
What makes M365-based BEC particularly difficult to catch is the attacker's approach. Rather than faking a domain, they compromise a real account and send fraud from it. The email passes authentication checks, carries legitimate sender history, and lands in inboxes that would block an obvious spoof. Standard spam filters miss it entirely.
This guide covers exactly what defenders need: how to recognize a compromised M365 account, where to look for attack evidence, how to contain and investigate the incident, and which controls actually reduce your exposure going forward.
Key Takeaways
- BEC attackers exploit legitimate M365 accounts, not fake domains, which means DMARC and email authentication tools won't stop them
- Suspicious inbox rules, unexpected MFA changes, and external mail forwarding are the most common warning signs
- Detection requires Entra sign-in logs, Unified Audit Logs, and PowerShell inbox rule reviews — spam filters alone won't surface these attacks
- Immediate response: disable the account, revoke all active sessions, and audit attacker persistence before re-enabling access
- Prevention requires enforcing MFA, disabling legacy authentication protocols, and restricting external forwarding at the tenant level
Why Microsoft 365 Is a Prime Target for BEC Attacks
The Scale Problem
Microsoft 365 had over 400 million paid commercial seats as of FY24 Q2, making it the dominant enterprise email platform globally. That scale creates an enormous attack surface — and a compelling target for attackers who understand that compromising a real M365 account means operating inside trusted infrastructure.
Microsoft's Cyber Signals report documented 35 million BEC attempts detected between April 2022 and April 2023 — averaging 156,000 daily. Those aren't spoofed domains hitting spam filters. Many are real accounts, real sessions, real senders.
Why a Single Credential Is So Valuable
Once an attacker gains access to one M365 account, they don't just get email. According to Microsoft's own incident response documentation, a single compromised mailbox exposes:
- SharePoint folders and OneDrive files — contracts, financial records, HR documents
- Calendar and contact data — internal org structure, scheduled transactions, key relationships
- Teams conversations — ongoing negotiations, approval chains, sensitive operational detail
The email account is the entry point. Everything stored and communicated through it is the actual target — which is why a single set of stolen credentials can enable fraud far beyond what the victim ever anticipated.
The Dwell Time Problem
Attackers rarely act immediately after gaining access. Instead, they monitor — reading email threads, identifying ongoing transactions, mapping internal relationships, and waiting for the right moment. BEC compromises in M365 environments are typically discovered days or weeks after initial access — by which point wire transfers may already be completed and unrecoverable.
This dormancy period is deliberate. An attacker who has watched two weeks of email knows exactly when invoices are approved, who has payment authority, and what tone the CFO uses. When the fraudulent request arrives, it matches the language, timing, and context of legitimate transactions — which is precisely why so many get approved before anyone notices something is wrong.
Warning Signs: How to Recognize a Compromised M365 Account
Most compromised M365 accounts show multiple indicators before a fraud attempt succeeds. The catch: no single alert fires. These signals appear across different systems and only correlate clearly in hindsight.
Suspicious Inbox Rules
Attackers create inbox rules immediately after gaining access. Microsoft's compromised account documentation identifies the most common patterns:
- Silently forward all incoming mail to an attacker-controlled address (external forwarding)
- Move reply emails into obscure folders — Notes, RSS Subscriptions, or Junk — so the legitimate user never sees responses
- Auto-delete messages containing keywords like "wire transfer" or "invoice" before the account owner reads them

These rules are designed to stay invisible: the user's inbox looks normal while the attacker monitors every relevant thread.
Unusual Sign-In Activity
Review Entra sign-in logs for:
- Logins from geographic locations the user has never accessed
- Impossible travel events — sign-ins from two distant locations within minutes of each other (a risk detection Microsoft Entra ID Protection flags specifically)
- IP addresses flagged by Microsoft Threat Intelligence
- Sign-ins at 2 AM or other hours inconsistent with the user's normal pattern
Unexpected MFA Changes and New Devices
After gaining access, attackers commonly register their own authentication devices to maintain persistence even if the victim's password is reset. Watch for:
- New MFA methods — phone numbers or authenticator apps — the user doesn't recognize
- Devices registered to the account that were never authorized
- Authentication method changes made outside business hours
Outbound Mail Anomalies
Check Sent Items and run message traces for:
- Emails sent to vendors or finance teams requesting payment changes
- High-volume outbound sending to external addresses
- Wire transfer requests sent under the compromised user's name during known payment cycles
Mailbox Blocked From Sending
Microsoft automatically places users on the Restricted Entities list when their account is detected sending spam or exceeding outbound sending limits. A suddenly blocked mailbox is a strong retrospective indicator. It means the attacker already used the account for bulk sending before you caught it.
How to Detect BEC Activity in Your M365 Environment
Entra Sign-In and Audit Logs
Start in the Microsoft Entra admin center. Sign-in logs capture every authentication event. Filter by user and sort by date to identify the earliest suspicious activity. Key columns to review: IP address, location, application accessed, and success/failure status.
Don't start your review from the date the incident was reported. Start from two to four weeks earlier. Attackers often access accounts quietly for extended periods before the fraud attempt that triggers the alert.
Audit logs in Entra record tenant-level changes — user role assignments, MFA modifications, device registrations. These are separate from sign-in logs and just as critical to the full picture.
Unified Audit Log in Microsoft Purview
The Purview Unified Audit Log surfaces critical mailbox events. Search for:
- New-InboxRule and Set-InboxRule — rule creation or modification
- Set-Mailbox with ForwardingSmtpAddress — forwarding configuration changes
- SoftDelete and HardDelete — messages the attacker removed
- UserLoggedIn — mailbox access events

Avoid overly narrow date or keyword filters at the start. Cast a wide net to capture the full attack timeline before narrowing focus.
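The audit search described above, written out as an added example (not code from the original article) that pulls the listed operations for one user over a four-week window and flattens them into a timeline. It assumes Connect-ExchangeOnline has already been run with an audit-capable role; the UPN is a placeholder.

```powershell
# Added example: Unified Audit Log search for the operations the article lists.
# Assumes Connect-ExchangeOnline has been run. UPN and date window are placeholders.
$User  = 'victim@contoso.example'          # placeholder, replace with the real UPN
$Start = (Get-Date).AddDays(-28)           # cast a wide net: four weeks back
$End   = Get-Date
$Ops   = 'New-InboxRule','Set-InboxRule','Set-Mailbox','SoftDelete','HardDelete','UserLoggedIn'

# A single call returns at most 5000 records, so page with a session until the batch is short.
$records = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $User `
        -Operations $Ops -ResultSize 5000 -SessionId "bec-$User-$($Start.Ticks)" `
        -SessionCommand ReturnLargeSet
    $records += $batch
} while ($batch.Count -eq 5000)

# AuditData is a JSON string; expand the fields an investigator needs.
$timeline = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    # Set-Mailbox is only of interest here when it touched forwarding.
    if ($r.Operations -eq 'Set-Mailbox' -and
        -not ($d.Parameters.Name -contains 'ForwardingSmtpAddress' -or
              $d.Parameters.Name -contains 'ForwardingAddress')) { continue }
    [pscustomobject]@{
        Time       = $r.CreationDate
        Operation  = $r.Operations
        ClientIP   = $d.ClientIP
        Workload   = $d.Workload
        # Cmdlet records carry their arguments in Parameters; sign-in records have none.
        Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}

$timeline | Sort-Object Time | Format-Table -AutoSize
# Keep the raw records as evidence before anything is remediated.
$records | Export-Csv -Path ".\ual-$($User -replace '[@.]','_').csv" -NoTypeInformation
```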
Message Trace Analysis
Use the Message Trace tool in the Defender portal to verify exactly what emails were sent from the compromised account during the suspected window. This is critical because attackers frequently delete sent items to cover their tracks. Message trace data exists independently of the mailbox.
During your trace review, focus on:
- Confirming recipients of all outbound emails during the suspected window
- Identifying BEC messages directed at finance, HR, or vendor contacts
- Flagging high-volume external sends that fall outside the user's normal patterns
PowerShell Inbox Rule and Forwarding Review
The standard Outlook and OWA interfaces don't always surface attacker-created rules prominently. Run Get-InboxRule to see all rules and check these properties specifically:
- RedirectTo
- ForwardTo
- ForwardAsAttachmentTo
- DeleteMessage
Any rule with an external address in these fields — especially one created recently or at an unusual hour — warrants immediate investigation.
Inbox rules aren't the only forwarding vector. Attackers also configure forwarding directly at the mailbox level, which won't appear in rule exports. Run Get-Mailbox and check ForwardingSmtpAddress and ForwardingAddress. Any non-blank external address requires immediate remediation — disable it and preserve the value for your investigation record.
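The rule and forwarding review above as an added example (not code from the original article). It flags rules whose RedirectTo, ForwardTo or ForwardAsAttachmentTo targets fall outside the tenant's accepted domains, rules that delete or move mail, and mailbox-level forwarding. It assumes Connect-ExchangeOnline has been run; the mailbox name is a placeholder.

```powershell
# Added example: inbox rule and mailbox forwarding review for one mailbox.
# Assumes Connect-ExchangeOnline has been run. The mailbox is a placeholder.
$Mailbox = 'victim@contoso.example'

# Any domain the tenant accepts mail for is internal; everything else is external.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

function Test-External([string]$Address) {
    # Internal recipients can appear as legacy DNs ("[EX:/o=...]"); those are not external.
    if ($Address -match '\[EX:') { return $false }
    # Otherwise targets look like '"Display Name" [SMTP:user@domain]' or a bare address.
    if ($Address -match 'SMTP:([^\]\s]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1].ToLower()
    return -not ($internal -contains $domain)
}

$suspectRules = foreach ($rule in Get-InboxRule -Mailbox $Mailbox) {
    $targets = @($rule.RedirectTo) + @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) |
        Where-Object { $_ }
    $external = $targets | Where-Object { Test-External ([string]$_) }
    # Flag rules that send mail out, delete it, or park replies in an unexpected folder.
    if ($external -or $rule.DeleteMessage -or
        ($rule.MoveToFolder -and $rule.MoveToFolder -notmatch 'Inbox')) {
        [pscustomobject]@{
            Name            = $rule.Name
            Enabled         = $rule.Enabled
            ExternalTargets = ($external -join ', ')
            DeleteMessage   = $rule.DeleteMessage
            MoveToFolder    = $rule.MoveToFolder
            Description     = $rule.Description   # human-readable summary of the rule
        }
    }
}
$suspectRules | Format-List

# Mailbox-level forwarding never appears in Get-InboxRule output.
$mbx = Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    # Preserve the values for the investigation record before anyone clears them.
    $mbx | Export-Csv -Path ".\forwarding-$($Mailbox -replace '[@.]','_').csv" -NoTypeInformation
    Write-Warning "Mailbox-level forwarding is set:`n$($mbx | Out-String)"
}
```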
Step-by-Step Response to M365 Email Compromise
Step 1 — Contain the Account Immediately
Disable the compromised account in Entra ID, or reset the password with a strong, unique credential if disabling isn't immediately feasible. One critical rule: never send the new credentials via email. If the attacker still has session access, they'll see it.
Step 2 — Revoke All Active Sessions
A password reset alone is insufficient. Existing session tokens remain valid until explicitly revoked, meaning an attacker with a cached token stays in the account. Run Revoke-MgUserSignInSession to invalidate all refresh tokens and force reauthentication across every active session.
Password reset + session revocation together close the attacker's access. Either one alone leaves a gap. Note that access tokens issued before the revocation remain usable until they expire (by default up to an hour), so revocation closes the door over the following hour rather than instantly; disabling the account in Step 1 is what stops new tokens from being issued in the meantime.
Step 3 — Audit and Remove Attacker Persistence
Work through this checklist systematically:
- Remove unrecognized MFA devices and authentication methods
- Revoke unauthorized third-party application consents (OAuth apps the attacker may have added)
- Review and remove any admin roles assigned to the account during the compromise window
- Delete all attacker-created inbox rules
- Remove unauthorized forwarding from both inbox rules and mailbox-level settings
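Steps 1 to 3 run as one script, as an added example (not code from the original article). Attacker artifacts are exported before removal so the investigation record survives. It assumes Connect-MgGraph (with User.ReadWrite.All and Directory.AccessAsUser.All or equivalent scopes) and Connect-ExchangeOnline have been run; the UPN, evidence folder, rule names and grant ids are placeholders to be filled in from the review.

```powershell
# Added example: contain, revoke, then record and remove persistence.
# Assumes Connect-MgGraph and Connect-ExchangeOnline have been run. Placeholders below.
$Upn      = 'victim@contoso.example'
$Evidence = ".\bec-$((Get-Date).ToString('yyyyMMdd-HHmm'))"
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# Step 1: contain. Disabling the account stops new sign-ins and new token issuance at once.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# Step 2: revoke sessions. Refresh tokens are invalidated; cached access tokens expire on their own.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# Step 3a: preserve evidence of persistence before touching any of it.
Get-InboxRule -Mailbox $Upn                  | Export-Clixml "$Evidence\inbox-rules.xml"
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Export-Clixml "$Evidence\forwarding.xml"
Get-MgUserAuthenticationMethod -UserId $Upn  | Export-Clixml "$Evidence\auth-methods.xml"
Get-MgUserOauth2PermissionGrant -UserId $Upn | Export-Clixml "$Evidence\oauth-grants.xml"
Get-MgUserRegisteredDevice -UserId $Upn      | Export-Clixml "$Evidence\devices.xml"
Get-MgUserMemberOf -UserId $Upn              | Export-Clixml "$Evidence\roles-and-groups.xml"

# Step 3b: remove the rules identified as attacker-created during the review (placeholder names).
$AttackerRules = @('Rule-name-from-review')
Get-InboxRule -Mailbox $Upn | Where-Object { $AttackerRules -contains $_.Name } |
    ForEach-Object { Remove-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false }

# Step 3c: clear mailbox-level forwarding, which inbox rule cleanup does not touch.
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null `
    -DeliverToMailboxAndForward $false

# Step 3d: revoke OAuth consents the user does not recognize (grant ids from the export).
$RevokeGrantIds = @()    # placeholder: fill in after reviewing oauth-grants.xml
$RevokeGrantIds | ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_ }

# Step 3e: MFA methods are typed objects; list them with their type so the unrecognized
# ones can be removed with the matching Remove-MgUserAuthentication*Method cmdlet.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
    Format-Table -AutoSize
```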

Step 4 — Investigate Scope and Notify Affected Parties
Map the full attacker timeline: which emails were read, what files were accessed in SharePoint or OneDrive, whether downstream accounts received phishing messages from the compromised account, and whether any financial transfers were initiated.
For organizations facing financial fraud, legal exposure, or regulatory obligations, this forensic work requires more than an internal IT review. Prudential Associates' incident response team (holding GCIH, GCFA, CISSP, and more than 30 professional credentials) uses digital forensics methods and law enforcement investigative experience to build defensible evidentiary timelines.
Those timelines are built for a purpose: supporting insurance claims, regulatory reporting, and litigation.
After Containment Is Complete
Once the investigation concludes:
- Re-enable the account with MFA enforced before the user logs back in
- Remove the user from the Restricted Entities list if Microsoft blocked outbound sending
- Document every remediation action taken — what was found, what was removed, what was changed, and when
Cyber insurers, regulators, and opposing counsel will all request this documentation. Prudential Associates delivers formal forensic reports that meet evidentiary standards, maintaining chain of custody from collection through analysis.
Hardening Your M365 Environment Against Future Attacks
Enforce MFA — and Block Legacy Authentication
MFA is the most effective single control against credential-based compromise. Microsoft's own research found MFA blocks over 99.9% of account compromise attacks. CISA states it makes accounts 99% less likely to be hacked.
But MFA only works when it can't be bypassed. Legacy authentication protocols (SMTP AUTH, IMAP, POP3) don't support modern MFA and give attackers a way around it. CISA explicitly recommends disabling legacy authentication when it isn't needed. For admin accounts, go further: implement phishing-resistant MFA using FIDO2 security keys or certificate-based authentication.

Implement Email Authentication and Restrict Forwarding
Conditional Access policies are the enforcement layer here. Configure them to evaluate device compliance, user location, and risk signals before granting access — a sign-in from an unmanaged device in an unexpected country should trigger step-up authentication or be blocked outright.
Pair that with least-privilege access across SharePoint, administrative consoles, and sensitive data stores. A compromised standard user account should have a limited reach by design. Contain the blast radius before an incident, not after.
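The tenant-level controls this section and the previous one call for, as an added example (not code from the original article): each setting is read first and then hardened, so the weak value and the corrected one can be compared. It assumes Connect-ExchangeOnline and Connect-MgGraph (Policy.ReadWrite.ConditionalAccess scope) have been run, and it creates the Conditional Access policy in report-only mode so sign-in logs show what it would block before it is enforced.

```powershell
# Added example: restrict external forwarding, switch off legacy protocols, and stage a
# Conditional Access block for legacy authentication. Assumes both connections exist.

# 1. Restrict automatic external forwarding at the tenant level.
#    'Automatic' or 'On' lets a rule or mailbox setting push mail outside the tenant.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# The Default remote domain also governs auto-forwarding; turn it off there as well.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Disable legacy protocols that bypass MFA. SMTP AUTH is switched off tenant-wide;
#    IMAP and POP are switched off in the mailbox plan (new mailboxes) and per mailbox.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false

# 3. Conditional Access: block legacy authentication clients for all users.
#    Report-only first; switch state to 'enabled' once the sign-in log review is clean.
#    Add break-glass accounts to an excludeUsers list before enforcing.
$policy = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')   # 'other' = basic-auth clients
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```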
For organizations that need continuous visibility into sign-in anomalies, inbox rule changes, and privilege escalation, Prudential Associates offers managed detection and response services backed by over 50 years of security experience and a CrowdStrike partnership.
Frequently Asked Questions
How do you detect business email compromise?
BEC detection requires monitoring Entra sign-in logs for unusual activity, reviewing inbox rules for external forwarding or deletion behavior, checking outbound message trace data, and auditing mailbox forwarding settings. Standard spam filters miss most BEC because the emails originate from legitimate compromised accounts.
How can you prevent a business email compromise attack?
Three prevention layers form the core defense:
- Enforce MFA, with phishing-resistant options required for administrators
- Configure SPF, DKIM, and DMARC to block domain spoofing
- Train employees to verify any unusual financial request through a separate channel before acting
What is an example of a business email compromise attack?
An attacker compromises a CFO's M365 account, monitors it silently for two weeks, then sends a wire transfer request during a known vendor payment cycle — from the CFO's real address. Every authentication check passes because the email came from the legitimate account.
How common is business email compromise?
The FBI's 2025 Internet Crime Report recorded 24,768 BEC complaints and $3.04 billion in losses — ranking it among the costliest cybercrime categories year after year. It affects organizations of every size across every industry, not just large enterprises.
What are the warning signs of a compromised Microsoft 365 account?
Top signals include inbox rules the user didn't create, MFA methods or devices the user doesn't recognize, sign-ins from unexpected geographic locations, and the mailbox being blocked by Microsoft from sending outbound email.
What should I do immediately after discovering a BEC attack?
Disable or lock the compromised account, then run Revoke-MgUserSignInSession to invalidate all active tokens. Password reset alone isn't sufficient. If a fraudulent wire transfer was initiated, contact your bank immediately — recovery windows close quickly.