Categories
The 39-Minute Investigation: How Five Low-Severity Alerts Became a Confirmed Account Takeover
Published on July 8, 2026 | Last updated on July 8, 2026 | 7 min read
What Security Leaders Need to Know
- Siloed alerts create structural blind spots. Modern BEC attacks distribute activity across multiple tools and geographies. Individual events appear legitimate in isolation — the attack only becomes visible when signals are correlated across identity, authentication, and collaboration layers simultaneously.
- Geography is a high-confidence detection signal. An account authenticating from the United States and sharing files from Japan within 16 minutes is not a policy violation — it is a behavioral impossibility. Cross-geography identity correlation is one of the strongest BEC indicators available, and most organizations are not acting on it.
- AI-driven correlation changes the math on containment. Human-speed triage cannot keep pace with distributed, multi-cloud threats. In this investigation, automated correlation across five low-severity signals produced a confirmed, critical-severity incident (and containment) in 39 minutes.
When attackers split their footprint across two continents, no single alert tells the full story.
BEC Has Outgrown the Phishing Email
Business Email Compromise used to be relatively straightforward to describe: a phishing email, stolen credentials, an urgent wire transfer request. Security teams knew what to look for. Detection logic was written accordingly.
That version of BEC still exists. But the attacks causing the most damage today look nothing like it.
Modern BEC campaigns are built around a simple insight: in large enterprises, hundreds of legitimate actions happen every hour that would each look suspicious if examined in isolation. Users authenticate from new devices. Mailbox rules get created. Files get shared with external partners. Each event generates an alert somewhere. Each alert gets triaged (often independently, and across different tools and consoles) and frequently gets closed or downgraded because nothing about it, on its own, crosses a clear threshold.
Attackers know this. They have adapted accordingly.
Instead of executing a single dramatic action that triggers an immediate high-severity alert, today's threat actors string together a sequence of individually low-risk activities; each one defensible in isolation, each one a step toward the same objective. By the time the relationship between those activities becomes visible, the window for early containment has often already closed.
This is the operational gap that modern Business Email Compromise is built to exploit. And it is precisely the gap this investigation exposed.
The Attack: Two Continents, 39 Minutes
The incident documented here unfolded within a single working morning. It began with a successful login and ended with confirmed containment 39 minutes later. In between, a threat actor executed a coordinated account takeover across infrastructure spanning two continents and nearly every individual action appeared legitimate until viewed together.
The attack played out in two phases, separated deliberately by geography.
.png?width=802&height=437&name=image%20(36).png)
Phase 1 — Account Compromise and Defense Evasion (United States)
At 09:02, the compromised corporate account authenticated successfully using valid credentials. The login originated from a hosting provider IP address in the United States, infrastructure with no relationship to the user's normal login history.
Valid credentials mean no authentication failure. No blocked sign-in. No MFA challenge triggered. From the perspective of any individual identity tool, this was a successful login.
Three minutes later, at 09:05, the attacker created mailbox rules designed specifically to suppress visibility. Rules were configured to hide security notifications, suppress account activity alerts, and redirect or delete specific categories of incoming email. The objective was clear: ensure the legitimate account owner would not notice their account was being actively used by someone else.
Individually, inbox rule creation is one of the most common administrative actions in any Microsoft 365 environment. Thousands of legitimate rules are created daily. This one mapped directly to MITRE T1114.003 (Email Collection: Email Forwarding Rule) but without correlation context, it registered as a medium-priority alert at best.
Phase 2 — Exfiltration Preparation (Japan)
Sixteen minutes after the initial login, at 09:18, activity originating from the same compromised identity appeared again — this time from cloud infrastructure in Japan.
Same account. Different continents. Sixteen-minute gap.
The attacker initiated unauthorized external sharing of a sensitive corporate document, routing the transfer through Asia-Pacific cloud infrastructure. The action mapped to T1567 (Exfiltration Over Web Services) and T1537 (Transfer Data to Cloud Account).
Viewed as a standalone file-sharing event, it looked like routine business collaboration. The file went to an external recipient. Users share files externally hundreds of times a day.
Viewed alongside the United States authentication and the mailbox rule manipulation that preceded it, the picture was entirely different.
Why Individual Alerts Failed Where Correlation Succeeded

Each of the three core events: authentication from anomalous infrastructure, mailbox rule creation, external file sharing; generated an alert in at least one security tool. The authentication anomaly was flagged based on infrastructure deviation from the user's established login pattern. The inbox rule modification surfaced as a behavioral indicator consistent with defense evasion. The file-sharing event registered as an anomalous external collaboration activity.
Three separate alerts. Three separate consoles. Each one, independently, a low-to-medium severity signal that a busy analyst might reasonably deprioritize during a normal morning.
What no individual tool could determine on its own was whether these three events were connected.
The geographic separation was deliberate. The United States and the Japan activity appearing under the same identity within 16 minutes of each other is not a normal human behavior pattern. But recognizing that required watching the same identity across both environments simultaneously and noticing the temporal relationship between events. That is exactly what a correlation engine is built to do. And precisely what siloed, per-product alerting cannot.
How the Netenrich Agentic SOC Connected the Chain

Rather than routing the three alerts to separate analyst queues, Netenrich Agentic SOC correlated them automatically across identity, authentication, and collaboration telemetry; treating them as a single investigation rather than independent incidents.
The correlation engine analyzed:
- Identity relationships: All three events shared the same compromised account
- Temporal proximity: The sequence from login to rule creation to external share spanned just 16 minutes
- Geographic anomalies: The United States and the Japan activity on the same identity within the same session window
- Behavioral sequence: The pattern matched known BEC tactics, specifically the T1078 → T1114.003 → T1567 progression
- Risk score aggregation: Individually low-to-medium signals, combined into a critical-severity incident
At 09:22 (four minutes after the Japan file-sharing event): The Agentic SOC correlation engine linked the events into a unified attack narrative. At 09:25, a critical incident was automatically generated and surfaced to analysts with the full attack chain already assembled: the compromised account, the attacker's distributed infrastructure, the malicious mailbox modifications, and the targeted corporate asset.
Analysts did not need to pivot across consoles. They did not need to manually reconstruct the sequence. They received a single high-confidence incident enriched with behavioral evidence, geographic context, and MITRE ATT&CK technique mappings; everything needed to make an immediate containment decision.
At 09:41, containment actions were executed. Total time from initial compromise to mitigation: 39 minutes.
| Time | Activity |
|---|---|
| 09:02 | Account authenticated from hosting provider IP, US |
| 09:05 | Malicious inbox rules created, security notifications suppressed |
| 09:18 | Sensitive corporate file shared externally from Japan |
| 09:22 | Agentic SOC correlation engine linked events into unified attack chain |
| 09:25 | Critical incident automatically generated and surfaced |
| 09:41 | Containment actions executed |
What the Investigation Established
The Netenrich AI Investigator automatically performed a contextual business email compromise investigation across multiple evidence dimensions, including:
- Authentication source verification
- Geolocation anomaly analysis
- Infrastructure reputation analysis
- Historical user behavior baseline review
- Mailbox rule integrity inspection
- External file-sharing activity assessment
No single finding confirmed the compromise. Confidence built because each new piece of evidence reinforced the previous one.
The authentication pattern deviated from the user's established baseline. Mailbox rules changed within three minutes of access being established, a timeline consistent with an attacker moving to cover their tracks before the account owner noticed. External sharing activity followed shortly afterward, originating from a second geographic location under the same identity.
Combined, the evidence established a clear and coherent attack progression consistent with Business Email Compromise: unauthorized access via valid credentials (T1078), defense evasion through mailbox rule manipulation (T1114.003), and exfiltration preparation via external file sharing (T1567, T1537).
The incident was classified as a confirmed Business Email Compromise, not because one alert crossed a critical threshold, but because the combined evidence told a story that could not be explained by coincidence.
Recommended Containment Actions: How to Prevent Business Email Compromise
Once the compromise was confirmed, the investigation informed an immediate set of containment and remediation actions. These are applicable broadly to any confirmed BEC incident:
- Reset credentials for the affected account immediately
- Revoke active sessions, and all authentication tokens and refresh tokens
- Review and remove unauthorized mailbox rules created during the compromise window
- Audit external file-sharing activity for potential data exposure or phishing distribution
- Validate MFA integrity, confirm no unauthorized authenticators or bypass methods were added
- Investigate related authentication events, determine whether any other accounts share behavioral patterns with the compromised identity
- Review recent administrative changes associated with the affected account
Speed matters here. Every minute between confirmed compromise and credential reset is a minute the attacker retains active access.
What This Means for Security Operations
The operational lesson from this investigation is not that BEC attacks are impossible to detect. It is that they are designed to be invisible to tools that evaluate events independently.
Three observations are worth carrying forward.
- Identity is now the primary attack surface - Attackers increasingly begin with valid credentials rather than malware or infrastructure exploitation. Once authenticated, they operate using the same collaboration tools and cloud services trusted by legitimate users. The attack surface is not a network perimeter — it is an identity.
- Individual alerts rarely tell the complete story - Mailbox rule manipulation, authentication anomalies, and external file-sharing events may each appear benign in isolation. The significance emerges only when evaluated together, in sequence, against a behavioral baseline.
- Correlation reduces analyst burden, not just detection gaps - The value of automated correlation is not simply finding more incidents. It is reducing the time analysts spend determining whether alerts are related. In this investigation, analysts received a fully assembled attack narrative rather than three disconnected medium-severity tickets. That difference, between assembling context and receiving it, is what makes 39-minute mitigation possible.
Conclusion: The Faster the Correlation, the Smaller the Window
Business Email Compromise has evolved alongside the cloud platforms that modern enterprises depend on. Attackers understand that compromising a trusted identity often provides faster access to sensitive business information than any technical exploit. They also understand that most organizations still investigate authentication events, mailbox activity, and collaboration behavior in separate tools, on separate timelines, by separate teams.
Closing that gap does not require replacing every security tool in the stack. It requires embedding automated, ai-driven business email compromise detection that connects identity activity across those tools in real time — recognizing when independent events belong to the same investigation, and surfacing that relationship to analysts before the attacker completes the objective.
In this case, the difference between a successful breach and a contained incident came down to 39 minutes and the ability to treat five low-severity signals as one high-confidence attack.
Take the Next Step
Most organizations already collect the telemetry that would have detected this attack: authentication logs, email activity, collaboration events, identity behavior data. The question is whether those signals can be connected quickly enough to expose an active compromise before the attacker achieves their objective.
Reviewing how your security operations correlate identity activity across authentication, email, and collaboration platforms is often the fastest way to identify where investigation gaps exist and where an attacker could move undetected.
Engage with Netenrich today to map your identity attack surface, test your detection coverage against real BEC scenarios, and understand whether your current operations could have caught this attack in 39 minutes or would still be investigating it now.
Shift Your SOC into High Gear
Tired of distributed identity threats slipping through separate security consoles? Deploy a Netenrich Agentic SOC in 30 Days to achieve real-time cross-tool correlation, eliminate manual triage gaps, and complete triage within 3-minutes.
About the Author
Suma Ballal
Suma Ballal is a Product Manager at Netenrich focused on building advanced Agentic SOC solutions that help organizations proactively detect, investigate, and respond to cyber threats. Drawing on a background in software engineering, quality leadership, and agile product management, she bridges technical depth with product strategy to deliver scalable, AI-driven security solutions.
Prior to Netenrich, she spent over seven years at RSA Security driving operational excellence across software development and quality engineering initiatives. She is passionate about leveraging AI, automation, and data-driven security operations to improve detection efficacy, accelerate threat investigations, and help security teams stay ahead of an evolving threat landscape.
Related Articles
Subscribe for updates
The best source of information for Agentic SOC and Cyber Risk Operations best practices. Join us.


