Business Email Compromise (BEC) Response and Investigation

With decades of experience investigating BEC scams across a variety of platforms and proprietary forensic tools, Kroll is your ultimate BEC response partner.
Talk to a BEC Expert

Our experts have honed every step of the investigative process and created unique tools for multiple platforms to deliver timely and defensible answers for BEC challenges—from misdirected payments to the compromise of sensitive data or unauthorized access to the greater network environment. 

What is Business Email Compromise?

Business email compromise is the unauthorized access to one or more mailboxes by a threat actor. Threat actors have historically performed BEC attacks in order to commit financial fraud, such as misdirecting payments or wire transfers to an actor-controlled bank account. While financial fraud is still a primary goal, actors are increasingly evolving BEC attacks to gain greater access—from exploring connected SharePoint, OneDrive and Teams areas to pivoting to network environments where they can exfiltrate and sometimes encrypt (ransom) sensitive data. 

Common BEC Attack Vectors and Mitigation Steps

BEC attacks most commonly begin with a phishing email message that contains a malicious attachment or layered redirect links to credential harvesting websites. In recent years, Kroll has observed threat actors evolving their tactics to include:

  • Phishing via voicemail (vishing) and text message (smishing)
  • Multi-factor authentication (MFA) prompt bombing or MFA fatigue
  • Adversary-in-the-middle (AiTM) phishing campaigns where threat actors can steal passwords and hijack active user sessions even with MFA enabled.
  • Leveraging passwords exposed in an unrelated third-party breach, especially in the case of credential reuse (the habit of using the same or similar password for multiple accounts)
  • Exploiting software vulnerabilities to include those in Microsoft Exchange servers 
  • Exploiting access gained in a ransomware attack to compromise email accounts
  • Exfiltrating and deleting cloud data and then ransoming to not release the stolen information

Recently, Kroll experts demonstrated an evolution in threat actor tactics by using the data transfer program Rclone via a compromised M365 account to download a massive number of files from SharePoint—all without remote access to a host. This new tactic, M365 Theft/Extortion, follows a similar threat actor pattern commonly seen in more traditional incident response type matters.

Kroll offers a number of solutions in order to protect your organization from falling victim to a business email compromise attack: 

Full Service BEC Investigations 

Our forensic investigators and analysts can do a full tenant review, including full log analysis where Kroll reviews for suspicious activity related to previously identified indicators of compromise (IOC), as well as foreign logins or access to mailboxes within an email environment, Enterprise mail rule review and a detailed forensic report.

Fixed Fee BEC Solution 

Our experts have created an efficient, budget-friendly automated tool that provides a simplified report of the investigative findings. This tool will answer key questions to help determine the extent of the compromise on an effected account/tenant. 

Fixed Fee BEC
Full Service BEC

Covering the Affected M365 Accounts(s)

Full tenant review for IOCs

Tenant wide (all accounts) log analysis

Optional add-on

Triage for initial compromise vector (phishing email, impersonation, etc.)

Optional add-on

Identification and preservation of unauthorized emails
(auto-forwarded, sent externally by threat actor, etc.)

Optional add-on

Client deliverable

Factual report (spreadsheet)

Narrative report

Pricing structure

Fixed fee

Custom

Suspicious behaviors pattern analysis (impossible travel, etc.)

Unauthorized access evidence

Unauthorized access duration

Access method (IMAP, POP, Web, Mail Client, etc.)

Mailbox sync activity evidence

Search results export

Covering the M365 Enterprise/Tenant(s)

Mailbox rules review

Kroll is a Recognized Global Leader in Business Email Compromise Investigations

Our experts are well-equipped to help you during every step of a BEC investigation. Kroll forensic investigators possess industry-leading forensic training and certifications, including GCFE, CFCE and GCFA, and extensive knowledge of email systems, including Microsoft Azure, Microsoft 365, Exchange and many APIs that can greatly expedite the investigation and uncover hard-to-spot activity. Kroll’s team consists of hundreds of examiners based in more than 16 countries across five continents and can meet varying needs for geographical-based legal requirements for client data storage, as well as residency requirements for examiners handling sensitive data. 

Our team also has litigation support expertise, including several Relativity certifications and global forensic labs, so we can more efficiently and quickly perform managed mailbox review. Additionally, we work closely with 60+ cyber insurance carriers and hundreds of law firms so investigations are protected and move seamlessly. 

Read more business email compromise case studies from our library to see our experts in action.

Take the Proactive Step – Business Email Compromise Prevention and Monitoring

In order to best prepare your organization against a BEC attack, Kroll experts can perform email and cloud security assessments to help harden mailboxes, assist with cloud system configuration and monitoring, and conduct simulated phishing attacks to help educate your staff. Additionally, Kroll Responder provides managed detection and response (MDR) monitoring for Office 365 to flag any suspicious behavior as well as ingest mail logs and survey for malicious activity. 

Business Email Compromise Response via a Retainer 

BEC can often be one aspect of a deeper compromise and may require deeper incident response, litigation support and even data breach notification support. Kroll clients can package full service or fixed fee BEC solutions with Kroll’s Cyber Risk Retainer, which gives you prioritized access to elite investigators and flexibility to allocate incident response resources as well as all other cybersecurity solutions offered by Kroll. 

Stay Ahead

Cyberattacks are evolving by the day. Partner with Kroll to leverage our frontline threat intelligence and experienced incident response professionals in order to keep your organization safe.

Frequently Asked Questions

BEC is the acronym for business email compromise, a form of social engineering in which a threat actor uses email to defraud a person into sending money or sharing confidential company data.


Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.


Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.

Incident Remediation and Recovery Services

Cyber incident remediation and recovery services are part of Kroll’s Complete Response capabilities, expediting system recovery and minimizing business disruption.