This runbook provides standardized response procedures for Business Email Compromise (BEC) incidents in Microsoft 365 environments. It is intended for technical responders and covers rapid containment, evidence preservation, and recovery.
Incident Type: Business Email Compromise (BEC)
Risk Level: High
Primary Impact Areas:
- Unauthorized mailbox access
- Credential compromise
- Lateral movement via email
- Fraud, data exfiltration, persistence via mailbox rules or OAuth apps
Common Indicators of BEC
- Suspicious or newly created inbox rules, especially forwarding, redirect, or delete rules
- MFA push fatigue (repeated prompts until the user approves one) or MFA bypass
- Unexpected OAuth app consent grants, particularly for mail permissions
- Sign-in activity from unfamiliar IP addresses, geolocations, or devices
- User reports of sent emails they did not author, or of replies to messages they never sent
Immediate Containment
⚠️ These steps should be completed as soon as BEC is confirmed or strongly suspected.
- Reset the user's password
  - Set a strong, unique temporary password and require a change at next sign-in
- Revoke all active sessions
  - This includes browser sessions, mobile apps, and refresh tokens held by legacy authentication clients
- Reset MFA
  - Remove all existing authentication methods, including any the attacker may have added
  - Re-enroll the user in MFA after remediation, verifying their identity out of band
Technician Notes
- Password resets alone do NOT invalidate tokens already issued; access tokens stay valid until they expire, so explicit revocation is required
- Session revocation is mandatory
- MFA "Reset" ≠ MFA "Re-register": resetting removes the registered methods, re-registration is what the user does afterwards. Review the method list before re-enrollment so an attacker-added phone number or authenticator app is not carried over
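The three containment steps above as one script, added here as an example and not part of the original runbook. It uses the Microsoft Graph PowerShell SDK and assumes Connect-MgGraph has already been run with User.ReadWrite.All, Directory.AccessAsUser.All (for session revocation) and UserAuthenticationMethod.ReadWrite.All; $Upn is a placeholder for the compromised account.

```powershell
# Added example, not part of the original runbook: containment with the
# Microsoft Graph PowerShell SDK. Assumes Connect-MgGraph has already been run
# with User.ReadWrite.All, Directory.AccessAsUser.All (session revocation) and
# UserAuthenticationMethod.ReadWrite.All. $Upn is a placeholder.
param(
    [Parameter(Mandatory)] [string] $Upn
)
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.SignIns

# 1. Strong, unique temporary password (24 random bytes => 32 Base64 characters,
#    which satisfies Entra complexity rules) with a forced change at next sign-in.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
Write-Host "Temporary password set for $Upn; deliver it to the user out of band."

# 2. Revoke refresh tokens and browser sessions. Access tokens already issued
#    stay valid until they expire, so do this immediately after the reset.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Remove every registered MFA method except the password itself. Each method
#    type has its own Remove-* cmdlet; the @odata.type of the entry selects it.
foreach ($m in Get-MgUserAuthenticationMethod -UserId $Upn) {
    $type = $m.AdditionalProperties['@odata.type']
    switch ($type) {
        '#microsoft.graph.passwordAuthenticationMethod' { }   # cannot be removed
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId $m.Id }
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $Upn -SoftwareOathAuthenticationMethodId $m.Id }
        '#microsoft.graph.fido2AuthenticationMethod' {
            Remove-MgUserAuthenticationFido2Method -UserId $Upn -Fido2AuthenticationMethodId $m.Id }
        '#microsoft.graph.emailAuthenticationMethod' {
            Remove-MgUserAuthenticationEmailMethod -UserId $Upn -EmailAuthenticationMethodId $m.Id }
        '#microsoft.graph.temporaryAccessPassAuthenticationMethod' {
            Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn -TemporaryAccessPassAuthenticationMethodId $m.Id }
        default { Write-Warning "Unhandled method type $type (id $($m.Id)); remove it in the Entra admin center" }
    }
}

# 4. Confirm only the password method remains before the user re-enrolls.
Get-MgUserAuthenticationMethod -UserId $Upn | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
```

Step 4 is the "reset ≠ re-register" check: if anything other than the password method is still listed, the attacker's method would survive re-enrollment.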
Sign-In Activity Review
Review sign-in activity around the suspected compromise window for:
- Unknown IP addresses (compare against corporate egress and VPN ranges)
- Risky sign-ins
- Legacy authentication usage (IMAP, POP, SMTP AUTH, Exchange ActiveSync); these protocols cannot complete an MFA challenge
- Impossible travel scenarios (successive sign-ins from locations too far apart for the elapsed time)
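The review above as a script, added here as an example and not part of the original runbook. It pulls the user's sign-in log from Microsoft Graph and flags all four conditions; it assumes Connect-MgGraph with AuditLog.Read.All and Directory.Read.All, an Entra ID P1/P2 licence (required for sign-in log access through Graph), and treats $Upn, $Days, $KnownIps and the legacy client-name list as placeholders to adjust for the tenant.

```powershell
# Added example, not from the original runbook: pull the user's sign-in log
# from Microsoft Graph and flag unknown IPs, risky sign-ins, legacy auth and
# impossible travel. Assumes Connect-MgGraph with AuditLog.Read.All and
# Directory.Read.All (Entra ID P1/P2). Interactive sign-ins only by default;
# review non-interactive sign-ins in the portal as well.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [int]      $Days     = 14,
    [string[]] $KnownIps = @()      # corporate egress / VPN addresses you trust (placeholder)
)
Import-Module Microsoft.Graph.Reports

$since   = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" -All |
           Sort-Object CreatedDateTime

# clientAppUsed values that mean legacy (basic) authentication. These protocols
# cannot complete an MFA challenge, so a success here is a confirmed bypass.
$legacyClients = 'Exchange ActiveSync', 'Other clients', 'IMAP4', 'POP3', 'Authenticated SMTP',
                 'MAPI Over HTTP', 'Exchange Web Services', 'Outlook Anywhere (RPC over HTTP)', 'Autodiscover'

$findings = @(foreach ($s in $signIns) {
    $reasons = @()
    if ($KnownIps.Count -gt 0 -and $s.IpAddress -notin $KnownIps) { $reasons += 'unknown-ip' }
    if ($s.RiskLevelDuringSignIn -in 'medium', 'high')             { $reasons += "risk:$($s.RiskLevelDuringSignIn)" }
    if ($s.ClientAppUsed -in $legacyClients)                        { $reasons += "legacy:$($s.ClientAppUsed)" }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time    = $s.CreatedDateTime
            Ip      = $s.IpAddress
            Country = $s.Location.CountryOrRegion
            City    = $s.Location.City
            App     = $s.AppDisplayName
            Client  = $s.ClientAppUsed
            Result  = $(if ($s.Status.ErrorCode -eq 0) { 'success' } else { "fail:$($s.Status.ErrorCode)" })
            Reason  = $reasons -join ','
        }
    }
})

# Impossible travel: two successful sign-ins from different countries less than
# $MaxHours apart. Crude on purpose; confirm against VPN/proxy use before acting.
$MaxHours = 2
$prev = $null
foreach ($s in ($signIns | Where-Object { $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion })) {
    if ($prev -and $s.Location.CountryOrRegion -ne $prev.Location.CountryOrRegion -and
        ($s.CreatedDateTime - $prev.CreatedDateTime).TotalHours -lt $MaxHours) {
        $minutes = [int]($s.CreatedDateTime - $prev.CreatedDateTime).TotalMinutes
        $findings += [pscustomobject]@{
            Time = $s.CreatedDateTime; Ip = $s.IpAddress; Country = $s.Location.CountryOrRegion
            City = $s.Location.City;   App = $s.AppDisplayName; Client = $s.ClientAppUsed; Result = 'success'
            Reason = "impossible-travel:$($prev.Location.CountryOrRegion)->$($s.Location.CountryOrRegion) in ${minutes}m"
        }
    }
    $prev = $s
}
$findings | Sort-Object Time | Format-Table -AutoSize

# Every IP behind a flagged sign-in becomes an IOC for the tenant-wide scope check.
$findings.Ip | Sort-Object -Unique
```

The impossible-travel pass deliberately compares only consecutive successful sign-ins by country; a two-hour threshold catches a London-to-Lagos pair without flagging every cross-border VPN exit, but tune it to the business.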
Device Review
- Review Entra ID (Azure AD) → Devices
- Look for:
  - New devices registered near the compromise time
  - Entra-joined or Entra-registered devices you do not recognize
- Disable suspicious devices; delete them only after evidence has been collected
Technician Notes
- Attackers frequently register their own device to retain access even after a password reset; disable the device in addition to revoking sessions
- Pay special attention to "Azure AD Registered" (Entra registered) devices, which any user can add from an unmanaged machine unless device registration is restricted
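The device review as a script, added here as an example and not part of the original runbook. It lists devices registered to or owned by the user through Microsoft Graph, flags those registered inside the compromise window or Entra registered without management, and disables (rather than deletes) them so the object survives for forensics; it assumes Connect-MgGraph with Directory.ReadWrite.All, and $Upn, $CompromiseStart and the -Disable switch are placeholders.

```powershell
# Added example, not from the original runbook: enumerate and triage the user's
# devices via Microsoft Graph. Assumes Connect-MgGraph with
# Directory.ReadWrite.All. $Upn and $CompromiseStart are placeholders.
param(
    [Parameter(Mandatory)] [string]   $Upn,
    [Parameter(Mandatory)] [datetime] $CompromiseStart,
    [switch] $Disable     # leave off until the device list has been exported
)
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement

# Both relationships return generic directoryObjects; device attributes sit in
# AdditionalProperties. Merge the two lists and de-duplicate on object id.
$raw = @(Get-MgUserRegisteredDevice -UserId $Upn -All) + @(Get-MgUserOwnedDevice -UserId $Upn -All)
$devices = @($raw | Sort-Object Id -Unique | ForEach-Object {
    $p = $_.AdditionalProperties
    [pscustomobject]@{
        ObjectId    = $_.Id                       # what Update-MgDevice / Remove-MgDevice take as -DeviceId
        DeviceId    = $p['deviceId']              # the GUID shown in the portal
        DisplayName = $p['displayName']
        OS          = "$($p['operatingSystem']) $($p['operatingSystemVersion'])"
        TrustType   = $p['trustType']             # Workplace = Entra registered, AzureAd = Entra joined, ServerAd = hybrid
        IsManaged   = [bool]$p['isManaged']
        Registered  = $(if ($p['registrationDateTime']) { [datetime]$p['registrationDateTime'] } else { $null })
        LastSignIn  = $(if ($p['approximateLastSignInDateTime']) { [datetime]$p['approximateLastSignInDateTime'] } else { $null })
        Enabled     = $p['accountEnabled']
    }
})
$devices | Format-Table DisplayName, TrustType, IsManaged, Registered, LastSignIn, Enabled -AutoSize

# Attackers register from their own machine: the result is an Entra registered
# (Workplace) device with no MDM, typically created shortly after the first
# malicious sign-in. Registration inside the window is the strongest signal.
$suspicious = @($devices | Where-Object {
    ($_.Registered -and $_.Registered -ge $CompromiseStart) -or
    ($_.TrustType -eq 'Workplace' -and -not $_.IsManaged)
})
"$($suspicious.Count) suspicious device(s):"
$suspicious | Format-Table DisplayName, DeviceId, TrustType, Registered -AutoSize

if ($Disable) {
    foreach ($d in $suspicious) {
        Update-MgDevice -DeviceId $d.ObjectId -AccountEnabled:$false
        Write-Warning "Disabled '$($d.DisplayName)' ($($d.DeviceId)); delete with Remove-MgDevice after the case closes"
    }
}
```

Note that the Graph cmdlets take the directory object id as -DeviceId, not the deviceId GUID displayed in the portal; the script keeps both so the warning text matches what the portal shows.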
OAuth Application Review
- Review Enterprise Applications assigned to or consented by the user
- Look for:
  - Recently added applications
  - Apps granted Mail.Read, Mail.ReadWrite, or offline_access (offline_access yields a refresh token, so the app keeps working without the user signing in again)
- Remove unauthorized or suspicious apps and revoke their permission grants
- Verify whether the user consented to any OAuth apps during the incident window
Technician Notes
- OAuth consent grants survive password resets and session revocation; the grant must be revoked explicitly
- Very common BEC persistence mechanism
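The OAuth review as a script, added here as an example and not part of the original runbook. It enumerates the user's delegated permission grants through Microsoft Graph, resolves each client service principal, flags mail and persistence scopes, and revokes the grants you confirm as malicious; it assumes Connect-MgGraph with Directory.Read.All and DelegatedPermissionGrant.ReadWrite.All. The scope list extends the runbook's three with Mail.Send, MailboxSettings.ReadWrite and a few others as an assumption; $Upn and the -Revoke switch are placeholders.

```powershell
# Added example, not from the original runbook: list, triage and revoke the
# user's delegated OAuth grants. Assumes Connect-MgGraph with Directory.Read.All
# and DelegatedPermissionGrant.ReadWrite.All. $Upn is a placeholder; the scope
# list beyond Mail.Read / Mail.ReadWrite / offline_access is an assumption.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [switch] $Revoke     # leave off until logs are collected
)
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns

$riskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Mail.ReadWrite.Shared', 'Mail.Read.Shared',
               'MailboxSettings.ReadWrite', 'offline_access', 'Files.ReadWrite.All', 'Contacts.Read'

$tenantId = (Get-MgContext).TenantId
$user     = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName

# Delegated grants where this user is the principal (consentType "Principal" =
# the user consented for themselves, the usual BEC pattern).
$grants = @(Get-MgUserOauth2PermissionGrant -UserId $user.Id -All)

$report = @(foreach ($g in $grants) {
    $sp     = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -Property DisplayName, AppId, AppOwnerOrganizationId, PublisherName, AccountEnabled
    $scopes = @($g.Scope -split '\s+' | Where-Object { $_ })
    $hits   = @($scopes | Where-Object { $_ -in $riskyScopes })
    [pscustomobject]@{
        GrantId     = $g.Id
        App         = $sp.DisplayName              # attacker-chosen; do not trust it for identification
        AppId       = $sp.AppId                    # stable identifier, use this as the IOC
        Publisher   = $sp.PublisherName            # empty for unverified publishers
        ThirdParty  = ($sp.AppOwnerOrganizationId -ne $tenantId)
        ConsentType = $g.ConsentType
        RiskyScopes = $hits -join ' '
        AllScopes   = $g.Scope
        Suspicious  = ($hits.Count -gt 0)
    }
})
$report | Sort-Object Suspicious -Descending |
    Format-Table App, AppId, Publisher, ThirdParty, ConsentType, RiskyScopes -AutoSize

if ($Revoke) {
    foreach ($r in ($report | Where-Object Suspicious)) {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $r.GrantId
        Write-Warning "Revoked grant $($r.GrantId) for '$($r.App)' ($($r.AppId))"
    }
    # Removing the grant does not kill refresh tokens the app already holds;
    # revoke the user's sessions as well.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
}
```

Record the AppId, not the display name, in the case file: the name is attacker-controlled and is often chosen to imitate a Microsoft or well-known vendor application.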
Mailbox Review
(PowerShell examples assume Exchange Online PowerShell; run Connect-ExchangeOnline first and set $Mailbox to the compromised user's address)
$Mailbox = "<compromised-user-upn>"
# Inbox Rules Review (-IncludeHidden also returns rules created via MAPI/EWS that Outlook does not display)
Get-InboxRule -Mailbox $Mailbox -IncludeHidden | Format-List Name, Enabled, Priority, Description
# Mailbox Forwarding (check all three: directory forwarding, SMTP forwarding, and whether a copy is kept in the mailbox)
Get-Mailbox -Identity $Mailbox | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
# Mailbox Permissions (exclude the owner's own entry and inherited defaults)
Get-MailboxPermission -Identity $Mailbox | Where-Object { $_.User -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited }
# Send-As Permissions
Get-RecipientPermission -Identity $Mailbox | Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' }
# Message Trace (defaults to the last 48 hours; specify a range, up to 10 days back)
Get-MessageTrace -SenderAddress $Mailbox -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date)
- Review all inbox rules, including hidden rules
- Look for:
  - Auto-forwarding, redirect, or forward-as-attachment actions
  - Hiding rules: mark as read, delete, or move to a rarely viewed folder (RSS Feeds, Archive, Conversation History), often keyed on words such as "invoice", "payment", or "password"
  - Rules with blank, single-character, or otherwise meaningless names
- Remove all malicious rules
- Check:
  - Mailbox-level forwarding (ForwardingAddress, ForwardingSmtpAddress)
  - Transport rules (admin-level mail flow rules that redirect or BCC messages; these never appear in the user's mailbox)
- Disable unauthorized forwarding immediately
Sent Mail Review
- Review messages the mailbox sent during the incident window for:
  - Fraud attempts (payment redirection, changed bank details, urgent wire requests)
  - Lateral phishing to other internal users
  - External recipients, especially free-mail and look-alike domains
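The rule, forwarding and sent-mail review as one script, added here as an example and not part of the original runbook. It runs in Exchange Online PowerShell (Connect-ExchangeOnline already done), detects the rule patterns listed above including hidden rules, checks mailbox-, tenant- and transport-level forwarding, summarizes external recipients from the message trace, and only removes what it found when -Remediate is set. $Mailbox, $Days, the folder list and the keyword list are placeholders and assumptions drawn from common attacker rules.

```powershell
# Added example, not from the original runbook. Exchange Online PowerShell.
# $Mailbox, $Days and -Remediate are placeholders; the folder and keyword lists
# are assumptions about typical attacker rules, extend them for your tenant.
param(
    [Parameter(Mandatory)] [string] $Mailbox,
    [int]    $Days = 10,          # Get-MessageTrace reaches back at most 10 days
    [switch] $Remediate           # leave off until evidence has been exported
)
$internalDomains = (Get-AcceptedDomain).DomainName

# --- Inbox rules. -IncludeHidden returns rules created through MAPI/EWS that
#     Outlook does not display, a standard way to hide an exfiltration rule.
$hideFolders = 'RSS Feeds', 'RSS Subscriptions', 'Archive', 'Conversation History', 'Junk Email', 'Deleted Items'
$hideRegex   = ($hideFolders | ForEach-Object { [regex]::Escape($_) }) -join '|'
$keywords    = 'invoice|payment|wire|bank|remit|password|hack|phish|fraud|suspicious|security'
$rules = @(Get-InboxRule -Mailbox $Mailbox -IncludeHidden)
$badRules = @($rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or           # exfiltration
    $_.DeleteMessage -or                                                        # hides replies / security alerts
    ($_.MoveToFolder -and $_.MoveToFolder -match $hideRegex) -or
    ($_.MarkAsRead -and "$($_.SubjectContainsWords) $($_.BodyContainsWords)" -match $keywords) -or
    $_.Name -match '^[\s.,_-]{0,3}$'                                            # blank or "." style names
})
"Inbox rules: $($rules.Count) total, $($badRules.Count) suspicious"
$badRules | Format-List Name, Enabled, Priority, Description

# --- Forwarding: mailbox level, then the tenant-wide auto-forward setting.
Get-Mailbox -Identity $Mailbox | Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode -AutoSize   # Off blocks external auto-forward

# --- Transport (mail flow) rules are admin-level and never appear in the mailbox.
Get-TransportRule | Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.AddToRecipients } |
    Format-Table Name, State, WhenChanged, RedirectMessageTo, BlindCopyTo -AutoSize

# --- Message trace: what left the mailbox for external recipients.
$end      = Get-Date
$trace    = @(Get-MessageTrace -SenderAddress $Mailbox -StartDate $end.AddDays(-$Days) -EndDate $end -PageSize 5000)
$external = $trace | Where-Object { ($_.RecipientAddress -split '@')[-1] -notin $internalDomains }
$external | Group-Object RecipientAddress | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Subjects'; e = { ($_.Group.Subject | Select-Object -Unique -First 3) -join ' | ' } } |
    Format-Table -AutoSize

if ($Remediate) {
    foreach ($r in $badRules) { Remove-InboxRule -Mailbox $Mailbox -Identity $r.Identity -Confirm:$false }
    Set-Mailbox -Identity $Mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
    "Removed $($badRules.Count) rule(s) and cleared mailbox forwarding on $Mailbox"
}
```

Run it once without -Remediate, export the output with the rest of the evidence, then run it again with the switch; transport rules are listed but intentionally not touched, since they are tenant-wide and need a separate decision.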
Evidence Collection
📌 Collect logs BEFORE making major changes when possible.
⚠️ Do NOT delete mailbox rules or OAuth apps until logs are collected unless immediate fraud is ongoing.
Use the Microsoft Purview Unified Audit Log to review the following activities:
- New-InboxRule / Set-InboxRule / Remove-InboxRule (and UpdateInboxRules, the operation recorded when rules are changed from an Outlook client)
- MailItemsAccessed (which messages were read, from which client and IP)
- App consent and delegated permission grant events (Consent to application., Add OAuth2PermissionGrant., Add app role assignment grant to user.)
- Password and MFA changes (Reset user password., Change user password., User registered security info)
Required Logs
- Sign-In Logs
- Filter by user and date range
- Audit Logs
- Password resets
- MFA changes
- App consent events
- Mailbox permission changes
Optional (If Available)
- Risky Sign-Ins and risk detections (Entra ID P2)
- Unified Audit Log (if retention still covers the incident window)
- Mailbox audit logs:
- Rule creation/modification
- Mailbox permission changes
- Message trace for:
- Suspicious outbound emails
- External forwarding
If applicable:
- SentinelOne
- Login events
- Device compromise indicators
- Duo
- MFA approval attempts
- MFA fatigue activity
Technician Notes
- Export logs in native format when possible (CSV/JSON) and keep the raw AuditData field intact
- Preserve original timestamps and time zones (the Unified Audit Log records UTC; do not convert in the exported copy)
- Store evidence read-only and record a hash of each export
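The evidence collection as a script, added here as an example and not part of the original runbook. It runs in Exchange Online PowerShell (where Search-UnifiedAuditLog lives), exports the operations listed under Evidence Collection for one user while paging through large result sets, keeps the raw AuditData JSON with its UTC timestamps, and writes the files read-only with SHA-256 hashes. $Upn, $Start, $End and $OutDir are placeholders.

```powershell
# Added example, not from the original runbook. Exchange Online PowerShell.
# $Upn, $Start, $End and $OutDir are placeholders. Default audit retention is
# limited; check that it still covers $Start before relying on the result.
param(
    [Parameter(Mandatory)] [string]   $Upn,
    [Parameter(Mandatory)] [datetime] $Start,
    [datetime] $End    = (Get-Date),
    [string]   $OutDir = '.\evidence'
)
# Operation names as the Unified Audit Log records them (Exchange and Entra ID).
# MailItemsAccessed is high-volume; export it separately if it crowds out the rest.
$ops = @(
    'New-InboxRule', 'Set-InboxRule', 'Remove-InboxRule', 'Enable-InboxRule', 'Disable-InboxRule', 'UpdateInboxRules',
    'Set-Mailbox', 'Add-MailboxPermission', 'Add-RecipientPermission',
    'MailItemsAccessed', 'Send', 'SendAs', 'SendOnBehalf',
    'Consent to application.', 'Add OAuth2PermissionGrant.', 'Add app role assignment grant to user.',
    'Reset user password.', 'Change user password.', 'User registered security info', 'Update user.',
    'Add registered users to device.', 'Add device.'
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# ReturnLargeSet with a constant SessionId pages through up to 50,000 records.
$sessionId = "bec-$Upn-$(Get-Date -Format yyyyMMddHHmmss)"
$records   = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Upn -Operations $ops `
                -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet)
    $records += $page
} while ($page.Count -eq 5000)

# Summary rows for triage. AuditData stays verbatim in the JSON export.
$rows = $records | Sort-Object CreationDate | ForEach-Object {
    $rec = $_
    $d   = $rec.AuditData | ConvertFrom-Json
    $ip  = if ($d.ClientIP) { $d.ClientIP } elseif ($d.ClientIPAddress) { $d.ClientIPAddress } else { $d.ActorIpAddress }
    $detail = switch -Wildcard ($rec.Operations) {
        '*InboxRule*'       { ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' }
        'MailItemsAccessed' { "$($d.MailAccessType) via $($d.ClientInfoString)" }
        default             { $d.ResultStatus }
    }
    [pscustomobject]@{
        CreationDateUtc = $rec.CreationDate.ToString('o')    # stored in UTC; exported unchanged
        RecordType      = $rec.RecordType
        Operation       = $rec.Operations
        User            = $rec.UserIds
        ClientIp        = $ip
        Detail          = $detail
    }
}

$stem     = Join-Path $OutDir ('ual-' + ($Upn -replace '[^\w.@-]', '_'))
$jsonPath = "$stem-raw.json"
$csvPath  = "$stem-summary.csv"
$records | Select-Object @{ n = 'CreationDateUtc'; e = { $_.CreationDate.ToString('o') } }, RecordType, Operations, UserIds, AuditData |
    ConvertTo-Json -Depth 4 | Set-Content -Path $jsonPath -Encoding utf8
$rows | Export-Csv -Path $csvPath -NoTypeInformation -Encoding utf8

# Read-only plus a hash manifest, so later tampering or accidental edits are detectable.
foreach ($f in $jsonPath, $csvPath) {
    Set-ItemProperty -Path $f -Name IsReadOnly -Value $true
    "$((Get-FileHash -Algorithm SHA256 -Path $f).Hash)  $(Split-Path $f -Leaf)" | Add-Content -Path (Join-Path $OutDir 'SHA256SUMS')
}
"$($records.Count) records exported to $OutDir"
```

The Parameters array on the inbox-rule records is what shows the rule's forwarding target and conditions exactly as the attacker created them, which is why the raw JSON is kept alongside the flattened CSV.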
Scope Assessment
- Search for the same IOCs across other users
- Look for:
  - Same source IP addresses
  - Same OAuth apps (match on application ID, not display name; the display name is attacker-controlled)
  - Identical or similarly named inbox rules
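The scope check as a script, added here as an example and not part of the original runbook. It pivots from the first victim's IOCs to the rest of the tenant using Exchange Online PowerShell for the audit-log and inbox-rule sweeps and Microsoft Graph (AuditLog.Read.All, Directory.Read.All) for sign-ins and app grants; $Ips, $AppIds, $RuleNames, $Start and $End are placeholders filled from the case file.

```powershell
# Added example, not from the original runbook: tenant-wide pivot on the IOCs
# from the first victim. Exchange Online PowerShell plus Connect-MgGraph with
# AuditLog.Read.All and Directory.Read.All. All parameters are placeholders.
param(
    [string[]] $Ips       = @(),
    [string[]] $AppIds    = @(),    # AppId (client id) of each malicious OAuth app, not its display name
    [string[]] $RuleNames = @(),
    [Parameter(Mandatory)] [datetime] $Start,
    [datetime] $End = (Get-Date)
)
Import-Module Microsoft.Graph.Reports, Microsoft.Graph.Applications, Microsoft.Graph.Users
$sinceIso = $Start.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# 1. Same source IPs: who else the audit log and sign-in log saw from them.
#    Failed sign-ins count too; they show spraying from the same infrastructure.
if ($Ips.Count -gt 0) {
    Search-UnifiedAuditLog -StartDate $Start -EndDate $End -IPAddresses $Ips -ResultSize 5000 |
        Group-Object UserIds | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
    $ipFilter = ($Ips | ForEach-Object { "ipAddress eq '$_'" }) -join ' or '
    Get-MgAuditLogSignIn -Filter "($ipFilter) and createdDateTime ge $sinceIso" -All |
        Group-Object UserPrincipalName |
        Select-Object Count, Name, @{ n = 'Failed'; e = { @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count } } |
        Format-Table -AutoSize
}

# 2. Same OAuth apps: every principal holding a delegated grant on the app's service principal.
foreach ($appId in $AppIds) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if (-not $sp) { Write-Warning "No service principal for appId $appId (already removed?)"; continue }
    Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All | ForEach-Object {
        [pscustomobject]@{
            App       = $sp.DisplayName
            Principal = $(if ($_.PrincipalId) { (Get-MgUser -UserId $_.PrincipalId).UserPrincipalName } else { 'AllPrincipals (admin consent)' })
            Scope     = $_.Scope
        }
    } | Format-Table -AutoSize
}

# 3. Identical inbox rules in every other mailbox. Slow in large tenants; the
#    audit log (operation New-InboxRule, same window) is the faster first pass.
if ($RuleNames.Count -gt 0) {
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
        $mbx = $_.PrimarySmtpAddress
        Get-InboxRule -Mailbox $mbx -IncludeHidden -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in $RuleNames } |
            Select-Object @{ n = 'Mailbox'; e = { $mbx } }, Name, Enabled, Description
    } | Format-Table -AutoSize
}
```

Any user surfaced by this sweep goes back through the containment and review steps above as a new victim; the same IP appearing with only failed sign-ins still belongs in the Conditional Access block list.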
Communication and User Remediation
- Notify internal stakeholders
- Alert finance or executive teams if fraud was attempted
- Prepare a user-facing explanation and guidance
- Review the phishing indicators with the user
- Reinforce MFA best practices (never approve a prompt you did not initiate)
- Confirm no password reuse across services; the compromised password may have been used elsewhere
Hardening
- Disable legacy authentication
- Require MFA for all users
- Conditional Access:
  - Block sign-ins from risky geolocations (named locations)
  - Device compliance requirements
- Restrict user consent to OAuth apps (route requests through the admin consent workflow)
- Block automatic external forwarding at the tenant level
- Enable alerting for:
  - New inbox rules
  - External forwarding
  - OAuth app consent
  - Risky sign-ins
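The hardening list as a script, added here as an example and not part of the original runbook. It creates the Conditional Access policies through the Microsoft Graph SDK (Policy.ReadWrite.ConditionalAccess, Policy.ReadWrite.Authorization) in report-only mode, turns off user consent, blocks tenant-wide auto-forwarding in Exchange Online, and checks and adds alert policies in Security & Compliance PowerShell. $BreakGlassId, $BlockedCountries and $SocMailbox are placeholders; the Exchange Online application id is the well-known one for Office 365 Exchange Online, and the custom alert's operation name is an assumption to verify against your tenant's audit log.

```powershell
# Added example, not from the original runbook. Microsoft Graph SDK
# (Policy.ReadWrite.ConditionalAccess, Policy.ReadWrite.Authorization),
# Exchange Online PowerShell and Security & Compliance PowerShell.
# $BreakGlassId, $BlockedCountries and $SocMailbox are placeholders.
param(
    [Parameter(Mandatory)] [string]   $BreakGlassId,       # object id of the emergency-access account
    [Parameter(Mandatory)] [string[]] $BlockedCountries,   # ISO 3166-1 alpha-2 codes
    [Parameter(Mandatory)] [string]   $SocMailbox
)
Import-Module Microsoft.Graph.Identity.SignIns

function New-BecPolicy([string] $Name, [hashtable] $Conditions, [string] $Control) {
    # Common shape: all users except break-glass, all apps unless the caller
    # scoped them, report-only until the sign-in report has been reviewed.
    $Conditions.users = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
    if (-not $Conditions.applications) { $Conditions.applications = @{ includeApplications = @('All') } }
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = "BEC-RB: $Name"
        state         = 'enabledForReportingButNotEnforced'   # flip to 'enabled' after review
        conditions    = $Conditions
        grantControls = @{ operator = 'OR'; builtInControls = @($Control) }
    }
}

# 1. Legacy authentication cannot satisfy MFA: block it outright.
New-BecPolicy 'Block legacy authentication' @{ clientAppTypes = @('exchangeActiveSync', 'other') } 'block'

# 2. MFA for everyone on every cloud app.
New-BecPolicy 'Require MFA for all users' @{ clientAppTypes = @('all') } 'mfa'

# 3. Countries the business never signs in from, plus unknown geolocations.
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'BEC-RB: Blocked countries'
    countriesAndRegions               = $BlockedCountries
    includeUnknownCountriesAndRegions = $true
}
New-BecPolicy 'Block sign-in from blocked countries' @{
    clientAppTypes = @('all'); locations = @{ includeLocations = @($loc.Id) }
} 'block'

# 4. Compliant device for Exchange Online (well-known app id for Office 365 Exchange Online).
New-BecPolicy 'Require compliant device for Exchange Online' @{
    clientAppTypes = @('all'); applications = @{ includeApplications = @('00000002-0000-0ff1-ce00-000000000000') }
} 'compliantDevice'

# 5. User consent to apps: off. Admins approve through the admin consent workflow.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# 6. Tenant-wide block on automatic external forwarding (Exchange Online).
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 7. Alerting (Security & Compliance PowerShell). Built-in policies cover
#    forwarding rules and suspicious forwarding; confirm they are enabled, then
#    add a custom activity alert for new inbox rules (operation name assumed).
Connect-IPPSSession
Get-ProtectionAlert | Where-Object { $_.Name -match 'forward|inbox rule|consent|risky|suspicious' } |
    Format-Table Name, Disabled, Severity -AutoSize
New-ProtectionAlert -Name 'BEC-RB: Inbox rule created' -Category ThreatManagement -ThreatType Activity `
    -Operation 'New-InboxRule' -AggregationType None -Severity High -NotifyUser $SocMailbox
```

Leave the policies in report-only mode for at least one business cycle and review the Conditional Access insights report for the break-glass exclusion and for any service account still using basic authentication before enforcing them.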