
    How We Catch Business Email Compromise Attacks Before They Spread

    Dustin Collett, May 20, 2026

    Business Email Compromise (BEC) rarely starts with a dramatic ransomware note or a flashing warning on a workstation. It often starts quietly: a successful login, a new inbox rule, a forwarding change, or a few minutes of mailbox browsing before the attacker sends phishing emails from a trusted account.

    That quiet window matters. Before the compromised user blasts a phishing message to their contacts list, there are usually several opportunities to detect and stop the attack.

    For small and midsize businesses, this is where a managed service provider (MSP) should add real value: not just cleaning up after the damage, but watching for the attacker’s setup activity while the attack is still in progress.

    What BEC Looks Like in Real Life

    A common BEC incident follows a pattern like this:

    1. A user enters credentials into a fake Microsoft 365 or Google Workspace login page.
    2. The attacker signs in from an unusual location, device, browser, or session.
    3. The attacker reviews the mailbox to understand relationships, invoices, vendors, and recent conversations.
    4. The attacker creates a forwarding rule, inbox rule, or delegate permission to maintain visibility.
    5. The attacker hides security warnings, bouncebacks, or replies by moving or deleting messages automatically.
    6. The attacker sends phishing or payment-fraud emails from the victim’s real account.

    By the time customers, vendors, or employees report suspicious messages, the attack has already moved from account compromise to abuse of trust.

    Our goal is to catch the activity between steps two and five, before the compromised account becomes a launchpad.

    Mapping BEC to MITRE ATT&CK

    The MITRE ATT&CK framework is useful because it breaks attacker behavior into recognizable tactics and techniques. In BEC cases, the most important question is not simply, “Did someone send a phishing email?” It is, “What did the attacker do before that email went out?”

    Here are common BEC behaviors we monitor for:

    BEC behavior | MITRE ATT&CK technique | Missed opportunity
    --- | --- | ---
    Successful sign-in with stolen credentials | Valid Accounts: Cloud Accounts | No alert on unusual login source, impossible travel, new device, or suspicious session
    Password guessing or credential stuffing attempts | Brute Force: Password Spraying | Repeated failed logins across users were treated as noise
    User tricked by a fake login page | Phishing | The original credential theft was not blocked, reported, or investigated
    Attacker creates external forwarding | Email Collection: Email Forwarding Rule | Mailbox forwarding was allowed without alerting or review
    Attacker creates rules to hide warnings or replies | Hide Artifacts: Email Hiding Rules | Inbox rules moving, deleting, or marking messages as read were not reviewed
    Attacker grants mailbox access to another account | Account Manipulation: Additional Email Delegate Permissions | Delegate access was added without administrative approval
    Attacker weakens authentication controls | Modify Authentication Process: Multi-Factor Authentication | Multi-Factor Authentication (MFA) changes were not monitored
    Attacker sends phishing from the real mailbox | Phishing | Outbound sending anomalies were noticed only after recipients complained

    Not every BEC incident includes every technique. But when several of these events occur in a short period, they create a strong signal that the account is not just compromised—it is being actively prepared for abuse.

    Missed Opportunities Before the Phish Goes Out

    The most frustrating part of many BEC investigations is that the warning signs were already present.

    A suspicious login alone may not prove compromise. A new inbox rule alone may be legitimate. A user sending more email than usual may have a business explanation.

    But when those events stack together, the story changes.

    Common missed opportunities include:

    • A new sign-in from an unfamiliar country, region, network, or device
    • A successful login shortly after multiple failed login attempts
    • New inbox rules with keywords like “phish,” “spam,” “invoice,” “payment,” “security,” “alert,” or “undeliverable”
    • Rules that automatically delete, archive, mark as read, or move messages
    • External forwarding to a personal email address or unknown domain
    • New mailbox delegation or “send as” permissions
    • MFA method changes shortly before suspicious mailbox activity
    • Large outbound email volume from a user who normally sends very little
    • Messages sent to many external recipients in a short period
    • Replies or bouncebacks disappearing from the user’s inbox

    These are the moments where monitoring matters. The attacker is still setting the stage. The business still has time to stop the blast radius.
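    As an added example (not part of the original post), the stacking idea above written as a small correlation over constructed audit records: each event contributes a weighted signal, and a user is flagged only when the signals inside a 24-hour window add up past a threshold, so a lone inbox rule stays quiet while a new-country sign-in plus a keyword-hiding rule does not. Field names loosely follow the Microsoft 365 unified audit log, but the record shapes, the example.com tenant domain, the weights and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Rule keywords the post calls out; a rule filtering on these that also hides mail deserves review.
SUSPICIOUS_WORDS = {"phish", "phishing", "spam", "invoice", "payment", "security",
                    "alert", "undeliverable", "fraud", "wire"}
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains

def classify(ev, known_countries):
    """Map one audit record to a (signal, weight) pair, or None when it looks benign on its own."""
    op, p = ev["Operation"], ev.get("Parameters", {})
    if op == "UserLoggedIn" and ev.get("Country") not in known_countries.get(ev["UserId"], set()):
        return ("sign-in from new country", 2)
    if op == "New-InboxRule":
        words = {w.lower() for w in p.get("SubjectContainsWords", [])}
        hides = p.get("DeleteMessage") or p.get("MarkAsRead") or p.get("MoveToFolder")
        if hides and words & SUSPICIOUS_WORDS:
            return ("hiding rule keyed on risky words", 3)
        if hides:
            return ("rule that hides mail", 1)  # often legitimate, so low weight on its own
    if op == "Set-Mailbox" and p.get("ForwardingSmtpAddress"):
        if p["ForwardingSmtpAddress"].rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            return ("external forwarding", 3)
    return None

def staged_accounts(events, known_countries, window=timedelta(hours=24), threshold=5):
    """Return {user: [signals]} for users whose signal weights inside any `window` reach `threshold`."""
    per_user = defaultdict(list)
    for ev in events:
        hit = classify(ev, known_countries)
        if hit:
            per_user[ev["UserId"]].append((datetime.fromisoformat(ev["CreationTime"]),) + hit)
    flagged = {}
    for user, sigs in per_user.items():
        sigs.sort()
        for i, (t0, _, _) in enumerate(sigs):  # slide the window from each signal's start
            span = [s for s in sigs[i:] if s[0] - t0 <= window]
            if sum(w for _, _, w in span) >= threshold:
                flagged[user] = [name for _, name, _ in span]
                break
    return flagged
# Constructed sample records, not real log data; field names loosely follow the M365 unified audit log.
SAMPLE = [
    {"CreationTime": "2026-05-18T08:02:00", "UserId": "pat@example.com", "Operation": "UserLoggedIn", "Country": "NG"},
    {"CreationTime": "2026-05-18T08:09:00", "UserId": "pat@example.com", "Operation": "New-InboxRule",
     "Parameters": {"Name": ".", "SubjectContainsWords": ["invoice", "phishing"], "DeleteMessage": True}},
    {"CreationTime": "2026-05-18T08:11:00", "UserId": "pat@example.com", "Operation": "Set-Mailbox", "Parameters": {"ForwardingSmtpAddress": "smtp:pat.backup@mail.example"}},
    {"CreationTime": "2026-05-18T09:30:00", "UserId": "sam@example.com", "Operation": "New-InboxRule", "Parameters": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
    {"CreationTime": "2026-05-18T10:00:00", "UserId": "sam@example.com", "Operation": "UserLoggedIn", "Country": "US"},
]
KNOWN = {"pat@example.com": {"US"}, "sam@example.com": {"US"}}  # baseline sign-in countries, constructed
```

Running staged_accounts(SAMPLE, KNOWN) flags only pat, with all three signals listed in time order; sam's folder rule and home-country login never reach the threshold.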

    How We Detect BEC in Progress

    Our approach is to look for behavior, not just known-bad links or malware attachments.

    BEC often uses legitimate tools: a real mailbox, a real login session, built-in forwarding, normal inbox rules, and trusted business relationships. That means traditional antivirus alone is not enough.

    We focus on several layers of detection.

    Identity and Sign-In Monitoring

    We watch for unusual access patterns, including new locations, new devices, suspicious autonomous system numbers, impossible travel, and sign-ins that do not match a user’s normal behavior.

    For cloud email platforms, identity is the new perimeter. When an attacker has valid credentials, the login may look technically successful, but the surrounding context can still be suspicious.

    Mailbox Rule and Forwarding Review

    Inbox rules are one of the clearest signs of active BEC preparation.

    Attackers often create rules to hide security alerts, move replies out of sight, delete warnings, or forward mail externally. A rule that silently moves messages containing words like “fraud,” “wire,” “invoice,” or “phishing” deserves attention.

    We monitor for rule creation, rule modification, external forwarding, and unusual mailbox permission changes.

    MFA and Permission Change Alerts

    MFA helps reduce account takeover risk, but it also becomes a target after compromise.

    A sudden MFA method change, new authenticator app, added phone number, or change to conditional access behavior should not be ignored. The same applies to mailbox delegation and elevated permissions.

    When authentication or permissions change unexpectedly, we treat that as a potential persistence attempt.

    Outbound Email Anomaly Detection

    If a user normally sends 20 emails a day and suddenly sends 500 external messages in ten minutes, that should trigger investigation.

    Outbound monitoring helps catch the final stage of BEC: the moment the compromised account is used to spread phishing, invoice fraud, or credential theft. The earlier layers are designed to stop the attack before this point, but outbound anomaly detection provides an important safety net.
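    An added example, not from the original post, of the outbound check described above: it counts external recipients per sender in a sliding ten-minute window and compares that to a limit derived from the sender's usual daily volume, so the 20-a-day user who suddenly mails hundreds of outside addresses is caught within the first couple of minutes. The record shape, the example.com tenant domain, and the multiplier and floor values are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains

def external_count(recipients):
    """Number of recipients outside the tenant's domains."""
    return sum(1 for r in recipients if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS)

def outbound_bursts(sends, daily_baseline, window=timedelta(minutes=10), multiplier=5, floor=50):
    """Flag senders whose external recipients inside any `window` exceed
    max(floor, multiplier * their usual sends per day). Returns {sender: details}."""
    by_sender = defaultdict(list)
    for s in sends:
        n = external_count(s["recipients"])
        if n:
            by_sender[s["sender"]].append((datetime.fromisoformat(s["time"]), n))
    alerts = {}
    for sender, evs in sorted(by_sender.items()):
        limit = max(floor, multiplier * daily_baseline.get(sender, 0))
        recent, total = deque(), 0
        for t, n in sorted(evs):
            recent.append((t, n))
            total += n
            while t - recent[0][0] > window:  # drop sends that fell out of the window
                total -= recent.popleft()[1]
            if total > limit:
                alerts[sender] = {"external_recipients": total, "limit": limit, "at": t.isoformat()}
                break
    return alerts

# Constructed sample traffic (not real message-trace data): pat, who averages 20 sends a day,
# suddenly mails 500 external contacts one second apart; sam sends a handful as usual.
START = datetime(2026, 5, 18, 8, 12)
SAMPLE = [{"sender": "pat@example.com", "time": (START + timedelta(seconds=i)).isoformat(),
           "recipients": [f"contact{i}@partner.example"]} for i in range(500)]
SAMPLE += [{"sender": "sam@example.com", "time": (START + timedelta(minutes=i)).isoformat(),
            "recipients": ["a@partner.example", "b@example.com"]} for i in range(3)]
BASELINE = {"pat@example.com": 20, "sam@example.com": 40}  # average sends per day, constructed
```

With these inputs pat is flagged on the 101st external recipient, well before the blast finishes, while sam's three sends stay under the floor.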

    How We Shut It Down

    When BEC indicators appear, speed matters. A good response process is simple, documented, and practiced before the incident happens.

    A typical containment workflow includes:

    1. Disable or block the suspicious session
    2. Reset the user’s password
    3. Revoke active refresh tokens and cloud sessions
    4. Review and remove malicious inbox rules
    5. Remove unauthorized forwarding
    6. Review delegate permissions and mailbox access
    7. Verify MFA methods and remove attacker-added methods
    8. Check sent items, deleted items, archive folders, and hidden folders
    9. Search for similar indicators across other mailboxes
    10. Notify affected contacts if phishing messages were sent

    The goal is not just to recover the one mailbox. The goal is to understand whether the attacker touched other accounts, established persistence, or used the mailbox to target customers, vendors, or employees.

    What Business Leaders Should Ask Their MSP

    BEC defense is not only a technical issue. It is an operational risk issue.

    If your business relies on email for invoices, approvals, vendor communication, HR, or customer support, ask your MSP these questions:

    • Do we alert on external forwarding and suspicious inbox rules?
    • Do we review mailbox delegation and “send as” permissions?
    • Do we monitor for unusual sign-ins and suspicious sessions?
    • Do we receive alerts when MFA methods change?
    • Do we have an incident response checklist for BEC?
    • Can we quickly revoke sessions and remove malicious mailbox rules?
    • Do we monitor outbound email spikes from compromised users?
    • Do we have a process to notify contacts if a mailbox sends phishing?

    A business does not need to become a security operations center to reduce BEC risk. But it does need the right visibility, the right alerts, and a response process that does not start after the damage is done.

    Stop BEC Before It Becomes a Customer-Facing Incident

    Business Email Compromise succeeds because it abuses trust. Once an attacker controls a real mailbox, every customer, vendor, and employee connected to that account can become the next target.

    The best time to catch BEC is before the phishing blast: when the attacker logs in, changes mailbox settings, creates hiding rules, forwards mail, or modifies account access.

    If you want to know whether your Microsoft 365 or Google Workspace environment is being monitored for these warning signs, contact Collett Systems through our contact page. You can also learn more about our security-focused managed IT services on our managed IT services page.
