
As part of my Cyber SOC GitHub repo I’ve put together lots of resources to help people with common cyber security tasks, applicable to everyone from CISOs through to SOC analysts.
I also want to highlight that one of the most common incident types for Office 365 customers is a business email compromise (BEC), so I’ve put together a high-level view of the steps you might want to take after a BEC event is discovered:
Business Email Compromise (BEC) Checklist
What is Business Email Compromise?
Business Email Compromise (BEC) is a type of cyberattack where a threat actor gains unauthorized access to a business email account or impersonates a legitimate user to deceive employees, customers, or partners into performing actions such as transferring funds, sharing sensitive information, or approving fraudulent transactions. BEC attacks often exploit phishing, social engineering, or compromised credentials to manipulate victims. These attacks can result in significant financial losses, data breaches, and reputational damage.
Responding to a BEC incident requires a structured approach to isolate the threat, contain the damage, and eradicate the attacker’s access. The following checklist outlines critical steps to mitigate a BEC incident, with explanations for why each step is necessary.
BEC Incident Response Checklist
1. ISOLATE
Why: Isolation prevents the threat actor from further interacting with the compromised account or network, limiting their ability to cause additional harm, such as sending fraudulent emails or accessing sensitive data.
- Immediately suspend or disable the compromised account to block further access.
- Isolate the affected device(s) from the network to prevent lateral movement by the attacker.
- Notify the IT/security team to monitor for related suspicious activity across other accounts or systems.
2. CONTAIN
Why: Containment limits the scope of the attack by removing the threat actor’s access points and configurations, ensuring they cannot maintain persistence or escalate their attack.
- Change the Password: Reset the password of the compromised account to a strong, unique password. This revokes the attacker’s ability to log in using stolen credentials.
- Reset Sessions: Force a sign-out of all active sessions for the account. This terminates any active connections the threat actor may have, including those from unrecognized devices.
- Remove Threat Actor-Added MFA Registrations: Review and remove any unauthorized Multi-Factor Authentication (MFA) methods added by the attacker. This prevents the attacker from bypassing new passwords using their own MFA tokens.
- Remove Mailbox Delegations: Check for and remove any unauthorized mailbox delegations that allow the attacker to access or control the compromised account indirectly through another account.
- Remove Mailbox Rules: Delete any suspicious email rules (e.g., forwarding rules or rules that move emails to hidden folders) created by the attacker to hide their activities or maintain access to communications.
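The five containment steps above, as an added PowerShell example that is not part of the original post. It assumes the Microsoft Graph PowerShell and ExchangeOnlineManagement modules, an operator with the required admin roles, and that the account UPN and the method/trustee IDs are placeholders filled in from the review.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and the operator holds the
# required admin roles. $Upn is a placeholder for the compromised account.
$Upn = 'compromised.user@example.com'

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All', 'Directory.AccessAsUser.All'
Connect-ExchangeOnline

# Change the password: random 24-character value, user must change it at next sign-in.
$NewPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $NewPassword; ForceChangePasswordNextSignIn = $true }

# Reset sessions: invalidates refresh tokens so existing sign-ins on any device stop working.
Revoke-MgUserSignInSession -UserId $Upn

# Threat-actor-added MFA: list every registered method so the user can confirm which are theirs.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
    Format-Table -AutoSize
# Remove the unrecognised ones by Id (placeholder '<id>' comes from the listing above), e.g.:
#   Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId '<id>'
#   Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId '<id>'

# Mailbox delegations: FullAccess, SendAs and SendOnBehalf held by anyone other than the owner.
Get-MailboxPermission -Identity $Upn | Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' }
Get-RecipientPermission -Identity $Upn | Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' }
(Get-Mailbox -Identity $Upn).GrantSendOnBehalfTo
#   Remove-MailboxPermission -Identity $Upn -User '<trustee>' -AccessRights FullAccess -Confirm:$false
#   Remove-RecipientPermission -Identity $Upn -Trustee '<trustee>' -AccessRights SendAs -Confirm:$false

# Mailbox rules: anything that forwards, redirects, deletes or moves mail is suspect after a BEC.
$Suspicious = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or $_.MoveToFolder
}
$Suspicious | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder | Format-List
foreach ($Rule in $Suspicious) { Remove-InboxRule -Identity $Rule.Identity -Confirm }   # prompts per rule

# Mailbox-level forwarding is configured outside inbox rules; clear it as well.
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
```

Record the rule and delegation listings before removing anything; they are evidence for the impact assessment that follows.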
3. ERADICATE
Why: Eradication ensures that all traces of the attacker’s presence are removed from the environment, preventing future unauthorized access or data exfiltration.
- Enable Litigation Hold: Activate Litigation Hold on the affected mailbox to preserve all emails and data for forensic analysis and potential legal action. This ensures no evidence is lost during the investigation.
- Review Enterprise Application Registrations: Audit all enterprise applications connected to the account and disable any unauthorized applications or integrations added by the threat actor. This prevents the attacker from using these applications to regain access or extract data.
- Conduct a full scan of the affected device(s) and network for malware or other persistence mechanisms.
- Verify that all unauthorized configurations (e.g., API tokens, OAuth consents) have been revoked.
4. ASSESS IMPACT
Why: Assessing the impact involves reviewing actions taken by the threat actor, such as sending fraudulent emails, sharing sensitive files, or modifying collaborative resources like OneNote. This step helps identify the scope of the compromise, mitigate further damage, and gather evidence for investigation or notification requirements.
- Check Sent Emails: Review the “Sent Items” folder and email logs to identify any unauthorized emails sent by the threat actor, such as fraudulent requests for funds or phishing attempts.
- Contact Recipients: Notify recipients of suspicious emails to warn them not to act on fraudulent requests, click on links, open attachments, or share sensitive information. Provide clear instructions to report any related suspicious activity to the IT/security team.
- Review Shared Files: Audit file-sharing platforms (e.g., OneDrive, SharePoint) for files shared, modified, or downloaded by the compromised account. Check sharing permissions and revoke unauthorized access to sensitive documents.
- Inspect OneNote and Collaborative Tools: Examine OneNote notebooks, Microsoft Teams channels, or other collaborative tools linked to the account for unauthorized changes, data exfiltration, or embedded malicious content. Restore or secure affected resources as needed.
- Check Email Attachments and Links: Analyze sent emails for attachments or links that may have been used to distribute malware or phishing content, and take steps to block or warn recipients.
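The Litigation Hold and application-review steps from ERADICATE together with the sent-mail and shared-file review from ASSESS IMPACT, as one added PowerShell example that is not part of the original post. It assumes the same Graph and Exchange Online modules as before, that mailbox and SharePoint auditing are enabled, and that the UPN, the 30-day window and the grant ID are placeholders.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules, an operator with the required admin roles, and
# that unified audit logging is on. $Upn and $LookbackDays are placeholders.
$Upn = 'compromised.user@example.com'
$LookbackDays = 30                          # assumed investigation window

Connect-MgGraph -Scopes 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
Connect-ExchangeOnline

# Preserve evidence first: once the hold is on, nothing deleted from the mailbox is lost.
Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true

# Enterprise apps and OAuth consents tied to the account; attacker-consented apps show up here.
$UserId = (Get-MgUser -UserId $Upn).Id
Get-MgUserOauth2PermissionGrant -UserId $UserId | ForEach-Object {
    $Sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{ GrantId = $_.Id; App = $Sp.DisplayName; Scope = $_.Scope; ConsentType = $_.ConsentType }
} | Format-Table -AutoSize
Get-MgUserAppRoleAssignment -UserId $UserId | Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<GrantId>'   # for each unauthorised grant

# Assess impact: mail sent, rules created, and files shared or downloaded by the account.
$Ops = @(
    'Send', 'SendAs', 'SendOnBehalf', 'New-InboxRule', 'Set-InboxRule',
    'FileDownloaded', 'SharingSet', 'AnonymousLinkCreated', 'AddedToSecureLink'
)
$Events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) `
    -UserIds $Upn -Operations $Ops -ResultSize 5000

$Timeline = $Events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = $_.CreationDate
        Op       = $_.Operations
        ClientIP = $d.ClientIP
        # Exchange 'Send' records carry the message subject; SharePoint records carry the object path.
        Target   = if ($d.Item.Subject) { $d.Item.Subject } else { $d.ObjectId }
    }
}
$Timeline | Sort-Object Time | Format-Table -AutoSize
$Timeline | Group-Object Op | Select-Object Count, Name                         # what the actor did, by type
$Timeline | Export-Csv -Path ".\bec-$Upn-timeline.csv" -NoTypeInformation       # keep with the case file
```

The Target column gives you the recipients to contact (from the sent-mail subjects) and the OneDrive/SharePoint items whose sharing needs revoking.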
Additional Recommendations
- Notify affected stakeholders (e.g., employees, customers, or partners) about the breach to prevent further exploitation, such as responding to fraudulent emails.
- Conduct a forensic investigation to determine the attack’s entry point and scope, which can help prevent future incidents.
- Train employees on recognizing phishing attempts and securing their accounts with strong passwords and MFA.
- Implement advanced email security measures, such as DMARC, SPF, and DKIM, to reduce the risk of email spoofing.
- Complete the Incident Response (IR) process, including:
- Impact Analysis: Assess the full scope of the breach, including financial losses, data exposure, and operational disruptions.
- Regulator Notification: Report the incident to relevant regulatory authorities as required by laws such as GDPR, CCPA, or industry-specific regulations.
- Supply Chain Notification: Inform partners, vendors, or clients who may have been affected or targeted through compromised communications.
- Additional Hardening: Implement enhanced security measures, such as stricter access controls, endpoint detection, or network segmentation, to prevent recurrence.
- Lessons Learned: Document findings, review the response process, and update policies and training to improve future incident handling.
By following this checklist, organizations can effectively respond to a BEC incident, minimize damage, and strengthen their defenses against future attacks.
Two key things many orgs seem to miss:
- Prepare and Prevent: you can take steps (probably more than you realise) to prevent BEC
- Response should include reporting and lessons learned
Prevent is always simpler than Respond! But if you do have an incident, it’s really wise to learn from it, not just in the IT team/Security team but also with the leadership team and wider business!