BEC Response Runbook for SMB Finance and IT Teams

First Hour Actions: Contain, Preserve, Recall, Report

Contain the Incident

Business email compromise (BEC) requires urgency. The first hour sets the stage for recovery and limits the blast radius. Start by securing affected identities. Force sign-out on all active sessions for suspected accounts, reset credentials, and revoke tokens or OAuth consents that may have been abused.

Disable any inbox rules or auto-forwarding that attackers could use to hide activity or siphon information. Restrict or temporarily pause finance workflows that could allow unauthorized payments, such as vendor setup changes and wire transfers, until identity and account integrity is assured.

Preserve Evidence

Ensure that evidence needed for investigation and insurance claims is preserved. Turn on litigation hold or retention for impacted mailboxes in Microsoft 365 to retain mail and attachments. Export audit logs covering sign-ins, mail operations, admin changes, and approval traces. Save message headers and full login logs for forensic analysis and possible law enforcement engagement.
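The containment and preservation steps above, as an added PowerShell example (not Sourcepass's code): it assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an operator holding the required Exchange Online and Entra roles, and a constructed list of suspected accounts and case directory. Evidence is snapshotted before any setting is changed, so the exports still show what the attacker configured.

```powershell
# Added example (not Sourcepass's code). Requires the ExchangeOnlineManagement and
# Microsoft.Graph modules and an operator with Exchange Online and Entra roles.
# $SuspectedUsers and $CaseDir are constructed placeholders.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users.Actions, Microsoft.Graph.Reports
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.RevokeSessions.All", "AuditLog.Read.All", "Directory.Read.All"

$SuspectedUsers = @("ap.clerk@contoso.example", "controller@contoso.example")  # constructed
$CaseDir = "C:\IR\BEC-$(Get-Date -Format 'yyyyMMdd-HHmm')"
New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null

foreach ($upn in $SuspectedUsers) {
    # PRESERVE first: snapshot rules, forwarding and sign-ins before anything is changed
    Get-InboxRule -Mailbox $upn |
        Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder |
        Export-Csv "$CaseDir\$upn-inbox-rules.csv" -NoTypeInformation
    Get-Mailbox $upn |
        Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
        Export-Csv "$CaseDir\$upn-forwarding.csv" -NoTypeInformation
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -All |
        Select-Object CreatedDateTime, IPAddress, AppDisplayName, ClientAppUsed,
            @{n='Country'; e={$_.Location.CountryOrRegion}}, @{n='ErrorCode'; e={$_.Status.ErrorCode}} |
        Export-Csv "$CaseDir\$upn-signins.csv" -NoTypeInformation

    # CONTAIN: invalidate refresh tokens so every device must re-authenticate, then
    # remove the usual persistence (inbox rules, forwarding). Reset the password
    # separately with a temporary value and require MFA re-registration.
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    Get-InboxRule -Mailbox $upn | Disable-InboxRule -Confirm:$false
    Set-Mailbox $upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

    # PRESERVE: litigation hold keeps mail and attachments even if the attacker deletes them
    # (requires a mailbox license that supports hold)
    Set-Mailbox $upn -LitigationHoldEnabled $true
}

# PRESERVE: unified audit log for the suspected accounts (sign-ins, mail ops, admin changes)
$Audit = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $SuspectedUsers -ResultSize 5000
$Audit | Export-Csv "$CaseDir\unified-audit-log.csv" -NoTypeInformation
```

The CSV exports are the artefacts the insurer, counsel and law enforcement will ask for, so keep the case directory read-only once the first hour is over.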

 

Initiate a Recall

Contact your bank’s fraud team immediately. Ask about wire recall procedures or a Financial Fraud Kill Chain request. Prompt engagement with financial partners increases the chances of intercepting an illicit transfer or clawing back funds before settlement.

Report to Appropriate Entities

Report the incident to appropriate authorities and partners early. File a complaint with the FBI’s Internet Crime Complaint Center (IC3) specifically under BEC: IC3 BEC Reporting. Alert internal leadership, legal counsel, and your cyber insurance carrier according to your policy terms. For additional practical defensive context, the UK National Cyber Security Centre’s guidance on BEC provides useful background: NCSC BEC Guidance.

Investigation and Recovery in Microsoft 365 and Beyond

Identity and Access Investigation

Use structured incident checklists to guide your investigation. Microsoft provides generic incident response playbooks that can be adapted to BEC: Microsoft Incident Response Playbooks.

Review Azure AD sign-in logs for indicators of compromise such as impossible travel, use of legacy authentication protocols, suspicious token refresh patterns, or sign-ins from unexpected locations. Perform secure password resets with MFA for users flagged as risky and conduct access reviews for finance mailboxes and shared accounts, removing unnecessary privileges.

Mail Flow and Message Analysis

Audit mail flow settings including inbox rules, transport rules, connectors, and forwarding configurations. Look for signs of look-alike domains, vendor impersonation messages, or messages instructing payment changes. Where possible, quarantine suspicious items across the tenant to prevent further spread or user interaction.
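A tenant-wide review of the mail-flow settings listed above, as an added example (not Sourcepass's code). It assumes an existing Connect-ExchangeOnline session; the output directory and the folder-name pattern used to spot rules that hide mail are constructed.

```powershell
# Added example (not Sourcepass's code). Assumes Connect-ExchangeOnline has been run.
# $Out and the MoveToFolder pattern are constructed; tune them to your tenant.
$Out = "C:\IR\mailflow-review"
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Accepted domains: any target outside this list is an external destination
$Internal = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

function Test-ExternalTarget {
    param($Targets)
    foreach ($t in @($Targets)) {
        if (-not $t) { continue }
        # EXO renders rule targets as '"Name" [SMTP:user@domain]'; keep only the domain
        $domain = (("$t" -split '@')[-1] -replace '[\]\s]', '').ToLower()
        if ($domain -and $domain -notin $Internal) { return $true }
    }
    return $false
}

# 1. Transport rules that copy, redirect or drop mail for the whole tenant
Get-TransportRule | Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.DeleteMessage } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo, CopyTo, DeleteMessage, WhenChanged |
    Export-Csv "$Out\transport-rules.csv" -NoTypeInformation

# 2. Connectors: compare WhenChanged against the incident timeline
Get-InboundConnector  | Select-Object Name, Enabled, SenderDomains, WhenChanged |
    Export-Csv "$Out\inbound-connectors.csv" -NoTypeInformation
Get-OutboundConnector | Select-Object Name, Enabled, SmartHosts, RecipientDomains, WhenChanged |
    Export-Csv "$Out\outbound-connectors.csv" -NoTypeInformation

# 3. Mailbox-level forwarding configured by an admin or via Set-Mailbox
Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Export-Csv "$Out\mailbox-forwarding.csv" -NoTypeInformation

# 4. Inbox rules that send mail externally, delete it, or file it where users rarely look
#    (slow on large tenants: one Get-InboxRule call per mailbox)
$Suspicious = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName | Where-Object {
        (Test-ExternalTarget (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo))) -or
        $_.DeleteMessage -or
        ("$($_.MoveToFolder)" -match 'RSS|Archive|Conversation History|Junk')
    } | Select-Object @{n='Mailbox'; e={$mbx.UserPrincipalName}}, Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
}
$Suspicious | Export-Csv "$Out\suspicious-inbox-rules.csv" -NoTypeInformation
```

Review the CSVs with someone who knows the finance team's legitimate workflows; a rule forwarding invoices to an outsourced bookkeeper looks identical to an attacker's rule until a human confirms it.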

 

OAuth and App Consent Checks

List enterprise applications with permissions to read email or files (for example, scopes like Mail.Read or Files.Read). Revoke any unrecognized application grants. Tighten app consent policies so future OAuth consent for high-risk scopes requires administrative approval.
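The consent review described above, as an added example (not Sourcepass's code) using Microsoft Graph PowerShell. The high-risk scope list and the known-good application list are constructed placeholders; it covers delegated (user-consented) grants, which is where BEC-related mailbox access most often appears.

```powershell
# Added example (not Sourcepass's code). Requires Microsoft.Graph modules.
# $HighRiskScopes and $KnownGood are constructed placeholders.
Import-Module Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All", "Directory.Read.All"

$HighRiskScopes = @("Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Files.Read", "Files.Read.All", "Files.ReadWrite.All")
# appIds your tenant knowingly approved (constructed placeholder value)
$KnownGood = @("00000000-0000-0000-0000-000000000000")

# Delegated grants: Scope is a space-separated string of permission names
$Findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $risky = ($grant.Scope -split ' ') | Where-Object { $_ -in $HighRiskScopes }
    if (-not $risky) { continue }
    $sp = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    [pscustomobject]@{
        GrantId     = $grant.Id
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.PublisherName
        ConsentType = $grant.ConsentType   # 'AllPrincipals' = admin-wide, 'Principal' = a single user
        PrincipalId = $grant.PrincipalId   # the consenting user when ConsentType is 'Principal'
        RiskyScopes = ($risky -join ' ')
        Known       = ($sp.AppId -in $KnownGood)
    }
}
$Findings | Export-Csv "C:\IR\oauth-grants.csv" -NoTypeInformation
$Findings | Where-Object { -not $_.Known } | Format-Table App, Publisher, ConsentType, RiskyScopes -AutoSize

# Revoke grants for apps not on the known-good list (review the CSV with the business first)
$Findings | Where-Object { -not $_.Known } | ForEach-Object {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.GrantId
}
```

Application (app-role) permissions granted to a service principal are a separate object type and are not covered by this listing; check them as well before closing the review.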

 

Vendor and Customer Verification

Verification outside the compromised environment is critical. Contact vendors and customers directly through known, trusted channels to confirm recent payment instruction changes. Notify impacted partners so they can secure their own communications and transactions.

Evidence Collection and Communication

Maintain a structured timeline documenting actions taken, individuals involved, and timestamps. Save screenshots, log exports, and configuration snapshots to aid internal reviews, audits, and possible legal proceedings. Coordinate external communications with counsel to meet contractual and regulatory notification obligations. If data exposure is suspected during the incident, prepare breach notifications in accordance with relevant state laws and insurer requirements.

Prevention Lessons: Controls, Training, and Governance KPIs

Controls to Harden Microsoft 365

Translate lessons from the incident into permanent control improvements:

  • Enforce phishing-resistant MFA for administrative roles and finance users.

  • Block legacy authentication, which bypasses modern controls.

  • Require Conditional Access for high-risk applications used by finance teams.

  • Disable automatic external forwarding by default.

  • Use data loss prevention (DLP) to flag or block outbound messages containing payment instructions.

  • Require dual-approval or multi-party signoff for vendor banking changes.
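Two of the controls above expressed as configuration, as an added example (not Sourcepass's code): tenant-level automatic external forwarding switched off, and a Conditional Access policy that blocks legacy authentication, created in report-only mode so that sign-in logs reveal what would break before it is enforced. The policy display name is constructed.

```powershell
# Added example (not Sourcepass's code). Assumes Exchange Online and Graph sessions
# with the Exchange admin and Conditional Access administrator roles.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Control: disable automatic external forwarding by default.
# The outbound spam policy governs user-created forwarding; the remote domain
# setting covers client-side auto-forward to external addresses.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Control: block legacy authentication. Exchange ActiveSync and "other clients"
# (POP, IMAP, SMTP AUTH, older Office) cannot satisfy MFA, so they are blocked outright.
# Report-only first: review sign-in logs for legitimate legacy clients, then set
# state to "enabled".
$Policy = @{
    displayName = "Block legacy authentication (report-only)"   # constructed name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
```

Exclude a break-glass account from any blocking policy before switching it from report-only to enabled.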

 

Targeted Training for High-Risk Teams

Run targeted phishing simulations for finance, accounts payable, and executive assistants that mimic real BEC tactics like vendor invoice changes and payroll adjustments. Promote a “pause and verify” practice through out-of-band callbacks before any financial change is executed. Provide a simple, easily accessible “How to report suspected BEC” guide and ensure the report-phish button or workflow is highly visible for users.

Governance KPIs to Track

Establish governance KPIs that drive continuous improvement:

  • Phishing report rate for finance and executive users.

  • Time-to-contain incidents from detection to containment actions.

  • Number of fraudulent payment attempts blocked through controls or training.

  • Percentage of finance users protected by risk-based access policies.

  • Quarterly vendor risk assessment coverage, including banking change verification processes.

Review these KPIs regularly with IT and finance leadership. Conduct quarterly tabletop exercises to reinforce the runbook and refine roles, responsibilities, and decision paths. Anchor your playbook to authoritative references such as the IC3 BEC reporting page and NCSC guidance.

Treat BEC as a business risk with executive accountability, not just an IT incident. With a practiced runbook, clear controls, and measurable governance, your first hour of response becomes disciplined, effective, and aligned to recovery and resilience.

FAQ

What is business email compromise (BEC)?

Business email compromise is a type of fraud where attackers impersonate trusted internal or external contacts to manipulate users into transferring funds, changing payment details, or disclosing sensitive information. BEC often bypasses traditional phishing filters because it leverages social engineering within legitimate email systems.

What should be done in the first hour of detecting a BEC incident?

The first hour should focus on containment, preservation of evidence, initiating recall efforts, and reporting to authorities and partners. Containment involves securing compromised accounts and disabling malicious rules. Preservation includes retaining logs and mail for investigation, while recall means contacting banks before funds are settled.

How can Microsoft 365 tools help investigate a BEC attack?

Microsoft 365 provides audit logs, sign-in records, mailbox rule inventories, and admin change histories that help investigators reconstruct events. Azure AD logs can reveal anomalous sign-in patterns, while Exchange Online audit logs show mail flow changes and forwarding rules. Using structured incident response playbooks helps ensure consistency.

What controls help prevent future BEC incidents?

Key controls include phishing-resistant multifactor authentication (MFA), Conditional Access policies, blocking legacy auth, data loss prevention for sensitive outbound content, and dual-approval processes for vendor banking changes. Regular review of OAuth app permissions also reduces the risk of persistent API access.

Why is governance and KPI tracking important after a BEC incident?

Governance and KPIs help your organization understand risk trends, validate the effectiveness of controls, and demonstrate continuous improvement. Tracking report rates, containment times, blocked attempts, and user protection levels keeps accountability clear and budgets aligned with risk reduction.

When should tabletop exercises be conducted?

Conduct tabletop exercises quarterly or after significant changes to systems, staff, or controls. These simulations help teams rehearse response steps in a low-stress environment, uncover gaps in runbooks, and integrate lessons into operational practice.