Business Email Compromise Response
Phase 1 — Immediate Containment (Do First)
| # | Action | Details |
|---|---|---|
| 1 | Block Sign-In | Disable the compromised user account immediately. This is preferred and highly recommended until the investigation is complete. |
| 2 | Revoke All Sessions | Revoke all active sessions to immediately invalidate any access using stolen credentials. |
| 3 | Reset Password | Reset to a strong, unique password. Do NOT send the new password via email — the attacker may still have mailbox access. Communicate out-of-band (phone, Teams, in-person). |
Phase 2 — Investigation
4. Check Inbox Rules & Mail Forwarding
- Go to Microsoft Purview at purview.microsoft.com
- Select Audit → New Search
- Under Activities, select:
new-inboxrule,set-inboxrule,updateinboxrules - Set the User to the compromised account
- Expected result: Total results should be 0. Any results require review.
5. Check Audit Logs for Device Registration
- Review audit logs to see if any devices were registered to the compromised user during the compromise window.
6. Review MFA Methods
- Check if new MFA authentication methods were enabled.
- Identify and remove any suspicious devices added by the attacker.
- Ensure any unrecognized MFA methods are removed.
7. Check for App Registrations
- Check for App Registrations that may have been created and tied to the user's account.
- Remove and revoke any applications that shouldn't be allowed.
8. Review Administrative Roles
- Review the administrative roles assigned to the user.
- Remove any roles that shouldn't be allowed.
9. Review Mail Forwarders
- Remove any suspicious mailbox forwarding the attacker added.
- Check these mailbox properties via PowerShell:
Get-Mailbox -Identity <UPN> | Format-List Forwarding*Address,DeliverTo*
- ForwardingAddress — nonblank = email forwarded to internal recipient
- ForwardingSmtpAddress — nonblank = email forwarded to external recipient
- DeliverToMailboxAndForward — True = delivered AND forwarded; False = forwarded only
Also check Inbox rules:
Get-InboxRule -Mailbox <UPN> -IncludeHidden | Format-List Name,Enabled,RedirectTo,Forward*,Identity
CIPP Shortcut (Recommended)
If using CIPP, navigate to the user's profile and use the Compromise Remediation page:
- Review IoC Indicators: CIPP automatically checks Mailbox Rules, Recently Added Users, New Applications, Mailbox Permission Changes, MFA Devices, and Password Changes.
- Click "Remediate User" — this will:
- Block user sign-in
- Reset the user's password
- Disconnect all current sessions
- Remove all MFA methods
- Disable all inbox rules
- Disable OneDrive sharing
- Generate PDF Report — creates a report with investigation data and user education notes.
- Download JSON — saves raw analysis data for documentation.
Phase 3 — Post-Remediation
| Action | Owner | Priority | Timeline |
|---|---|---|---|
| Re-enable MFA (phishing-resistant preferred) | SOC | Top Priority | Immediate |
| Communicate new credentials to user (out-of-band) | SOC / Helpdesk | Top Priority | Immediate |
| Review Sent Items & Deleted Items for attacker activity | SOC | High | Same day |
| Notify affected internal/external recipients if BEC emails were sent | Account Manager | High | Same day |
| Document incident & generate CIPP PDF report | SOC | Medium | Within 48hrs |
| User education / phishing awareness follow-up | Operations | Medium | Near-term |
Key Indicators of Compromise (IoC) to Watch
- Suspicious Inbox rules (auto-forward to unknown addresses, move to Notes/Junk/RSS folders)
- Suspicious messages in Sent Items or Deleted Items
- Changes to the user's contact in the Global Address List (GAL)
- Frequent password changes or unexplained account lockouts
- Recently added external email forwarding
- New MFA devices or authentication methods
- New Enterprise App registrations
- Suspicious email signatures (fake banking, prescription drug, etc.)