Business Email Compromise (BEC) Response and Investigation

Our experts have honed every step of the investigative process and created unique tools for multiple platforms to deliver timely and defensible answers for BEC challenges—from misdirected payments to the compromise of sensitive data or unauthorized access to the greater network environment. 

What is Business Email Compromise?

Business email compromise is the unauthorized access to one or more mailboxes by a threat actor. Threat actors have historically performed BEC attacks in order to commit financial fraud, such as misdirecting payments or wire transfers to an actor-controlled bank account. While financial fraud is still a primary goal, actors are increasingly evolving BEC attacks to gain greater access—from exploring connected SharePoint, OneDrive and Teams areas to pivoting to network environments where they can exfiltrate and sometimes encrypt (ransom) sensitive data. 

Common BEC Attack Vectors and Mitigation Steps

BEC attacks most commonly begin with a phishing email message that contains a malicious attachment or layered redirect links to credential harvesting websites. In recent years, Kroll has observed threat actors evolving their tactics to include:

• Phishing via voicemail (vishing) and text message (smishing)
• Multi-factor authentication (MFA) prompt bombing or MFA fatigue
• Adversary-in-the-middle (AiTM) phishing campaigns where threat actors can steal passwords and hijack active user sessions even with MFA enabled.
• Leveraging passwords exposed in an unrelated third-party breach, especially in the case of credential reuse (the habit of using the same or similar password for multiple accounts)
• Exploiting software vulnerabilities to include those in Microsoft Exchange servers 
• Exploiting access gained in a ransomware attack to compromise email accounts
• Exfiltrating and deleting cloud data and then ransoming to not release the stolen information

Recently, Kroll experts demonstrated an evolution in threat actor tactics by using the data transfer program Rclone via a compromised M365 account to download a massive number of files from SharePoint—all without remote access to a host. This new tactic, M365 Theft/Extortion, follows a similar threat actor pattern commonly seen in more traditional incident response type matters.

Kroll offers a number of solutions in order to protect your organization from falling victim to a business email compromise attack: 

Full Service BEC Investigations 

Our forensic investigators and analysts can do a full tenant review, including full log analysis where Kroll reviews for suspicious activity related to previously identified indicators of compromise (IOC), as well as foreign logins or access to mailboxes within an email environment, Enterprise mail rule review and a detailed forensic report.

Fixed Fee BEC Solution 

Our experts have created an efficient, budget-friendly automated tool that provides a simplified report of the investigative findings. This tool will answer key questions to help determine the extent of the compromise on an effected account/tenant. 

Kroll is a Recognized Global Leader in Business Email Compromise Investigations

Our experts are well-equipped to help you during every step of a BEC investigation. Kroll forensic investigators possess industry-leading forensic training and certifications, including GCFE, CFCE and GCFA, and extensive knowledge of email systems, including Microsoft Azure, Microsoft 365, Exchange and many APIs that can greatly expedite the investigation and uncover hard-to-spot activity. Kroll’s team consists of hundreds of examiners based in more than 16 countries across five continents and can meet varying needs for geographical-based legal requirements for client data storage, as well as residency requirements for examiners handling sensitive data. 

Our team also has litigation support expertise, including several Relativity certifications and global forensic labs, so we can more efficiently and quickly perform managed mailbox review. Additionally, we work closely with 60+ cyber insurance carriers and hundreds of law firms so investigations are protected and move seamlessly. 

Read more business email compromise case studies from our library to see our experts in action.

Take the Proactive Step – Business Email Compromise Prevention and Monitoring

In order to best prepare your organization against a BEC attack, Kroll experts can perform email and cloud security assessments to help harden mailboxes, assist with cloud system configuration and monitoring, and conduct simulated phishing attacks to help educate your staff. Additionally, Kroll Responder provides managed detection and response (MDR) monitoring for Office 365 to flag any suspicious behavior as well as ingest mail logs and survey for malicious activity. 

Business Email Compromise Response via a Retainer 

BEC can often be one aspect of a deeper compromise and may require deeper incident response, litigation support and even data breach notification support. Kroll clients can package full service or fixed fee BEC solutions with Kroll’s Cyber Risk Retainer, which gives you prioritized access to elite investigators and flexibility to allocate incident response resources as well as all other cybersecurity solutions offered by Kroll.