Business Email Compromise used to be relatively straightforward to describe: a phishing email, stolen credentials, an urgent wire transfer request. Security teams knew what to look for. Detection logic was written accordingly.
That version of BEC still exists. But the attacks causing the most damage today look nothing like it.
Modern BEC campaigns are built around a simple insight: in large enterprises, hundreds of legitimate actions happen every hour that would each look suspicious if examined in isolation. Users authenticate from new devices. Mailbox rules get created. Files get shared with external partners. Each event generates an alert somewhere. Each alert gets triaged (often independently, and across different tools and consoles) and frequently gets closed or downgraded because nothing about it, on its own, crosses a clear threshold.
Attackers know this. They have adapted accordingly.
Instead of executing a single dramatic action that triggers an immediate high-severity alert, today's threat actors string together a sequence of individually low-risk activities; each one defensible in isolation, each one a step toward the same objective. By the time the relationship between those activities becomes visible, the window for early containment has often already closed.
This is the operational gap that modern Business Email Compromise is built to exploit. And it is precisely the gap this investigation exposed.
The incident documented here unfolded within a single working morning. It began with a successful login and ended with confirmed containment 39 minutes later. In between, a threat actor executed a coordinated account takeover across infrastructure spanning two continents and nearly every individual action appeared legitimate until viewed together.
The attack played out in two phases, separated deliberately by geography.
At 09:02, the compromised corporate account authenticated successfully using valid credentials. The login originated from a hosting provider IP address in the United States, infrastructure with no relationship to the user's normal login history.
Valid credentials mean no authentication failure. No blocked sign-in. No MFA challenge triggered. From the perspective of any individual identity tool, this was a successful login.
Three minutes later, at 09:05, the attacker created mailbox rules designed specifically to suppress visibility. Rules were configured to hide security notifications, suppress account activity alerts, and redirect or delete specific categories of incoming email. The objective was clear: ensure the legitimate account owner would not notice their account was being actively used by someone else.
Individually, inbox rule creation is one of the most common administrative actions in any Microsoft 365 environment. Thousands of legitimate rules are created daily. This one mapped directly to MITRE T1114.003 (Email Collection: Email Forwarding Rule) but without correlation context, it registered as a medium-priority alert at best.
Sixteen minutes after the initial login, at 09:18, activity originating from the same compromised identity appeared again — this time from cloud infrastructure in Japan.
Same account. Different continents. Sixteen-minute gap.
The attacker initiated unauthorized external sharing of a sensitive corporate document, routing the transfer through Asia-Pacific cloud infrastructure. The action mapped to T1567 (Exfiltration Over Web Services) and T1537 (Transfer Data to Cloud Account).
Viewed as a standalone file-sharing event, it looked like routine business collaboration. The file went to an external recipient. Users share files externally hundreds of times a day.
Viewed alongside the United States authentication and the mailbox rule manipulation that preceded it, the picture was entirely different.
Each of the three core events: authentication from anomalous infrastructure, mailbox rule creation, external file sharing; generated an alert in at least one security tool. The authentication anomaly was flagged based on infrastructure deviation from the user's established login pattern. The inbox rule modification surfaced as a behavioral indicator consistent with defense evasion. The file-sharing event registered as an anomalous external collaboration activity.
Three separate alerts. Three separate consoles. Each one, independently, a low-to-medium severity signal that a busy analyst might reasonably deprioritize during a normal morning.
What no individual tool could determine on its own was whether these three events were connected.
The geographic separation was deliberate. The United States and the Japan activity appearing under the same identity within 16 minutes of each other is not a normal human behavior pattern. But recognizing that required watching the same identity across both environments simultaneously and noticing the temporal relationship between events. That is exactly what a correlation engine is built to do. And precisely what siloed, per-product alerting cannot.
Rather than routing the three alerts to separate analyst queues, Netenrich Agentic SOC correlated them automatically across identity, authentication, and collaboration telemetry; treating them as a single investigation rather than independent incidents.
The correlation engine analyzed:
At 09:22 (four minutes after the Japan file-sharing event): The Agentic SOC correlation engine linked the events into a unified attack narrative. At 09:25, a critical incident was automatically generated and surfaced to analysts with the full attack chain already assembled: the compromised account, the attacker's distributed infrastructure, the malicious mailbox modifications, and the targeted corporate asset.
Analysts did not need to pivot across consoles. They did not need to manually reconstruct the sequence. They received a single high-confidence incident enriched with behavioral evidence, geographic context, and MITRE ATT&CK technique mappings; everything needed to make an immediate containment decision.
At 09:41, containment actions were executed. Total time from initial compromise to mitigation: 39 minutes.
| Time | Activity |
|---|---|
| 09:02 | Account authenticated from hosting provider IP, US |
| 09:05 | Malicious inbox rules created, security notifications suppressed |
| 09:18 | Sensitive corporate file shared externally from Japan |
| 09:22 | Agentic SOC correlation engine linked events into unified attack chain |
| 09:25 | Critical incident automatically generated and surfaced |
| 09:41 | Containment actions executed |
The Netenrich AI Investigator automatically performed a contextual business email compromise investigation across multiple evidence dimensions, including:
No single finding confirmed the compromise. Confidence built because each new piece of evidence reinforced the previous one.
The authentication pattern deviated from the user's established baseline. Mailbox rules changed within three minutes of access being established, a timeline consistent with an attacker moving to cover their tracks before the account owner noticed. External sharing activity followed shortly afterward, originating from a second geographic location under the same identity.
Combined, the evidence established a clear and coherent attack progression consistent with Business Email Compromise: unauthorized access via valid credentials (T1078), defense evasion through mailbox rule manipulation (T1114.003), and exfiltration preparation via external file sharing (T1567, T1537).
The incident was classified as a confirmed Business Email Compromise, not because one alert crossed a critical threshold, but because the combined evidence told a story that could not be explained by coincidence.
Once the compromise was confirmed, the investigation informed an immediate set of containment and remediation actions. These are applicable broadly to any confirmed BEC incident:
Speed matters here. Every minute between confirmed compromise and credential reset is a minute the attacker retains active access.
The operational lesson from this investigation is not that BEC attacks are impossible to detect. It is that they are designed to be invisible to tools that evaluate events independently.
Three observations are worth carrying forward.
Business Email Compromise has evolved alongside the cloud platforms that modern enterprises depend on. Attackers understand that compromising a trusted identity often provides faster access to sensitive business information than any technical exploit. They also understand that most organizations still investigate authentication events, mailbox activity, and collaboration behavior in separate tools, on separate timelines, by separate teams.
Closing that gap does not require replacing every security tool in the stack. It requires embedding automated, ai-driven business email compromise detection that connects identity activity across those tools in real time — recognizing when independent events belong to the same investigation, and surfacing that relationship to analysts before the attacker completes the objective.
In this case, the difference between a successful breach and a contained incident came down to 39 minutes and the ability to treat five low-severity signals as one high-confidence attack.
Most organizations already collect the telemetry that would have detected this attack: authentication logs, email activity, collaboration events, identity behavior data. The question is whether those signals can be connected quickly enough to expose an active compromise before the attacker achieves their objective.
Reviewing how your security operations correlate identity activity across authentication, email, and collaboration platforms is often the fastest way to identify where investigation gaps exist and where an attacker could move undetected.
Engage with Netenrich today to map your identity attack surface, test your detection coverage against real BEC scenarios, and understand whether your current operations could have caught this attack in 39 minutes or would still be investigating it now.
Tired of distributed identity threats slipping through separate security consoles? Deploy a Netenrich Agentic SOC in 30 Days to achieve real-time cross-tool correlation, eliminate manual triage gaps, and complete triage within 3-minutes.