Incident Response Workflow: Business Email Compromise.
The email came from a real mailbox.
The signature looked right. The tone sounded familiar. The request was urgent, but believable.
A bank account had changed. An invoice needed paying. The finance team almost approved it.
Agent Foskett knew this was not just an email investigation. Business Email Compromise is an identity, mailbox and fraud investigation wrapped inside a message that looks normal.
Lesson overview
Learn how to investigate Business Email Compromise by correlating Microsoft Defender XDR, Exchange Online, Microsoft Entra ID, mailbox activity, suspicious email behaviour and incident response actions.
Why Business Email Compromise matters
The BEC incident response workflow
Step 1 — Find the reported message
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
let TimeFrame = 14d;
let SubjectKeyword = "bank account";
EmailEvents
| where Timestamp > ago(TimeFrame)
| where Subject has SubjectKeyword
| project Timestamp,
SenderFromAddress,
SenderMailFromAddress,
RecipientEmailAddress,
Subject,
DeliveryAction,
DeliveryLocation,
NetworkMessageId
| order by Timestamp descStep 2 — Identify all recipients
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
let TimeFrame = 14d;
let SuspiciousSubject = "updated bank details";
EmailEvents
| where Timestamp > ago(TimeFrame)
| where Subject has SuspiciousSubject
| summarize Recipients = make_set(RecipientEmailAddress, 100),
MessageCount = count(),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by SenderFromAddress,
SenderMailFromAddress,
Subject,
DeliveryAction
| order by MessageCount descStep 3 — Review sign-ins for the sender mailbox
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let TimeFrame = 14d;
let SenderAccount = "executive@contoso.com";
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| where AccountUpn =~ SenderAccount
| project Timestamp,
AccountUpn,
ActionType,
IPAddress,
Location,
DeviceName,
FailureReason
| order by Timestamp ascStep 4 — Look for inbox rules and mailbox manipulation
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
let TimeFrame = 14d;
let MailboxUser = "executive@contoso.com";
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| where AccountDisplayName has MailboxUser or AccountId has MailboxUser
| where ActionType has_any ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "MailItemsAccessed", "Send", "Forward")
| project Timestamp,
AccountDisplayName,
ActionType,
Application,
IPAddress,
DeviceType,
RawEventData
| order by Timestamp descStep 5 — Correlate BEC activity with Defender alerts
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
let TimeFrame = 14d;
let AccountsOfInterest = dynamic(["executive@contoso.com", "finance@contoso.com"]);
AlertEvidence
| where Timestamp > ago(TimeFrame)
| where AccountName in~ (AccountsOfInterest)
or AccountUpn in~ (AccountsOfInterest)
| project Timestamp,
AlertId,
AccountName,
AccountUpn,
EntityType,
EvidenceRole,
DeviceName,
RemoteIP
| order by Timestamp descStep 6 — Build the BEC timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
let TimeFrame = 14d;
let UserToInvestigate = "executive@contoso.com";
let IdentityTimeline =
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| where AccountUpn =~ UserToInvestigate
| project Timestamp, EventType = "Identity", Account = AccountUpn, Detail = strcat(ActionType, " from ", IPAddress, " ", Location);
let MailTimeline =
EmailEvents
| where Timestamp > ago(TimeFrame)
| where SenderFromAddress =~ UserToInvestigate
| project Timestamp, EventType = "Email", Account = SenderFromAddress, Detail = strcat("Sent to ", RecipientEmailAddress, " | ", Subject);
union IdentityTimeline, MailTimeline
| order by Timestamp ascCommon BEC investigation clues
Containment and remediation checklist
Related Agent Foskett Academy lessons
Coming next
Final thought
Incident Response Workflow Business Email Compromise in Microsoft Defender XDR
Agent Foskett Academy Lesson 112 teaches defenders how to investigate Business Email Compromise using Microsoft Defender XDR, Exchange Online, Microsoft Entra ID, mailbox telemetry, identity signals and KQL workflows.
Learn BEC investigation with KQL and Microsoft Defender XDR
Business Email Compromise investigations require analysts to validate suspicious messages, review sender identity, inspect mailbox activity, check inbox rules, review OAuth apps and contain compromised accounts.
Microsoft 365 Business Email Compromise incident response tutorial
This lesson explains how to investigate fraudulent payment requests, compromised mailboxes, suspicious sign-ins, mailbox forwarding, OAuth persistence and Defender XDR evidence during BEC incidents.
