
Business Email Compromise response playbook

How to respond to a confirmed BEC incident in Microsoft 365 — containment, investigation, remediation, and prevention.

Business Email Compromise (BEC) is one of the most common — and damaging — attack patterns against Microsoft 365 tenants. An attacker compromises a user's mailbox, monitors their email for context, then impersonates them (or a related party) to defraud the organisation or its partners. Wire transfers, fake invoices, credential phishing of colleagues — all classic BEC outcomes.

When a BEC is confirmed, fast response is everything.

Containment (first 30 minutes)

  1. Revoke the user's session and refresh tokens immediately: Revoke-MgUserSignInSession -UserId <user> in PowerShell, or "Revoke sessions" in the Entra ID admin centre. Access tokens already issued stay valid until they expire (roughly an hour by default), so keep watching the mailbox during that window.
  2. Reset the user's password to a strong, randomly generated value the user does not yet know.
  3. Disable the user's account (block sign-in) until the investigation is done.
  4. Disable any forwarding the attacker may have created. Inbox rules: Get-InboxRule -Mailbox <user> -IncludeHidden; rules that delete mail or move it to an obscure folder are as suspicious as ones that forward, because that is how the attacker hides the victim's replies. Mailbox-level forwarding: Get-Mailbox -Identity <user> | Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward.
  5. Remove any newly registered authentication methods. Attackers register their own Authenticator app, phone number or FIDO2 key so that a password reset alone does not lock them out; list them with Get-MgUserAuthenticationMethod -UserId <user>.
  6. Check for delegate permissions added to the mailbox: Get-MailboxPermission (Full Access), Get-RecipientPermission (Send As) and the mailbox's GrantSendOnBehalfTo.
  7. Check for OAuth app consent grants by the user: Get-MgUserOauth2PermissionGrant -UserId <user>. Attackers often get the victim to consent to a malicious app with broad Graph permissions (Mail.ReadWrite, Mail.Send, offline_access), and that access survives the password reset.
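The seven steps above as a single PowerShell run, added here as a worked example (it is not Microsoft's code and not part of the original playbook). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds the Entra and Exchange roles needed to manage users, authentication methods and mailboxes, and that $Upn is the compromised user; the evidence folder, the regex for "suspicious" Graph scopes and the choice to remove every non-password MFA method are the script's own assumptions. It records state to CSV before changing anything, performs the lock-out steps immediately, and leaves delegate and consent removal as analyst-confirmed commands, which is the clean-up the Remediation section covers.

```powershell
# Added example, not from the original playbook: contain one compromised M365 user.
# Assumes Microsoft.Graph and ExchangeOnlineManagement are installed and the operator
# holds the Entra/Exchange roles for user, auth-method and mailbox admin. $Upn and the
# "suspicious scope" regex are this script's own assumptions.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [string] $EvidenceDir = ".\bec-evidence-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All',
    'DelegatedPermissionGrant.ReadWrite.All', 'Application.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# Steps 1-3: lock the attacker out. Disable first so no new token can be issued while
# you work, then revoke refresh tokens, then rotate the password. Access tokens already
# issued stay valid until they expire (roughly an hour), so keep watching the mailbox.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = [Convert]::ToBase64String($bytes)   # 32 random chars the user never sees
    ForceChangePasswordNextSignIn = $true
}

# Step 4: inbox rules and mailbox-level forwarding. Record first, then neutralise.
$rules = @(Get-InboxRule -Mailbox $Upn -IncludeHidden)
$rules | Select-Object Name, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
    DeleteMessage, MoveToFolder, MarkAsRead, Description |
    Export-Csv "$EvidenceDir\inbox-rules.csv" -NoTypeInformation
# Forward/redirect rules exfiltrate; delete/move rules hide the victim's replies.
$rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    ForEach-Object { Disable-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false }
$mbx = Get-Mailbox -Identity $Upn
$mbx | Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward, GrantSendOnBehalfTo |
    Out-File "$EvidenceDir\mailbox-forwarding.txt"
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# Step 5: authentication methods. Record, then remove every non-password method; the
# user re-registers with an admin present (see Remediation). Graph may refuse to delete
# the user's current default method until another default is set, hence the try/catch.
$methods = @(Get-MgUserAuthenticationMethod -UserId $Upn)
$methods | ForEach-Object {
    [pscustomobject]@{ Id = $_.Id; Type = $_.AdditionalProperties['@odata.type']
                       Detail = ($_.AdditionalProperties | ConvertTo-Json -Compress -Depth 3) }
} | Export-Csv "$EvidenceDir\auth-methods.csv" -NoTypeInformation
foreach ($m in $methods) {
    try {
        switch ($m.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
                Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
            '#microsoft.graph.fido2AuthenticationMethod' {
                Remove-MgUserAuthenticationFido2Method -UserId $Upn -Fido2AuthenticationMethodId $m.Id }
            '#microsoft.graph.phoneAuthenticationMethod' {
                Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId $m.Id }
            '#microsoft.graph.softwareOathAuthenticationMethod' {
                Remove-MgUserAuthenticationSoftwareOathMethod -UserId $Upn -SoftwareOathAuthenticationMethodId $m.Id }
            '#microsoft.graph.emailAuthenticationMethod' {
                Remove-MgUserAuthenticationEmailMethod -UserId $Upn -EmailAuthenticationMethodId $m.Id }
        }
    } catch { Write-Warning "Could not remove method $($m.Id): $_" }
}

# Step 6: delegates. Record only; legitimate assistants exist. Remove confirmed attacker
# additions with Remove-MailboxPermission / Remove-RecipientPermission (see Remediation).
Get-MailboxPermission -Identity $Upn |
    Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
    Select-Object User, @{n='AccessRights'; e={ $_.AccessRights -join ';' }} |
    Export-Csv "$EvidenceDir\delegates-fullaccess.csv" -NoTypeInformation
Get-RecipientPermission -Identity $Upn |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Select-Object Trustee, @{n='AccessRights'; e={ $_.AccessRights -join ';' }} |
    Export-Csv "$EvidenceDir\delegates-sendas.csv" -NoTypeInformation

# Step 7: OAuth consent grants. Mail/file scopes plus offline_access is the classic BEC
# app pattern (the regex is this script's heuristic). Revoke once the analyst confirms.
$grants = Get-MgUserOauth2PermissionGrant -UserId $Upn | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{ GrantId = $_.Id; App = $sp.DisplayName; AppId = $sp.AppId
                       Publisher = $sp.PublisherName; Verified = [bool]$sp.VerifiedPublisher.DisplayName
                       Scope = $_.Scope
                       Suspicious = [bool]($_.Scope -match 'Mail\.|MailboxSettings|Files\.|offline_access') }
}
$grants | Export-Csv "$EvidenceDir\oauth-grants.csv" -NoTypeInformation
$grants | Where-Object Suspicious | Format-Table App, Publisher, Verified, Scope -AutoSize
# Analyst-confirmed revocation:  Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

Run it from a dedicated incident-response workstation and identity, not the analyst's daily account, and keep the evidence folder: the inbox rules and consent grants it records are the starting point for the investigation phase, and the account-disable timestamp is the one the legal and finance conversations will ask for.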

If Defender XDR automatic attack disruption is enabled, it can take the first of these steps for you: when it classifies the incident as BEC it disables the user account in Entra ID (and contains devices enrolled in Defender for Endpoint). It does not remove inbox rules, forwarding, registered MFA methods or OAuth consents, so the rest of the list still has to be worked manually.

Investigation (first 24 hours)

Establish scope:

  • When did the compromise start? Search Sign-in logs for first suspicious sign-in (different country, anonymous IP, unusual user agent).
  • What did the attacker do? Review Mailbox audit logs, Unified Audit Log, Message Trace.
  • Who else has been emailed from the compromised mailbox? Sent items, sent-as patterns.
  • Has any wire transfer been requested? Check finance team for in-flight payments referencing the compromised user.
  • Are there other compromised mailboxes? Check related accounts that received "credential reset" emails or similar.
  • Did the attacker move laterally? Look for sign-ins to other users from the same IPs, or with the same unusual user agent.

The Threat Explorer in Defender for Office 365 P2 and Advanced Hunting in Defender XDR are the right tools.
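The scoping questions above turned into a PowerShell collection script, added here as an example (it is not from the original playbook and not Microsoft's code). It assumes a Microsoft.Graph session with AuditLog.Read.All and Directory.Read.All and an ExchangeOnlineManagement session with audit-log access; $Upn, the 30-day look-back window and the heuristic that any successful sign-in from outside the user's usual country is attacker infrastructure are its own assumptions. It answers the first four questions with exported CSVs and the lateral-movement question by pivoting the suspected attacker IPs across the tenant's sign-in log.

```powershell
# Added example, not from the original playbook: scope a confirmed BEC for one user.
# Assumes a Microsoft.Graph session with AuditLog.Read.All and Directory.Read.All and an
# ExchangeOnlineManagement session with audit-log access. $Upn, the look-back window and
# the "off-country IP = attacker" heuristic are this script's own assumptions.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [int]    $Days        = 30,
    [string] $EvidenceDir = '.\bec-scope'
)
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$start    = (Get-Date).AddDays(-$Days)
$startIso = $start.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# 1. When did it start? Every sign-in for the user, then one row per source IP so the
#    first off-baseline country / client stands out.
$signIns = @(Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $startIso")
$signIns | Select-Object CreatedDateTime, IpAddress,
    @{n='Country'; e={ $_.Location.CountryOrRegion }}, @{n='City'; e={ $_.Location.City }},
    ClientAppUsed, AppDisplayName, @{n='OS'; e={ $_.DeviceDetail.OperatingSystem }},
    @{n='Browser'; e={ $_.DeviceDetail.Browser }}, @{n='ErrorCode'; e={ $_.Status.ErrorCode }},
    ConditionalAccessStatus, RiskLevelDuringSignIn |
    Export-Csv "$EvidenceDir\signins.csv" -NoTypeInformation
$byIp = $signIns | Where-Object { $_.Status.ErrorCode -eq 0 } | Group-Object IpAddress | ForEach-Object {
    $s = $_.Group | Sort-Object CreatedDateTime
    [pscustomobject]@{ Ip = $_.Name; Country = $s[0].Location.CountryOrRegion; Count = $_.Count
                       FirstSeen = $s[0].CreatedDateTime; LastSeen = $s[-1].CreatedDateTime
                       Clients = ($s.ClientAppUsed | Sort-Object -Unique) -join ';' }
} | Sort-Object FirstSeen
$byIp | Format-Table -AutoSize

# 2. Lateral movement. IPs outside the user's usual country are treated as attacker
#    infrastructure and checked against every other user's sign-ins. This misses attackers
#    on residential proxies in the right country; correlate on user agent as well.
$homeCountry = ($byIp | Group-Object Country | Sort-Object Count -Descending | Select-Object -First 1).Name
$attackerIps = @($byIp | Where-Object { $_.Country -ne $homeCountry } | Select-Object -ExpandProperty Ip)
$otherUsers = foreach ($ip in $attackerIps) {
    Get-MgAuditLogSignIn -All -Filter "ipAddress eq '$ip' and createdDateTime ge $startIso" |
        Where-Object { $_.UserPrincipalName -ne $Upn } |
        Select-Object @{n='AttackerIp'; e={ $ip }}, UserPrincipalName, CreatedDateTime, AppDisplayName,
            @{n='ErrorCode'; e={ $_.Status.ErrorCode }}
}
$otherUsers | Export-Csv "$EvidenceDir\other-users-from-attacker-ips.csv" -NoTypeInformation

# 3. What did the attacker do? Unified Audit Log operations for persistence (rules,
#    forwarding, delegates, consent) and mail actions. One call returns at most 5000
#    records; page with -SessionId / -SessionCommand ReturnLargeSet for busy mailboxes.
$ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox', 'Add-MailboxPermission',
       'Add-RecipientPermission', 'AddFolderPermissions', 'Consent to application.', 'MailItemsAccessed',
       'Send', 'SendAs', 'SendOnBehalf', 'SoftDelete', 'HardDelete', 'MoveToDeletedItems', 'Update'
$audit = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) -UserIds $Upn -Operations $ops -ResultSize 5000
$audit | ForEach-Object {
    $d  = $_.AuditData | ConvertFrom-Json
    $ip = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }   # field name varies by workload
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        ClientIP  = $ip
        Client    = $d.ClientInfoString
        Detail    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
} | Sort-Object Time | Export-Csv "$EvidenceDir\audit.csv" -NoTypeInformation

# 4. Who received mail from the mailbox? Message trace is limited to the last 10 days;
#    for older activity use the Send/SendAs audit rows above. External recipients are
#    the ones to notify.
$tenantDomain = $Upn.Split('@')[1]
Get-MessageTrace -SenderAddress $Upn -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -PageSize 5000 |
    Group-Object RecipientAddress | Sort-Object Count -Descending |
    Select-Object @{n='Recipient'; e={ $_.Name }}, Count,
        @{n='External'; e={ $_.Name -notlike "*@$tenantDomain" }} |
    Export-Csv "$EvidenceDir\recipients.csv" -NoTypeInformation
```

Read the per-IP table first: the attacker's first successful sign-in is usually the first row whose country or client (legacy protocol, unfamiliar browser) breaks the pattern, and everything in the audit export after that timestamp is in scope. The `New-InboxRule` / `Set-Mailbox` rows tell you when persistence went in, and the `Send` / `SendAs` rows with an off-baseline ClientIP are the fraudulent mails to chase with finance and the contacts.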

Communications

  • Notify the user that their account was compromised.
  • Notify the user's contacts if any phishing or fraudulent mails were sent from the compromised account.
  • Notify finance if any fraudulent transfer requests went out — try to recall payments still in flight.
  • Notify legal / compliance / regulators if the breach falls under notification requirements.

Remediation

Once contained and investigated:

  • Re-enable the user with strong unique password and MFA enforced.
  • Re-register MFA methods with the user present.
  • Force re-sign-in on all their devices.
  • Revoke any malicious OAuth consents.
  • Purge any phishing emails sent from the account from recipient mailboxes inside the tenant, using the Soft delete / Hard delete actions in Threat Explorer (Defender for Office 365 P2) or the actions AIR proposes. Mail already delivered to external recipients cannot be recalled; that is what the contact notification is for.
  • Review and remove any malicious shared mailbox / delegate permissions added.

Prevention

After the incident, harden against the next one:

  • Phishing-resistant MFA (FIDO2 security keys, passkeys) for high-risk roles: finance, executives, anyone with payment authority. Authenticator push and SMS codes are phishable by the adversary-in-the-middle kits behind most current BEC campaigns.
  • Conditional Access blocking sign-ins from countries you do not operate in. Roll it out in report-only mode first, and treat it as a speed bump rather than a wall: attackers increasingly route through residential proxies in the victim's own country.
  • Conditional Access token protection, which binds sign-in session tokens to the device so a stolen refresh token cannot be replayed from the attacker's machine. Currently limited to specific clients and platforms, so check the supported scenarios before relying on it.
  • Defender for Office 365 P2 for Attack Simulation Training and AIR.
  • Tighter user consent policies: limit users to low-impact scopes from verified publishers and route everything else through the admin consent workflow.
  • Disable legacy authentication completely if not already done; it bypasses MFA by design.
  • DMARC at p=reject to stop exact-domain spoofing of your domain. It does nothing against lookalike domains or mail sent from a genuinely compromised mailbox, which is why the identity controls above matter more.
  • Mail flow (transport) rules that tag messages whose Reply-To address differs from the From address, together with external-sender tagging, so recipients can see when a reply would leave the organisation.
  • Finance procedure changes: out-of-band confirmation, over a known phone number, for any new or changed payment instruction.
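Four of the controls above as PowerShell, added here as an example (not Microsoft's code and not part of the original playbook): the geo-block Conditional Access policy created in report-only mode, the low-impact user consent policy, an Exchange authentication policy that blocks basic authentication, and a check that the published DMARC record really is p=reject. It assumes connected Microsoft.Graph (Policy.ReadWrite.ConditionalAccess, Policy.ReadWrite.Authorization, User.Read.All) and ExchangeOnlineManagement sessions; the country codes, break-glass account, domain and policy names are placeholders.

```powershell
# Added example, not from the original playbook: four post-incident hardening steps.
# Assumes Microsoft.Graph (Policy.ReadWrite.ConditionalAccess, Policy.ReadWrite.Authorization,
# User.Read.All) and ExchangeOnlineManagement sessions are already connected. Country
# codes, break-glass account, domain and policy names are placeholders.
param(
    [string[]] $AllowedCountries = @('GB', 'IE'),
    [string]   $BreakGlassUpn    = 'breakglass@contoso.com',
    [string]   $Domain           = 'contoso.com'
)

# 1. Conditional Access: block sign-ins from outside the countries you operate in.
#    Created in report-only mode; read the sign-in log impact before enforcing, and
#    always exclude a break-glass account so a mistake cannot lock out every admin.
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed countries'
    countriesAndRegions               = $AllowedCountries
    includeUnknownCountriesAndRegions = $false
}
$breakGlass = Get-MgUser -UserId $BreakGlassUpn
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block sign-in outside allowed countries'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
} | Out-Null

# 2. User consent: users may self-consent only to low-impact scopes from verified
#    publishers (Microsoft's built-in "microsoft-user-default-low" policy). Everything
#    else needs an admin, so a malicious app asking for Mail.ReadWrite cannot be granted
#    by the victim. Pair it with the admin consent workflow so requests are not just lost.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
}

# 3. Legacy authentication. New-AuthenticationPolicy with no Allow* switches blocks every
#    basic-auth protocol; making it the tenant default covers mailboxes without an explicit
#    policy. SMTP AUTH is the usual straggler: disable it tenant-wide and re-enable it only
#    per mailbox (Set-CASMailbox -SmtpClientAuthenticationDisabled $false) where a device
#    genuinely needs it.
$pol = Get-AuthenticationPolicy -Identity 'Block Basic Auth' -ErrorAction SilentlyContinue
if (-not $pol) { $pol = New-AuthenticationPolicy -Name 'Block Basic Auth' }
Set-OrganizationConfig -DefaultAuthenticationPolicy $pol.Identity
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 4. DMARC: confirm the published record actually says p=reject at pct=100. A p=quarantine
#    or pct=10 record that was "going to be tightened later" is a common finding.
#    Resolve-DnsName is the Windows DnsClient cmdlet; use dig on other platforms.
function Test-DmarcReject {
    param([Parameter(Mandatory)] [string] $Domain)
    $rec = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop |
        Where-Object { ($_.Strings -join '') -match '^v=DMARC1' } | Select-Object -First 1
    $txt = if ($rec) { $rec.Strings -join '' } else { '' }
    $pct = if ($txt -match 'pct=(\d+)') { [int]$Matches[1] } else { 100 }
    [pscustomobject]@{
        Domain = $Domain
        Record = $txt
        Reject = [bool]($txt -match '(^|;)\s*p=reject\s*(;|$)') -and $pct -eq 100
    }
}
Test-DmarcReject -Domain $Domain
```

The order is deliberate: the Conditional Access policy is the control most likely to break something, so it goes in as report-only and is the one you revisit after a week of sign-in data; the consent and authentication policies are safe to enforce immediately; and the DMARC check is there because "we have DMARC" and "we have DMARC at p=reject with pct=100" are very different statements.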

Lessons

BEC incidents are rarely "we couldn't have prevented this." They're usually "we had the tools but hadn't enabled them yet." Post-incident, the most valuable thing is a realistic gap analysis — what would have prevented this specific attack chain. Roll out those controls; document the playbook; train the team for the next one.