Tag Archives: business email compromise

Methodology: MailItemsAccessed-Based Investigation for BEC in Microsoft 365

Posted on by
Reply

When your organization faces a business-email compromise (BEC) incident, one of the hardest questions is: “What did the attacker actually read or export?” Conventional logs often show only sign-ins or outbound sends, but not the depth of mailbox item access. The MailItemsAccessed audit event in Microsoft 365 Unified Audit Log (UAL) brings far more visibility — if configured correctly. This article outlines a repeatable, defensible process for investigation using that event, from readiness verification to scoping and reporting.

Objective

Provide a repeatable, defensible process to identify, scope, and validate email exposure in BEC investigations using the MailItemsAccessed audit event.

Phase 1 — Readiness Verification (Pre-Incident)

Before an incident hits, you must validate your logging and audit posture. These steps ensure you’ll have usable data.

1. Confirm Licensing

  • Verify your tenant’s audit plan under Microsoft Purview Audit (Standard or Premium).

    • Audit (Standard): default retention 180 days (previously 90).

    • Audit (Premium): longer retention (e.g., 365 days or more), enriched logs.

  • Confirm that your license level supports the MailItemsAccessed event. Many sources state this requires Audit Premium or an E5-level compliance add-on.

2. Validate Coverage

  • Confirm mailbox auditing is on by default for user mailboxes. Microsoft states this for Exchange Online.

  • Confirm that MailItemsAccessed is part of the default audit set (or if custom audit sets exist, that it’s included). According to Microsoft documentation: the MailItemsAccessed action “covers all mail protocols … and is enabled by default for users assigned an Office 365 E3/E5 or Microsoft 365 E3/E5 licence.”

  • For tenants with customised audit sets, ensure the Microsoft defaults are re-applied so that MailItemsAccessedisn’t inadvertently removed.

3. Retention & Baseline

  • Record what your current audit-log retention policy is (e.g., 180 days vs 365 days) so you know how far back you can search.

  • Establish a baseline volume of MailItemsAccessed events—how many are generated from normal activity. That helps define thresholds for abnormal behaviour during investigation.

Phase 2 — Investigation Workflow (During Incident)

Once an incident is underway and you have suspected mailboxes, follow structured investigation steps.

1. Identify Affected Accounts

From your alarm sources (e.g., anomalous sign-in alerts, inbound or outbound rule creation, unusual inbox rules, compromised credentials) compile a list of mailboxes that might have been accessed.

2. Extract Evidence

In the Purview portal → Audit → filter for Activity = MailItemsAccessed, specifying the time range that covers suspected attacker dwell time.
Export the results to CSV via the Unified Audit Log.

3. Correlate Access Sessions

Group the MailItemsAccessed results by key session indicators:

  • ClientIP

  • SessionId

  • UserAgent / ClientInfoString

Flag sessions that show:

  • Unknown or non-corporate IP addresses (e.g., external ASN)

  • Legacy protocols (IMAP, POP, ActiveSync) or bulk-sync behaviour

  • User agents indicating automated tooling or scripting

4. Quantify Exposure

  • Count distinct ItemIds and FolderPaths to determine how many items and which folders were accessed.

  • Look for throttling indicators (for example more than ~1,000 MailItemsAccessed events in 24 h for a single user may indicate scripted or bulk access).

  • Use the example KQL queries below (see Section “KQL Example Snippets”).

5. Cross-Correlate with Other Events

  • Overlay these results with Send audit events and InboxRule/New-InboxRule events to detect lateral-phish, rule-based fraud or data-staging behaviour.

  • For example, access events followed by mass sends indicate attacker may have read and then exfiltrated or used the account for fraud.

6. Validate Exfil Path

  • Check the client protocol used by the session. If the client is REST API, bulk sync or legacy protocol, that may indicate the attacker is exfiltrating rather than simply reading.

  • If MailItemsAccessed shows items accessed using a legacy IMAP/POP or ActiveSync session — that is a red flag for mass download.

Phase 3 — Analysis & Scoping

Once raw data is collected, move into analysis to scope the incident.

1. Establish Attack Session Timeline

  • Combine sign-in logs (from Microsoft Entra ID Sign‑in Logs) with MailItemsAccessed events to reconstruct dwell time and sequence.

  • Determine when attacker first gained access, how long they stayed, and when they left.

2. Define Affected Items

  • Deliver an itemised summary (folder path, count of items, timestamps) of mailbox items accessed.

  • Limit exposure claims to the items you have logged evidence for — do not assume access of the entire mailbox unless logs show it (or you have other forensic evidence).

3. Corroborate with Throttling and Send Events

  • If you see unusual high-volume access plus spike in Send events or inbox rule changes, you can conclude automated or bulk access occurred.

  • Document IOCs (client IPs, session IDs, user-agent strings) tied to the malicious session.

Phase 4 — Reporting & Validation

After investigation you report findings and validate control-gaps.

1. Evidence Summary

Your report should document:

  • Tenant license type and retention (Audit Standard vs Premium)

  • Audit coverage verification (mailbox auditing enabled, MailItemsAccessed present)

  • Affected item count, folder paths, session data (IPs, protocol, timeframe)

  • Indicators of compromise (IOCs) and signs of mass or scripted access

2. Limitations

Be transparent about limitations:

  • Upgrading to Audit Premium mid-incident will not backfill missing MailItemsAccessed data for the earlier period. Sources note this gap.

  • If mailbox auditing or default audit-sets were customised (and MailItemsAccessed omitted), you may lack full visibility. Example commentary notes this risk.

3. Recommendations

  • Maintain Audit Premium licensing for at-risk tenants (e.g., high-value executive mailboxes or those handling sensitive data).

  • Pre-stage KQL dashboards to detect anomalies (e.g., bursts of MailItemsAccessed, high counts per hour or per day) so you don’t rely solely on ad-hoc searches.

  • Include audit-configuration verification (licensing, mail-audit audit-set, retention) in your regular vCISO or governance audit cadence.

KQL Example Snippets

 
// Detect burst read activity per IP/user
AuditLogs
| where Operation == "MailItemsAccessed"
| summarize Count = count() by UserId, ClientIP, bin(TimeGenerated, 1h)
| where Count > 100

// Detect throttling patterns (scripted or bulk reads)
AuditLogs
| where Operation == "MailItemsAccessed"
| summarize TotalReads = count() by UserId, bin(TimeGenerated, 24h)
| where TotalReads > 1000

MITRE ATT&CK Mapping

Tactic Technique ID
Collection Email Collection T1114.002
Exfiltration Exfiltration Over Web Services T1567.002
Discovery Cloud Service Discovery T1087.004
Defense Evasion Valid Accounts (Cloud) T1078.004

These mappings illustrate how MailItemsAccessed visibility ties directly into attacker-behaviour frameworks in cloud email contexts.

Minimal Control Checklist

  •  Verify Purview Audit plan and retention

  •  Validate MailItemsAccessed events present/searchable for a sample of users

  •  Ensure mailbox auditing defaults (default audit-set) restored and active

  •  Pre-stage anomaly detection queries / dashboards for mailbox-access bursts

Conclusion

When investigating a BEC incident, possession of high-fidelity audit data like MailItemsAccessed transforms your investigation from guesswork into evidence-driven clarity. The key is readiness: licence appropriately, validate your coverage, establish baselines, and when a breach occurs follow a structured workflow from extraction to scoping to reporting. Without that groundwork your post-incident forensics may hit blind spots. But with it you increase your odds of confidently quantifying exposure, attributing access and closing the loop.

Prepare, detect, dissect—repeatably.

References

  1. Microsoft Learn: Manage mailbox auditing – “Mailbox audit logging is turned on by default in all organizations.”

  2. Microsoft Learn: Use MailItemsAccessed to investigate compromised accounts – “The MailItemsAccessed action … is enabled by default for users that are assigned an Office 365 E3/E5 or Microsoft 365 E3/E5 license.”

  3. Microsoft Learn: Auditing solutions in Microsoft Purview – licensing and search prerequisites.

  4. Office365ITPros: Enable MailItemsAccessed event for Exchange Online – “Purview Audit Premium is included in Office 365 E5 and … Audit (Standard) is available to E3 customers.”

  5. TrustedSec blog: MailItemsAccessed woes – “According to Microsoft, this event is only accessible if you have the Microsoft Purview Audit (Premium) functionality.”

  6. Practical365: Microsoft’s slow delivery of MailItemsAccessed audit event – retention commentary.

  7. O365Info: Manage audit log retention policies – up to 10 years for Premium.

  8. Office365ITPros: Mailbox audit event ingestion issues for E3 users.

  9. RedCanary blog: Entra ID service principals and BEC – “MailItemsAccessed is a very high volume record …”

 

* AI tools were used as a research assistant for this content, but human moderation and writing are also included. The included images are AI-generated.

Record-Breaking BEC Recovery: A Case Study and Future Implications

Posted on by
Reply

Executive Summary

INTERPOL’s recent recovery of over $40 million in a Business Email Compromise (BEC) scam marks a significant milestone in cybercrime prevention. This case study examines the incident, its resolution, and the broader implications for business cybersecurity.

Incident Overview

A Singapore-based commodity firm fell victim to a sophisticated BEC scam, resulting in an unauthorized transfer of $42.3 million to an account in Timor Leste. The scam exploited a common vulnerability in business processes: the manipulation of vendor email communications to redirect legitimate payments.

Resolution

  1. Rapid Reporting: Upon discovery, the victim company promptly alerted local authorities.
  2. International Cooperation: INTERPOL’s Global Rapid Intervention of Payments (I-GRIP) team was activated.
  3. Fund Recovery: $39 million was initially recovered, with an additional $2 million seized during follow-up investigations.
  4. Arrests: Seven suspects were apprehended, demonstrating the effectiveness of international law enforcement collaboration.

Key Takeaways

  • Evolving Threat Landscape: BEC scams continue to pose a significant and growing threat to businesses globally.
  • Importance of Swift Action: Rapid reporting and response were crucial in recovering a substantial portion of the stolen funds.
  • International Cooperation: The success of this operation highlights the effectiveness of coordinated global efforts in combating cybercrime.

Future Implications for BEC Compromises

  1. Adaptive Cybercriminal Tactics:
    • Expect more sophisticated, multi-layered scams designed to evade detection.
    • Potential shift towards higher-volume, lower-value attacks to avoid triggering large-scale investigations.
  2. Enhanced Prevention Strategies:
    • Implementation of AI-driven email authentication systems.
    • Adoption of blockchain technology for transaction verification.
    • Development of more robust and frequent employee training programs.
  3. Advanced Response Mechanisms:
    • Potential development of global, real-time financial transaction monitoring systems.
    • Increased integration of cybersecurity measures within standard business processes.

Recommendations for Businesses

  1. Implement rigorous email authentication protocols.
  2. Establish and regularly update vendor verification procedures.
  3. Conduct frequent, comprehensive cybersecurity training for all employees.
  4. Develop and maintain relationships with local law enforcement and cybersecurity agencies.

Contacting I-GRIP

In the event of a suspected BEC attack:

  1. Immediately contact your local law enforcement agency.
  2. Provide all relevant details of the suspected fraud.
  3. Request that your case be escalated to INTERPOL if it involves international transactions.
  4. For general information on international cybercrime reporting, visit www.interpol.int.

By staying informed and proactive, businesses can significantly mitigate the risks associated with BEC scams and contribute to a more secure global business environment.

All About Credit Union Credential Stuffing Attacks

Posted on by
Reply

Credential stuffing attacks continue to be a grave concern for all organizations worldwide. However, for many Credit Unions and other financial institutions, they represent one of the most significant threats. They are a common cause of data breaches and are involved in some 76% of all security incidents. On average, our honey nets pretending to be Credit Union and other financial services experience targeted credential stuffing attacks several times per week. 

What Is Credential Stuffing?

“Credential stuffing occurs when hackers use stolen information, such as usernames and passwords from database breaches or phishing software from one account, and attempt to gain access to another. The hackers prey on people’s habit of using the same usernames and passwords for multiple sites. Using automated tools, they run large amounts of stolen information across multiple sites looking to find the same usernames and passwords being used elsewhere. Once they find a match, they can monetize the personal and financial information they gather.” (ardentcu.org)

How Common is Credential Stuffing?

Beyond our honey nets, which are completely fake environments used to study attackers, credential stuffing and the damage it causes is quite starteling. Here are some quick facts:

  • It is estimated that automated credential-stuffing attempts makes up 90% of enterprise login traffic in the US. (securityboulevard.com)

  • It’s estimated that credential stuffing costs companies more than $5 billion a year and creates havoc with consumers. (ardentcu.org)

  • According to Akamai’s latest State of the Internet report on credential stuffing, its customers alone were deluged by 30 billion malicious login attempts between November 2017 and June this year, an average of 3.75 billion per month. (theregister.com)

  • Significant credential stuffing attacks are a favorite of professional hacking groups from Russia, India, Asia and Africa. They often gather extensive lists of stolen and leaked credentials through advanced Google hacking techniques, by combing social media for password dumps (so called “credential spills”) and by purchasing lists of exposed credentials from other criminals on the dark web. Lists of member information from compromised online banking, online retailers and business association sites are common. This information often includes names, addresses, bank account numbers/credit card numbers, social security numbers, phone numbers and other sensitive data – enabling credential stuffing and social engineering attacks against victims around the world.

What Can Credit Unions Do About Credential Stuffing?

The key to handling this threat is to be able to prevent, or at the very least, identify illicit login attempts and automate actions in response to failed logins. Cybercriminals use a variety of tools, rented botnets (including specifically built credential stuffing bots) and brute force attacks to pick off less than strong passwords all around the Internet. Then, as we discussed above, they use that stolen information to probe your credit union for the same login credentials. 

The first, and easiest step, in reducing these cybercriminals’ success rate is to teach all of your legitimate users not to use the same password across multiple systems, and NEVER use passwords from public sites like Facebook, LinkedIn, Instagram, Pinterest or Twitter for example, as account credentials at work or on other important sites. Instead, suggest that they use a password manager application to make it simple to have different passwords for every site. Not only does this help make their passwords stronger, but it can even reduce support costs by reducing password reset requests. Ongoing security awareness is the key to helping them understand this issue and the significance their password choices have on the security of their own personal information and that of the company.

Next, the Credit Union should have a complete inventory of every remote login service, across their Internet presence. Every web application, email service, VPN or remote access portal and every single place that a cybercriminal could try or use their stolen credentials to gain an account takeover. Once, the Credit Union knows where login credentials can be used, they should go about preventing abuse and cyberattacks against those attack surfaces. 

The key to prevention should start with eliminating any Internet login capability that is not required. It should then progress to reducing the scope of each login surface by restricting the source IP addresses that can access that service, if possible. Often Credit Unions are able to restrict this access down to specific countries or geographic areas. While this is not an absolute defense, it does help to reduce the impacts of brute force attacks and botnet scans on the login surfaces. 

The single best control for any authentication mechanism, however, is multi factor authentication (MFA) (basically a form of secure access code provided to the user). Wheverever possible, this control should be used. While multi factor authentication can be difficult to implement on some services, it is widely available and a variety of products exist to support nearly every application and platform. Financial services should already be aware of MFA, since it has been widely regulated by FFIEC, NCUA and FDIC guidance for some time.

More and more, however, credential stuffing is being used against web mail, Office 365 and other email systems. This has become so common, that a subset of data breaches called Business Email Compromise now exists and is tracked separately by law enforcement. This form of unauthorized access has been wildly popular across the world and especially against the financial services of the United States. Compromised email addresses and the resulting wire transfer fraud and ACH fraud that stems from this form of credential theft/identity theft are among some of the highest financial impacts today. Additionally, they commonly lead to malware spread and ransomware infections, if the attacker can’t find a way to steal money or has already managed to do so.

No matter what login mechanism is being abused, even when MFA is in place, logging of both legitimate access and unauthorized access attempts is needed. In the event that a security breach does occur, this data is nearly invaluable to the forensics and investigation processes. Do keep in mind, that many default configurations of web services and cloud-based environments (like Office 365) have much of this logging disabled by default. 

While Credit Unions remain prime targets, having good prevention and detection are a key part of strong risk management against credential stuffing. Practicing incident response skills and business recovery via tabletop exercises and the like also go a long way to stengthening your security team’s capabilities.

How Can MicroSolved Help?

Our team (the oldest security firm in the midwest) has extensive experience with a variety of risk management and security controls, including helping Credit Unions inventory their attack surfaces, identify the best multi factor authentication system for their environment, create policies and processes for ensuring safe operations and performing assessments, configuration audits of devices/applications/cloud environments. 

We also scope and run custom tabletop exercises and help Credit Unions build better information security programs. Our team has extensive experience with business email compromise, wire/ACH/credit card fraud prevention, cybercriminal tactics and incident response, in the event that you discover that credential theft has occurred. 

Lastly, our ClawBack data leak detection platform, can help you watch for leaked credentials, find source code and scripts that might contain reuseable account credentials and even hunt down device configurations that can expose the entire network to easy compromise. 

You can learn more about all of our services, and our 28 years of information security thought leadership here.

Lastly, just reach out to us and get in touch here. We’d love to talk with your Credit Union and help you with any and all of these controls for protecting against credential stuffing attacks or any other cybersecurity issue.

Business Email Compromise Attacks on Dealerships

Posted on by
Reply

Business email compromise attacks are a significant threat to car dealerships.

Among the car dealerships we work with, two large threats represent the most significant risks at the moment. The first is ransomware, which we have covered extensively on this blog. The second, business email compromise, we’ve also talked a lot about, but mostly in terms of traditional financial services firms. However, business email compromise is one of the most common cybersecurity attacks today and, according to the FBI’s Internet Crime Complaint Center, costs American firms $1.7 billion in 2019, while worldwide losses might well have reached over $5 billion!

How big is the risk of a business email compromise in a dealership?

Business email compromise attacks occur every single day across a variety of industries. Business email compromises typically occur via two specific attack vectors: phishing and stolen credential reuse. Most of our dealerships have significant controls around phishing, with those detection systems reporting tens to hundreds of attempts per day. While the phishing tools are good enough to stop the vast majority of common phishing attacks, there are some that make it through the network and computer-based defenses. When this happens, it is up to the humans in the dealership to be aware enough of the issue, be paying enough attention and have good enough training to prevent the phishing message from becoming a compromise.

In the second attack vector for business email compromise, attackers reuse stolen or leaked credentials (logins and passwords) that have become available on the Internet. There are several common forums and pastebin-type sites where these credentials are dumped, traded or sold (if you want to learn about a common tool to help monitor for these issues, check out ClawBack) and attackers monitor these sites with various tools. Once they see a leaked set of credentials, they try and use it on the web mail logins of their targets. If the user has the same login and password across many sites (many do), then the attacker may compromise the web mail account and be logged into the corporate email system as the user.

What happens in a typical business email compromise in a dealership?

Once the attacker has access to the email system, they will often spend a little time reading the emails and browsing through any files that the email server maintains. If the system includes chat capabilities, they often read those as well. They do this to learn about the user, their position and what the attacker may be able to use the compromised account to do. If any valuable information is in the email archive or on exposed files, they often steal that data right away for resale.

It’s not uncommon for attackers to set a forwarding address for compromised mail accounts, redirecting copies of emails to themselves so that they can monitor the email activity of the user without logging back into the server – thus reducing their chances of being discovered. If the compromised account doesn’t seem useful to the attacker, they will often use it to send phishing emails to other people in the address book, including other internal users, business partners, customers and the like. These phishing attacks are often highly successful, given that they come from a trusted contact and the attacker can tailor the language and tone of the email to match usual conversations.

Once the attacker gets access to an account that they feel is capable of either gaining them network access (think executives who can make requests of subordinates) or allow them to move money (think about accounts payable, wire, ACH and other banking fraud), they will use the email account to send messages, forms (if available) or other requests to get what they want. Again, these attacks are often highly successful, because the attacker comes from a known account, can tailor the language and tone of the messages, and can use social engineering techniques to apply pressure to the victims in order to get them to do things they might not ordinarily do.

What can dealerships do to prevent business email compromises?

Dealerships can combat business email comprise attacks by ensuring that their phishing and authentication defenses are up to par. They can train their team members to be on guard for messages that apply pressure, declare urgency or ask for unusual activities. The dealership can implement training and protocols for voice validation checks for unusual requests and perform ongoing testing of these types of scenarios to educate and keep their staff on guard.

Dealerships can also be vigilant about their email systems, configuring them to apply controls, ensure that logging and other security measures are in place. They can implement multi-factor authentication. They can have ongoing assessments and penetration testing – including business email comprise-based scenarios.

Reducing the risk is doable, but it does require work, investment and continued vigilance. Attackers only have to be right once, while the security controls and your team have to be right every single time to prevent losses. With incidents ranging from tens of thousands of dollars to hundreds of thousands of dollars in losses – paying attention to business email compromises is critical for dealerships of all sizes.

To learn more about tools, techniques and testing to help your organization prevent, detect and respond to business email compromise attacks, get in touch with our team at SecureDrive Alliance for more information and a free risk discussion today.