Business Email Compromise (BEC) is a type of cybersecurity attack where attackers impersonate a trusted party (such as the CEO) via fraudulent email, often leading to unauthorized fund transfers, payroll fraud, or exposure of sensitive information. BEC continues to be the most financially devastating cybercrime, with global losses surpassing $50 billion since 2013 and nearly $3 billion reported in the United States in 2023, according to the FBI.
Unlike broad phishing campaigns, BEC attacks are typically targeted, subtle, and driven by social engineering. The primary goal is to manipulate employees, often those in finance, human resources, or executive roles, into transferring money or disclosing confidential data under false pretenses.
In this blog, we walk through a practical, technical workflow for investigating a suspected BEC incident using real world telemetry such as email headers, authentication logs, file access, and behavioral signals.
A BEC investigation typically starts when an anomaly is observed. Common triggers include:
Pro tip: Always retrieve the original email directly from the user’s mailbox using your email platform’s message trace or eDiscovery tools. Avoid relying on emails that have been forwarded to IT or security teams. Forwarded messages often strip or reformat critical metadata, including:
Received
: header chain that reveals hop-by-hop mail server routing.SPF
, DKIM
, and DMARC
verdicts.X-MS-Exchange-CrossTenant-AuthAs
or X-Google-DKIM-Signature
, which can provide insights into the sending infrastructure.Losing these details can significantly reduce your ability to confirm spoofing, domain misalignment, or message tampering. In forensic investigations, always preserve the message in its original form, ideally as an .eml
or .msg
file, before beginning deeper analysis.
Start by collecting the full raw headers of the original email. Focus on the following components:
This should align with the sender’s domain. A mismatch between the visible “From” address and the Return-Path
may indicate spoofing. For example, an email claiming to be from ceo@company.com
but with a Return-Path
of ceo@externaldomain.io
is suspicious.
SPF verifies whether the sending IP address is authorized to send on behalf of the domain in the Return-Path. A proper SPF record is configured in the DNS TXT record of the domain, and looks like this:
PASS
: The sender IP is authorized.FAIL
: The IP is not authorized. Investigate further.SOFTFAIL
or NEUTRAL
: These may still allow spoofed emails to pass depending on the receiving mail server’s policy.DKIM ensures the integrity of the email content and verifies it was not modified in transit. It uses a cryptographic signature tied to the sender’s domain. The public key is published in DNS, and the mail server signs the message with the private key.
DMARC aligns SPF and/or DKIM with the domain in the “From” address and tells the recipient how to handle failures. The record is published in DNS as:
p=reject
tells recipients to reject emails that fail alignment.p=quarantine
places them in the spam folder.p=none
allows delivery but logs the incident.Example Findings from a Suspicious Email:
Interpretation: SPF
fails, DMARC
is not defined, and DKIM
passes. Because DMARC is absent, there is no policy enforcing alignment, making this message more likely to be fraudulent. SPF failure is a key indicator that the IP is spoofed.
Determine whether the email originated from a legitimate source or was designed to impersonate one. BEC attacks often leverage one of the following methods:
micros0ft.com
instead of microsoft.com
(digit 0 instead of letter o)rnicrosoft.com
instead of microsoft.com
(r and n together appear like m)support-cornpany.com
where "cornpany" uses an r
and n
instead of m
аррӏе.com
(using Cyrillic characters) looks nearly identical to apple.com
but represents different Unicode code points. While it appears the same to most users, it points to a completely different destination on the internet.Since the Domain Name System (DNS) supports only ASCII characters, these Unicode domains are encoded into an ASCII-compatible format called Punycode. This conversion allows the domain to be resolved by DNS servers even though it contains non-ASCII characters. For example:
When viewed at the DNS or network layer, you see the Punycode version (xn--80ak6aa92e.com
), not the Unicode domain.
To detect potential homograph domains, you can decode Punycode back to its Unicode form using tools or scripts. Below is a simple Python example using the built-in IDNA codec:
This process reveals the exact Unicode characters used, enabling analysts to identify visually deceptive characters that bypass simple string comparisons.
Action points:
idna
decoding tools to inspect Punycode-encoded domains and reveal Unicode spoofing.Once you suspect a BEC attack, it is critical to analyze behavioral telemetry and authentication logs to confirm account compromise or malicious activity. Common data sources include:
Look for suspicious sign-in activity including:
Such anomalies can indicate credential theft, session hijacking, or use of automated tools.
Inbox or mail flow rules are a favorite tactic for attackers who have compromised a mailbox. These rules enable persistent control and stealthy exfiltration. Common malicious mailbox rules include:
Example of a suspicious mailbox rule JSON snippet:
Such a rule silently forwards critical financial communications to the attacker, enabling them to intercept invoice requests or payment instructions.
BEC attacks frequently exploit weaknesses or gaps in business workflows. As part of your investigation, validate whether the suspicious communication aligns with established business procedures and logic. Key questions to consider:
To identify deviations, compare the suspicious request against trusted baselines such as vendor master data, procurement approval flows, payment request forms, and historical email templates. Any deviation from these established norms should raise suspicion and be treated as a potential manipulation vector.
If the investigation confirms mailbox compromise, expand your scope to assess the attacker’s lateral movement, persistence, and data exfiltration capabilities:
Indicators of lateral movement or persistence may include:
Based on your findings, execute an appropriate containment strategy:
To reduce risk and strengthen defenses, implement the following best practices:
Business Email Compromise is less about malware and more about deception, social engineering, and exploiting trust within organizations. Effective investigation demands not only technical expertise analyzing telemetry and authentication data but also a solid understanding of business context and communication patterns.
A layered defense combining strong technical controls, user education, and clear financial policies is your best strategy to prevent and detect these attacks early.
Business Email Compromise is a targeted cyberattack where threat actors impersonate a trusted party—like a CEO or vendor—via email to trick employees into transferring money or sharing sensitive data. These attacks rely heavily on social engineering and are typically difficult to detect because they mimic normal business communication.
While phishing is often broad and generic, BEC attacks are targeted, context-aware, and involve impersonation of known individuals or organizations. BEC relies more on deception and psychological manipulation than malicious links or attachments.
Early signs of BEC include vague or urgent emails from executives, unexpected requests to change payment instructions, and detection alerts such as mailbox rule changes or logins from unusual locations. Suspicious sender domains and missing or failing email authentication (SPF, DKIM, DMARC) are also key indicators.
To investigate a BEC email, start by retrieving the original message—not a forwarded copy—and analyze the full headers, including Return-Path and authentication results. You should also review behavioral signals like login anomalies, mailbox rules, and OAuth token activity to identify compromise or intent.
Authentication logs from identity providers like Azure AD or Okta, audit trails from email platforms like Microsoft 365, and SIEM alerts are essential for confirming BEC compromise. Look for MFA bypasses, unusual IP logins, and the creation of inbox rules that enable stealthy access.
Yes, once an account is compromised, attackers often move laterally by messaging other employees or accessing shared resources. Analysts should check for unauthorized OAuth grants, credential reuse, and mailbox exports that may indicate data theft or persistence.
Key BEC prevention measures include enforcing multi-factor authentication, blocking external email forwarding, deploying DMARC with a reject policy, and educating users on how to verify unusual requests. Monitoring login patterns and mailbox rule changes also helps detect attacks early.
SOC teams that implement structured BEC detection and investigation workflows often see a reduction in dwell time and mean time to respond (MTTR). Faster containment of mailbox compromises reduces financial risk and limits potential data exposure.