IR Hotline Numbers:

+44 20 3318 1470
+60 154 877 0076
+61 2 7908 1745
+65 3165 8788
caution icon

Experienced a breach? Reach us now

company logo
Responding to Office 365 Business Email Compromise

Responding to Office 365 Business Email Compromise

With more than 50% of all global businesses already using Office 365 and demand going strong, cybercriminals have been targeting these accounts as they are the perfect gateway to any organisation and data. In a recent report, 1.5 million malicious and spam emails were sent from thousands of compromised Office 365 accounts in March 2019 alone.

At Pragma, our Incident Response department has investigated various Office 365 attacks. Apart from phishing emails, our team witnessed stolen passwords from the same user's personal account, brute force attacks and credential stuffing.

In this article, we take you through a case study of a common Office 365 Business Email Compromise attack (O365 BEC), where a cybercriminal hacked into a vendor's account to trick its victim into depositing funds based fake invoices.

The Incident

When an Accounts Director at an International Estate Agent company received an email message about a voicemail from a recognised contact, they clicked the link to see a recognisable Office 365 website. After logging into their account, the link had expired, so they didn’t think much of it.

A month later, after making several payments to creditors, as was perfectly normal, they discovered that the money had been sent to the wrong bank account, and the balance was still outstanding. Worse still, the creditor cut off their services due to lack of payment leaving them unable to conduct basic functionality. Only when the victim raised an issue regarding the removal of services was it identified that payment had been made to a fraudster.

Pragma Investigates

Pragma was engaged to investigate the incident, and immediately began remote analysis on the affected user’s account. It was quickly identified that the ‘Threat Actor’ had gained access to the account nearly one month earlier and had placed inbox rules on the account which resulted in emails from the service provider to the victim being immediately marked as read and forwarded to the ‘archive’ folder.

The Threat Actor has registered a domain in a name almost un-noticeably different to the true creditor, and from an email extremely similar to the true email address, began to converse about payments that were due soon.

Once the bill was due, the Threat Actor tricked the victim that they had been a victim of a bank account compromise and advised them not to make any payment until new bank details were provided. These followed a day later, and the victim unknowingly settled the bill to the Threat Actor.

Next Steps

  • Pragma immediately worked with the IT service provider to remove the malicious inbox rules and assisted in ensuring that the Threat Actor was expelled from the account.
  • The entire organisation’s O365 tenant was scanned to identify indications of further malicious activity.
  • A review of email activity was conducted to identify any other communication ongoing from the Threat Actor using alternative email addresses to obtain further payment.
  • Root cause analysis was carried out to locate the cause of the incident and ensure that no other colleagues had fallen victim to the same attack.
  • A subsequent review of Personally Identifiable Information (PII) was also required to identify what information had been available to the Threat Actor during the attack. This was required in the reporting of the incident to the relevant bodies and the Information Commissioner's Office (ICO).

Are you affected by an O365 attack?

If you suspect or experience a similar incident, do not hesitate to get professional help. The Threat Actor may still be in your system causing further damage.

Reach out to our Incident Response specialists at [email protected] or contact us here.


Office 365
Business Email Compromise
Compromised Accounts
Phishing Emails
Stolen Passwords
Brute Force Attacks
Credential Stuffing
Case Study
Incident Response
Vendor Account
Fake Invoices
Phishing Link
Remote Analysis
Malicious Inbox Rules
Threat Actor
Domain Registration
Bank Account Compromise
Payment Fraud
IT Service Provider
Tenant Scanning
Root Cause Analysis
Personally Identifiable Information
Incident Reporting

Join the Pragma Community Today



Cyber Advisory

Technology Risk

Compliance, Conduct, and Regulatory Risk

IT Audit


Pragma Logo

Terms & conditions

Privacy Policy