires reported within 72 hours.
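Steps 1 through 6 of the containment checklist as one added example, written here and not taken from the page or from BitLyft AIR: a PowerShell function that enables the hold, resets the password and then revokes sessions, strips every registered MFA method, exports and disables suspicious inbox rules, clears mailbox forwarding, and writes the OAuth grants out for approval instead of revoking them. It supports -WhatIf so the same code is both the automated path and the analyst preview. It assumes an existing Connect-MgGraph session with User.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All, Application.Read.All and DelegatedPermissionGrant.ReadWrite.All (plus Directory.AccessAsUser.All or the Password Administrator role for the reset) and a Connect-ExchangeOnline session; the UPN, evidence path and attacker domain are placeholders.

```powershell
# Added example (not from the original page). Requires live Graph and Exchange Online
# sessions; run with -WhatIf first. Names and paths below are placeholders.

function New-TemporaryPassword {
    param([int]$Length = 24)
    # Cryptographically random; rejection sampling avoids the modulo bias of byte % n
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    $limit = 256 - (256 % $chars.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = [byte[]]::new(1)
    $sb    = [System.Text.StringBuilder]::new()
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

function Invoke-BecContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$EvidencePath = 'C:\IR\evidence'
    )
    New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

    # Preserve before changing anything: the hold keeps items the attacker tries to delete
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Enable litigation hold')) {
        Set-Mailbox -Identity $UserPrincipalName -LitigationHoldEnabled $true
    }

    # Steps 1 and 2: reset first, then revoke. Revoking first lets an attacker who still knows
    # the password sign straight back in. Issued access tokens live until expiry unless the
    # client supports Continuous Access Evaluation.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Reset password and revoke sessions')) {
        $temp = New-TemporaryPassword
        Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $temp; ForceChangePasswordNextSignIn = $true }
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
        Write-Verbose 'Temporary password generated; deliver it out of band, never to the mailbox'
    }

    # Step 3: remove every registered method; attacker-added ones look like the user's own.
    # If Graph refuses to delete the default method, fall back to 'Require re-register
    # multifactor authentication' in the Entra admin center.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Remove all MFA methods')) {
        foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
            $id = $m.Id
            switch ($m.AdditionalProperties['@odata.type']) {
                '#microsoft.graph.phoneAuthenticationMethod'                  { Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $id }
                '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' { Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $id }
                '#microsoft.graph.fido2AuthenticationMethod'                  { Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId $id }
                '#microsoft.graph.softwareOathAuthenticationMethod'           { Remove-MgUserAuthenticationSoftwareOathMethod -UserId $user.Id -SoftwareOathAuthenticationMethodId $id }
                '#microsoft.graph.emailAuthenticationMethod'                  { Remove-MgUserAuthenticationEmailMethod -UserId $user.Id -EmailAuthenticationMethodId $id }
                '#microsoft.graph.temporaryAccessPassAuthenticationMethod'    { Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -TemporaryAccessPassAuthenticationMethodId $id }
                # passwordAuthenticationMethod cannot be removed; Windows Hello keys are device-bound
            }
        }
    }

    # Step 4: export the rules as evidence, then disable (reversible) those that forward,
    # redirect or delete, or that carry the punctuation-only names attackers favour
    $rules = @(Get-InboxRule -Mailbox $UserPrincipalName)
    if ($rules) { $rules | Export-Clixml -Path (Join-Path $EvidencePath "$UserPrincipalName-inboxrules.xml") }
    $suspect = $rules | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or $_.Name -match '^[\s\W]*$'
    }
    foreach ($r in $suspect) {
        if ($PSCmdlet.ShouldProcess("$UserPrincipalName rule '$($r.Name)'", 'Disable inbox rule')) {
            Disable-InboxRule -Identity $r.Identity -Confirm:$false -AlwaysDeleteOutlookRulesBlob
        }
    }

    # Step 5: mailbox-level SMTP forwarding is separate from forwarding inbox rules
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear SMTP forwarding')) {
        Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    }

    # Step 6: grants have no timestamp, so the compromise-window match comes from the UAL
    # 'Consent to application.' events; list mail/file-scoped grants for human approval
    $review = foreach ($g in Get-MgUserOauth2PermissionGrant -UserId $user.Id -All) {
        if ($g.Scope -match 'Mail\.|MailboxSettings|Files\.|offline_access') {
            $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -Property DisplayName, AppId, PublisherName
            [pscustomobject]@{ GrantId = $g.Id; App = $sp.DisplayName; AppId = $sp.AppId; Publisher = $sp.PublisherName; Scope = $g.Scope }
        }
    }
    $review | Export-Csv -Path (Join-Path $EvidencePath "$UserPrincipalName-oauth.csv") -NoTypeInformation
    # After approval: Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
    return $review
}

Invoke-BecContainment -UserPrincipalName 'cfo@contoso.example' -WhatIf   # preview every action
# Invoke-BecContainment -UserPrincipalName 'cfo@contoso.example' -Verbose

# Tenant-wide, after approval (checklist steps 5 and 7):
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# New-TenantAllowBlockListItems -ListType Sender -Block -Entries 'attacker.example' -NoExpiration
```

The ordering is the part worth copying even if nothing else is: hold, then reset, then revoke, then MFA, so that no step leaves the attacker a way back in while the next one runs. Disabling rather than removing the rules is what makes the "Full Auto" decision for inbox rules safe: a legitimate rule caught by the filter is one Enable-InboxRule away from being restored, and the Clixml export preserves the exact rule definitions for the case file.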
BEC Response Automation Decision Matrix
Not everything should be automated. Use this matrix to determine which BEC response actions are safe to fully automate vs. those requiring human approval. See our guardrails guide for implementation details.
| Action | Automation Level | Why |
|---|---|---|
| Session revocation | Full Auto | Low business impact (the user simply signs in again); critical for containment |
| Password reset | Full Auto | Standard response; the user can self-recover via SSPR once attacker-registered MFA methods are gone (before that, SSPR is the attacker's way back in) |
| MFA re-enrollment | Full Auto | Essential for removing attacker persistence |
| Remove inbox rules | Full Auto | Rules created in the attack window are presumed malicious; disable rather than delete so a wrong call is reversible |
| Disable forwarding | Full Auto | External forwarding should be blocked by default anyway |
| Revoke OAuth apps | Approval | Could disrupt legitimate business apps; review first |
| Block IPs/domains | Approval | Risk of blocking legitimate services; verify IOCs first |
| Account disable | Approval | Full lockout; reserve for high-severity cases |
| Recipient notification | Manual | Requires context-aware messaging; external parties involved |
| Bank/legal escalation | Manual | Financial/legal decisions require human judgment |
Common BEC Indicators to Detect
Effective BEC response starts with detection. Train your automation to trigger on these indicators for faster triage:
Sign-In Anomalies
- Impossible travel (logins from distant locations in short time)
- Login from new device + new location simultaneously
- Sign-in from anonymizing VPN/proxy services
- MFA fatigue pattern (a burst of denied or unanswered MFA push prompts, often followed by a single approval)
Email Behavior
- New inbox rules created (especially with forwarding/deletion)
- Emails with payment/wire transfer keywords from exec accounts
- Reply-To address doesn't match sender domain
- External forwarding rule added to mailbox
OAuth/App Activity
- Consent to app with Mail.Read or Mail.Send permissions
- App consent from anomalous IP or following phish click
- Unknown publisher OAuth app with high-privilege scopes
Mailbox Changes
- Mailbox delegation added (SendAs, FullAccess)
- SMTP forwarding configured to external domain
- Mailbox audit logging disabled (it is on by default, so turning it off is itself an indicator)
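Two of the sign-in anomalies listed above, impossible travel and MFA fatigue, as an added example that is not part of the original page: PowerShell detections run over constructed Entra ID sign-in records shaped like Get-MgAuditLogSignIn output (CreatedDateTime, IpAddress, Location.GeoCoordinates, Status.ErrorCode, DeviceDetail). The 900 km/h speed threshold, the three-prompts-in-ten-minutes window, the coordinates and the IPs are assumptions for the demo; the error code 500121 is the real Entra ID code for a failed strong-authentication request.

```powershell
# Added example (not from the original page). Runs offline on constructed sign-ins;
# replace $sample with Get-MgAuditLogSignIn output in a live tenant.

function Get-DistanceKm {
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    # Haversine great-circle distance
    $toRad = [math]::PI / 180
    $dLat  = ($Lat2 - $Lat1) * $toRad
    $dLon  = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Pow([math]::Sin($dLat / 2), 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) * [math]::Pow([math]::Sin($dLon / 2), 2)
    2 * 6371.0 * [math]::Asin([math]::Sqrt($a))
}

function Find-ImpossibleTravel {
    param([Parameter(Mandatory)][object[]]$SignIns, [double]$MaxSpeedKmh = 900)
    # Compare each successful sign-in with the previous success from a different IP
    $ok = @($SignIns | Where-Object { $_.Status.ErrorCode -eq 0 } | Sort-Object CreatedDateTime)
    for ($i = 1; $i -lt $ok.Count; $i++) {
        $prev, $cur = $ok[$i - 1], $ok[$i]
        if ($prev.IpAddress -eq $cur.IpAddress) { continue }
        $km    = Get-DistanceKm $prev.Location.GeoCoordinates.Latitude $prev.Location.GeoCoordinates.Longitude `
                                $cur.Location.GeoCoordinates.Latitude  $cur.Location.GeoCoordinates.Longitude
        $hours = [math]::Max((([datetime]$cur.CreatedDateTime) - ([datetime]$prev.CreatedDateTime)).TotalHours, 1 / 3600)
        if ($km / $hours -gt $MaxSpeedKmh) {
            [pscustomobject]@{
                User      = $cur.UserPrincipalName
                From      = "$($prev.Location.City) ($($prev.IpAddress))"
                To        = "$($cur.Location.City) ($($cur.IpAddress))"
                Km        = [int]$km
                Hours     = [math]::Round($hours, 2)
                NewDevice = ($prev.DeviceDetail.OperatingSystem -ne $cur.DeviceDetail.OperatingSystem -or
                             $prev.DeviceDetail.Browser -ne $cur.DeviceDetail.Browser)
            }
        }
    }
}

function Find-MfaFatigue {
    param([Parameter(Mandatory)][object[]]$SignIns, [int]$Threshold = 3, [int]$WindowMinutes = 10)
    # 500121 = "Authentication failed during strong authentication request": a push that was
    # denied, timed out, or never answered. Count them per user and source IP in a sliding window.
    $pushFails = @($SignIns | Where-Object { $_.Status.ErrorCode -eq 500121 } | Sort-Object CreatedDateTime)
    foreach ($group in ($pushFails | Group-Object UserPrincipalName, IpAddress)) {
        $events = @($group.Group)
        for ($i = 0; $i + $Threshold - 1 -lt $events.Count; $i++) {
            $span = ([datetime]$events[$i + $Threshold - 1].CreatedDateTime) - ([datetime]$events[$i].CreatedDateTime)
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{ User = $events[0].UserPrincipalName; IP = $events[0].IpAddress; Prompts = $events.Count; FirstAt = $events[0].CreatedDateTime }
                break
            }
        }
    }
}

# Constructed sign-ins: a real London session, then three unanswered pushes and one
# approval from an attacker address in New York 35 minutes later
function New-SignIn($time, $ip, $city, $lat, $lon, $code, $os, $browser) {
    [pscustomobject]@{
        UserPrincipalName = 'cfo@contoso.example'; CreatedDateTime = $time; IpAddress = $ip
        Location     = @{ City = $city; GeoCoordinates = @{ Latitude = $lat; Longitude = $lon } }
        Status       = @{ ErrorCode = $code }
        DeviceDetail = @{ OperatingSystem = $os; Browser = $browser }
    }
}
$sample = @(
    New-SignIn '2024-05-02T07:58:00Z' '198.51.100.8' 'London'   51.5074  -0.1278 0      'Windows 11' 'Edge 124'
    New-SignIn '2024-05-02T08:30:10Z' '203.0.113.45' 'New York' 40.7128 -74.0060 500121 'Linux'      'Chrome 124'
    New-SignIn '2024-05-02T08:31:05Z' '203.0.113.45' 'New York' 40.7128 -74.0060 500121 'Linux'      'Chrome 124'
    New-SignIn '2024-05-02T08:32:40Z' '203.0.113.45' 'New York' 40.7128 -74.0060 500121 'Linux'      'Chrome 124'
    New-SignIn '2024-05-02T08:33:30Z' '203.0.113.45' 'New York' 40.7128 -74.0060 0      'Linux'      'Chrome 124'
)

Find-ImpossibleTravel -SignIns $sample | Format-Table -AutoSize
Find-MfaFatigue       -SignIns $sample | Format-Table -AutoSize

# Live tenant (Connect-MgGraph with AuditLog.Read.All):
# $live = Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'cfo@contoso.example'" -All
```

On the constructed data the London-to-New York pair is roughly 5,570 km in 0.59 hours, far above any commercial flight, and it arrives on a new operating system and browser, which is the "new device + new location" indicator from the list; the three 500121 events inside three minutes from the same IP trip the fatigue detection independently. Tune the speed threshold and window to your population before wiring either rule to the containment steps: VPN egress changes and delayed-replay mobile clients are the usual sources of false positives for the first rule, and a single legitimately missed push for the second.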
How BitLyft AIR Automates BEC Response
BitLyft AIR integrates directly with Microsoft 365 and Entra ID to execute BEC response in seconds, not hours. When a BEC indicator fires:
Instant Containment
Auto-revoke sessions, reset password, force MFA re-enrollment within 60 seconds of detection
Auto-Analysis
Pull UAL, identify malicious rules, map OAuth apps, and assess scope automatically
Built-In Guardrails
VIP approval workflows, rollback capability, and audit trail for every automated action
Analyst Handoff
Pre-populated incident with all evidence, ready for human decisions on notifications and escalation
Frequently Asked Questions
How quickly should BEC containment actions execute?
Session revocation, password reset, and MFA re-enrollment should execute within 60-120 seconds of confirmed BEC detection. Every minute of delay is another minute the attacker has access to the compromised mailbox.
Should I disable the account or just reset the password?
Password reset + session revocation + MFA re-enrollment is usually sufficient. Full account disable should be reserved for high-severity cases (executive account, confirmed financial fraud in progress) because it has higher business impact and requires IT to re-enable.
What if the attacker registered their own MFA device?
This is why MFA re-enrollment is critical. Forcing the user to re-register all MFA methods removes any authenticator app, phone number, or security key the attacker added. Without this step, an attacker-registered method survives the password reset: it can satisfy the MFA challenge on a later sign-in and, if self-service password reset is enabled, lets the attacker reset the password again themselves.
How do I detect BEC if the attacker is using the legitimate account?
Look for behavioral anomalies: impossible travel, new inbox rules, emails with payment keywords to unusual recipients, and OAuth app consents. Microsoft Defender for Office 365 generates alerts for many of these. Combine with Entra ID Protection risk signals for best coverage.