Tags: exchange online, bec, microsoft 365, for security teams

Business email compromise: the inbox rules you are not watching

After a mailbox takeover, attackers hide with inbox rules and quietly redirect mail to commit fraud. Here is the persistence to hunt and how to lock mailboxes down.

Attack flow

1. Compromise a mailbox
2. Create a hidden inbox rule
3. Hide or forward replies
4. Hijack a payment thread
5. Redirect the wire

Seen in the wild: Scattered Spider (Octo Tempest), BEC crews

Business email compromise is not really about reading email. It is about controlling a mailbox quietly enough to commit fraud, and the quiet part is usually an inbox rule.

What BEC looks like

An attacker gets into a mailbox through phishing or token theft, then uses that trusted identity to commit fraud: redirecting an invoice, approving a wire, or impersonating an executive. The money moves because the email comes from a real, trusted account.

The persistence you miss

The tell is rarely the login. It is the rules. Attackers create inbox rules that auto-delete or move the replies to their fraudulent threads, so the real user never sees the conversation, and forwarding rules that copy sensitive mail to an external address. These rules survive a password reset, which changes the credential but leaves the mailbox configuration untouched. In ATT&CK terms this is T1564.008, Email Hiding Rules.

How to detect it

Search the Microsoft 365 audit log for New-InboxRule and Set-InboxRule events, especially rules that forward externally, delete messages, or move mail to obscure folders like RSS Feeds. Mailbox auditing plus alerting on external auto-forwarding catches both the persistence and the exfiltration.
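The triage logic described above, as an added example that is not part of the original field note: a small Python hunt that reads the AuditData of New-InboxRule and Set-InboxRule records (the JSON blob each Search-UnifiedAuditLog row carries) and flags external forwarding, message deletion, and moves into folders such as RSS Feeds. The tenant domain contoso.example, the attacker address, the audit records themselves and the extra folder names beyond RSS Feeds are constructed for the example.

```python
"""Flag risky inbox-rule creations and changes in Microsoft 365 audit records.

Each record is the parsed AuditData JSON of a New-InboxRule / Set-InboxRule event,
whose rule settings arrive as a list of {"Name": ..., "Value": ...} parameters.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Assumed tenant domains; any other domain counts as external.
INTERNAL_DOMAINS = {"contoso.example"}
# "RSS Feeds" comes from the note; the other names are assumed additions.
SUSPICIOUS_FOLDERS = {"rss feeds", "rss subscriptions", "archive"}
# Rule parameters that send a copy or the original elsewhere (tuple keeps report order stable).
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Pulls the SMTP address out of values such as "[SMTP:user@domain]" or plain addresses.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)


@dataclass
class Finding:
    user: str
    operation: str
    rule_name: str
    reasons: List[str] = field(default_factory=list)


def _params(record: dict) -> dict:
    """Collapse the record's Parameters list into a name -> value dict."""
    return {p.get("Name", ""): str(p.get("Value", "")) for p in record.get("Parameters", [])}


def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def assess_rule(record: dict) -> Optional[Finding]:
    """Return a Finding when the rule forwards externally, deletes, or parks mail in an odd folder."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return None
    params = _params(record)
    reasons = []
    for name in FORWARD_PARAMS:
        for addr in EMAIL_RE.findall(params.get(name, "")):
            if is_external(addr):
                reasons.append(f"{name} to external address {addr}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage enabled")
    # Folder values can carry a "mailbox:\Folder" prefix; keep only the leaf folder name.
    leaf = params.get("MoveToFolder", "").replace(":", "\\").split("\\")[-1].strip()
    if leaf.lower() in SUSPICIOUS_FOLDERS:
        reasons.append(f"MoveToFolder into {leaf!r}")
    if reasons and params.get("MarkAsRead", "").lower() == "true":
        reasons.append("MarkAsRead set alongside other hiding actions")
    if not reasons:
        return None
    rule_name = params.get("Name") or params.get("Identity") or record.get("ObjectId", "?")
    return Finding(record.get("UserId", "?"), record["Operation"], rule_name, reasons)


def hunt(records: Iterable[dict]) -> List[Finding]:
    return [f for f in (assess_rule(r) for r in records) if f is not None]


# Constructed sample records (not real audit data).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "ap.clerk@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "Vendor updates"},
                    {"Name": "ForwardTo", "Value": "[SMTP:payments-update@mail.attacker.example]"},
                    {"Name": "MoveToFolder", "Value": r"ap.clerk@contoso.example:\RSS Feeds"}]},
    {"Operation": "New-InboxRule", "UserId": "pm.lead@contoso.example",   # benign rule
     "Parameters": [{"Name": "Name", "Value": "Project Falcon"},
                    {"Name": "MoveToFolder", "Value": r"pm.lead@contoso.example:\Projects"},
                    {"Name": "ForwardTo", "Value": "[SMTP:assistant@contoso.example]"}]},
    {"Operation": "MailItemsAccessed", "UserId": "ap.clerk@contoso.example"},  # ignored
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"{f.user} {f.operation} rule={f.rule_name!r}: " + "; ".join(f.reasons))
```

The single-character rule name "." in the first record is deliberate: attackers often give hiding rules blank or punctuation-only names so they are easy to overlook in the Outlook rules dialog, so the report prints the name in quotes rather than trusting it to be readable.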

How to contain and eradicate it

Reset the password and revoke the active sessions and tokens, because, as in any token-theft case, existing sessions stay valid after a password change. Then remove the malicious inbox rules and any forwarding, block external auto-forwarding across the tenant, and enable MFA. Check for added mailbox delegates at both the mailbox and tenant level.

For finance teams

Treat any change to payment details as something to verify out of band, by a known phone number, never by replying to the email thread. That single habit defeats most BEC payoffs.

Practice it

We built a BEC scenario in GraphLattice Range so teams find the hidden inbox rules and contain the session, not just the password.