Business Email Compromise Response

Phase 1 — Immediate Containment (Do First)

# Action Details
1 Block Sign-In Disable the compromised user account immediately. This is preferred and highly recommended until the investigation is complete.
2 Revoke All Sessions Revoke all active sessions to immediately invalidate any access using stolen credentials.
3 Reset Password Reset to a strong, unique password. Do NOT send the new password via email — the attacker may still have mailbox access. Communicate out-of-band (phone, Teams, in-person).

Phase 2 — Investigation

4. Check Inbox Rules & Mail Forwarding

  • Go to Microsoft Purview at purview.microsoft.com
  • Select Audit → New Search
  • Under Activities, select: new-inboxruleset-inboxruleupdateinboxrules
  • Set the User to the compromised account
  • Expected result: Total results should be 0. Any results require review.

5. Check Audit Logs for Device Registration

  • Review audit logs to see if any devices were registered to the compromised user during the compromise window.

6. Review MFA Methods

  • Check if new MFA authentication methods were enabled.
  • Identify and remove any suspicious devices added by the attacker.
  • Ensure any unrecognized MFA methods are removed.

7. Check for App Registrations

  • Check for App Registrations that may have been created and tied to the user's account.
  • Remove and revoke any applications that shouldn't be allowed.

8. Review Administrative Roles

  • Review the administrative roles assigned to the user.
  • Remove any roles that shouldn't be allowed.

9. Review Mail Forwarders

  • Remove any suspicious mailbox forwarding the attacker added.
  • Check these mailbox properties via PowerShell:
Get-Mailbox -Identity <UPN> | Format-List Forwarding*Address,DeliverTo*
  • ForwardingAddress — nonblank = email forwarded to internal recipient
  • ForwardingSmtpAddress — nonblank = email forwarded to external recipient
  • DeliverToMailboxAndForward — True = delivered AND forwarded; False = forwarded only

Also check Inbox rules:

Get-InboxRule -Mailbox <UPN> -IncludeHidden | Format-List Name,Enabled,RedirectTo,Forward*,Identity

CIPP Shortcut (Recommended)

If using CIPP, navigate to the user's profile and use the Compromise Remediation page:

  1. Review IoC Indicators: CIPP automatically checks Mailbox Rules, Recently Added Users, New Applications, Mailbox Permission Changes, MFA Devices, and Password Changes.
  2. Click "Remediate User" — this will:
    • Block user sign-in
    • Reset the user's password
    • Disconnect all current sessions
    • Remove all MFA methods
    • Disable all inbox rules
    • Disable OneDrive sharing
  3. Generate PDF Report — creates a report with investigation data and user education notes.
  4. Download JSON — saves raw analysis data for documentation.

Phase 3 — Post-Remediation

Action Owner Priority Timeline
Re-enable MFA (phishing-resistant preferred) SOC Top Priority Immediate
Communicate new credentials to user (out-of-band) SOC / Helpdesk Top Priority Immediate
Review Sent Items & Deleted Items for attacker activity SOC High Same day
Notify affected internal/external recipients if BEC emails were sent Account Manager High Same day
Document incident & generate CIPP PDF report SOC Medium Within 48hrs
User education / phishing awareness follow-up Operations Medium Near-term

Key Indicators of Compromise (IoC) to Watch

  • Suspicious Inbox rules (auto-forward to unknown addresses, move to Notes/Junk/RSS folders)
  • Suspicious messages in Sent Items or Deleted Items
  • Changes to the user's contact in the Global Address List (GAL)
  • Frequent password changes or unexplained account lockouts
  • Recently added external email forwarding
  • New MFA devices or authentication methods
  • New Enterprise App registrations
  • Suspicious email signatures (fake banking, prescription drug, etc.)

Article Details

Article ID:
40
Views:
5
Rating (Votes):
(0)

Related articles