833-787-2487 | support@northern-pc.com
Microsoft 365 Security Guide

Business Email Compromise

Business email compromise is one of the most damaging Microsoft 365 risks because attackers can use trusted mailboxes to steal money, data, and credentials.

Email Is a Financial Risk

A compromised mailbox can be used to redirect payments, impersonate employees, and attack customers or vendors.

  • Credential theft
  • Invoice fraud
  • Mailbox rule abuse

Business Email Compromise Defined

Business email compromise, often shortened to BEC, is a fraud technique where attackers use email to trick a business into sending money, changing payment instructions, revealing sensitive information, or trusting a false request. Sometimes the attacker compromises a real mailbox. Other times they impersonate a vendor, executive, employee, or customer.

Microsoft 365 is a common target because a mailbox contains context. Attackers can read old messages, learn vendor names, see invoice patterns, and craft messages that sound believable.

How BEC Usually Starts

  • A user enters their password on a fake Microsoft sign-in page
  • An attacker logs in from a new location
  • The attacker creates hidden forwarding or inbox rules
  • The attacker monitors vendor or billing conversations
  • A payment change or wire request is sent
  • The victim trusts the email because it appears to come from a known person

Mailbox Rules Are a Major Clue

Attackers often create mailbox rules to hide evidence. Rules may move messages to RSS feeds, archive folders, deleted items, or obscure folders. They may forward copies to an outside address. Reviewing mailbox rules is an important step after any suspected compromise.

Why MFA Helps

MFA makes it harder for attackers to use stolen passwords. It does not stop every phishing technique, but it dramatically improves the baseline. Administrator accounts and high-risk users should be especially protected.

Financial Procedures Matter

Technology alone cannot stop every payment scam. Businesses should verify payment changes through a known phone number, not by replying to the email. Staff should be trained to treat urgent wire transfers, gift card requests, payroll changes, and vendor banking changes as high-risk.

What to Check After a Suspected Compromise

  • Reset the password
  • Revoke active sessions
  • Confirm MFA methods
  • Review sign-in logs
  • Check mailbox forwarding
  • Inspect inbox rules
  • Review sent and deleted items
  • Notify affected contacts if fraudulent emails were sent
  • Review payments and vendor communication
  • Document the incident
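The rule review described under "Mailbox Rules Are a Major Clue" and the forwarding and inbox-rule items in the checklist above can be run across a whole tenant. The script below is an added example, not Northern Computer Services' code; it assumes the ExchangeOnlineManagement module and an account with Exchange admin or reader rights, and the hidden-folder list and output columns are this example's own choices.

```powershell
# Added example: enumerate mailbox-level forwarding and inbox rules across the tenant and
# flag the patterns the guide describes (external forward/redirect, deletion, moves to
# obscure folders). Assumes ExchangeOnlineManagement is installed; sign-in is interactive.
Connect-ExchangeOnline -ShowBanner:$false

# Internal domains, so a forward to anything else is treated as external
$internal = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }
# Folders attackers commonly use to bury mail (from the guide, plus Junk); assumption
$hideFolders = 'RSS Feeds|RSS Subscriptions|Archive|Deleted Items|Junk E-mail|Conversation History'

function Test-ExternalTarget {
    param([string[]]$Targets)
    foreach ($t in $Targets) {
        # Rule targets look like: "Name" [SMTP:user@example.com] or "Name" [EX:/o=...]
        # An EX: legacy DN is an internal recipient, so only SMTP targets are checked
        if ($t -match 'SMTP:([^\]]+)') {
            $domain = ($Matches[1] -split '@')[-1].ToLower()
            if ($internal -notcontains $domain) { return $true }
        }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Mailbox-level forwarding (set with Set-Mailbox) is separate from inbox rules
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = '(mailbox forwarding)';
            Reason = "Forwards to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)" }
    }
    # -IncludeHidden also returns rules that do not show in Outlook's rule list
    foreach ($r in Get-InboxRule -Mailbox $mbx.Identity -IncludeHidden -ErrorAction SilentlyContinue) {
        $why = @()
        $targets = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo)
        if (Test-ExternalTarget $targets)        { $why += 'external forward/redirect' }
        if ($r.DeleteMessage)                    { $why += 'deletes message' }
        if ($r.MoveToFolder -match $hideFolders) { $why += "moves to $($r.MoveToFolder)" }
        if ($r.MarkAsRead -and $r.MoveToFolder)  { $why += 'marks read and moves' }
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress
                Rule   = "$($r.Name) (Enabled=$($r.Enabled))"
                Reason = ($why -join '; ') }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\suspicious-mailbox-rules.csv -NoTypeInformation
```

Every flagged rule still needs a human decision; a user who legitimately files newsletters into an archive folder will appear here alongside an attacker's rule, so compare each finding with the mailbox's sign-in logs before acting.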

Frequently Asked Questions

What is business email compromise?

Business email compromise is an attack where criminals use email deception or compromised mailboxes to trick a business into sending money, changing payment instructions, or exposing sensitive information.

Is business email compromise the same as phishing?

Phishing is often the method used to steal credentials, while business email compromise is the broader fraud that may happen after an account is compromised or impersonated.

What are common signs of mailbox compromise?

Signs include suspicious forwarding rules, unexpected sent mail, login alerts, impossible travel sign-ins, vendor payment changes, password reset emails, and messages the user did not send.

Can MFA prevent business email compromise?

MFA reduces the risk of account takeover, but businesses also need user training, mailbox rule monitoring, payment verification procedures, and security review.

What should a business do after an email account is compromised?

Change passwords, revoke sessions, review MFA, inspect mailbox rules, check sent/deleted items, notify affected parties, review financial exposure, and document the incident.

Need Help Securing Microsoft 365?

Northern Computer Services helps Northern Michigan businesses configure Microsoft 365, protect accounts, manage licensing, secure email, and plan backup.