October 22, 2025 · 8 min read

Investigating Business Email Compromise: How Modern Attacks Exploit Trust in 2025

Business Email Compromise (BEC) attacks in 2025 have evolved into sophisticated campaigns that exploit Microsoft 365 collaboration tools and organizational trust relationships. Modern attackers use OAuth application abuse, mail flow manipulation, and SharePoint phishing to bypass MFA and establish persistent access. Traditional SOC investigations struggle with fragmented data sources across Microsoft Entra ID, Exchange Online, and SharePoint—requiring complex KQL queries and Graph API expertise that delays incident response. Command Zero's investigation framework solves this by providing pre-built questions that automatically query relevant data sources and map to BEC attack patterns. This approach enables tier-2 analysts to investigate at specialist level without memorizing API endpoints or query languages. Combined with defensive controls like disabling user OAuth consent, implementing phishing-resistant MFA, and monitoring suspicious mail flow patterns, organizations can transform their BEC response from reactive firefighting to proactive threat hunting.

Eric Hulse
Director of Security Research

Introduction

During my years defending networks—from Air Force systems operations through contractor work on offensive and defensive security—I've watched Business Email Compromise evolve from crude wire transfer scams into sophisticated campaigns that weaponize the very collaboration tools organizations depend on. A recent incident documented by Invictus-IR crystallizes what we're seeing in 2025: threat actors who understand not just how to steal credentials, but how to exploit organizational trust relationships at scale.

The fundamental challenge lies in the sophistication gap. These attackers move through Microsoft 365 environments with the operational awareness of seasoned red teamers—establishing OAuth persistence, manipulating mail flow, and leveraging SharePoint's trust model to spread laterally. Meanwhile, most SOC teams are stuck writing custom KQL queries during active incidents, trying to piece together attack timelines from disparate log sources while the compromise spreads.

This is where Command Zero's investigation platform transforms the response equation. Rather than requiring analysts to become Microsoft Graph API experts mid-incident, our platform provides pre-built investigation questions that map directly to BEC attack patterns. Let me walk you through how this works in practice, using the Invictus-IR case as our blueprint.

The Attack Chain: Understanding Modern BEC Tactics

The incident started with something most security awareness training teaches users to trust: a SharePoint collaboration request from a colleague. What made this effective wasn't technical sophistication in the phishing page—it was the abuse of legitimate Microsoft 365 workflows. The victim saw a familiar interface, a trusted sender, and a plausible request. They entered credentials and approved an MFA prompt.

From there, the attacker executed a methodical campaign that reveals deep understanding of Microsoft 365 security monitoring gaps:

Initial foothold establishment: The attacker logged in through the OfficeHome application from Nigeria using stolen tokens. This bypassed MFA because the session token was legitimate—the victim had authenticated it themselves moments earlier. What we find in practice is that organizations focus heavily on preventing credential theft but often lack visibility into post-authentication activity.

Persistence through OAuth abuse: Here's where the attack shifted from opportunistic to strategic. The attacker obtained consent for a malicious OAuth application called "PERFECTDATA SOFTWARE" with mail access permissions. This is critical because OAuth applications maintain access independent of password changes. You can reset the victim's password, enforce new MFA policies, even disable the account temporarily—but that malicious application keeps its permissions until someone explicitly revokes them.

Defense evasion through mail flow manipulation: The attacker created inbox rules redirecting supplier emails to the RSS folder, then escalated to moving ALL incoming mail there. They performed HardDelete operations on sensitive messages. This creates a perfect operational security window—the victim doesn't see responses to the fraudulent invoices, doesn't notice their contacts reporting phishing, and can't easily detect the compromise through normal email behavior.

Impact amplification: The final phase demonstrated why BEC remains so financially damaging. The attacker modified legitimate invoices, shared malicious SharePoint documents with the victim's entire contact network, and sent approximately 1,000 phishing emails within minutes. Each of those recipients saw mail from a trusted colleague with valid digital signatures and SharePoint sharing permissions.

The Investigation Challenge: Why Traditional Approaches Fall Short

When a potential BEC incident hits your SOC, the clock is ticking. Every minute the attacker maintains access increases the blast radius—more phishing emails sent, more accounts potentially compromised, more fraudulent transactions initiated. The expectation is that analysts will quickly determine the scope of compromise and contain the threat.

However, the reality of BEC investigation in Microsoft 365 environments is brutally complex:

Data source fragmentation: Relevant evidence lives across Microsoft Entra ID sign-in logs, Azure AD audit logs, Exchange Online Unified Audit Log, SharePoint activity logs, and mailbox configuration data. Each requires different query syntaxes—KQL for Log Analytics, PowerShell for Exchange Online, Microsoft Graph API calls for OAuth applications. A tier-2 analyst investigating their first BEC case faces a learning curve measured in weeks, not hours.

Query complexity: Even experienced analysts struggle with the specifics. Want to find OAuth application consent grants? You need to query Microsoft Graph Directory Audit logs for "Add app role assignment to service principal" events, correlate those with Unified Audit Log entries, and cross-reference application IDs against known good applications in your environment. That's assuming you know which Graph API endpoints to call and have the correct permissions configured.

Context deficit: Raw log data doesn't explain why events matter. An analyst sees "MailItemsAccessed" events in the Unified Audit Log—are those legitimate user actions or evidence of attacker reconnaissance? They find inbox rules redirecting to the RSS folder—is that a user productivity hack or attacker evasion? Without deep Microsoft 365 operational knowledge, distinguishing normal from malicious requires extensive research during an active incident.

Investigation consistency: Different analysts approach BEC investigations differently. One might focus heavily on authentication anomalies but miss the OAuth application. Another might catch the malicious app but fail to track the full scope of the phishing campaign. There's no standardized methodology ensuring comprehensive coverage of the BEC attack surface.

This creates a disconnect between incident response time objectives and operational reality. Leadership expects rapid containment, but analysts are spending hours figuring out which logs to query, how to structure those queries, and what the results actually mean.

Command Zero's Investigation Framework: Questions That Map to Attack Patterns

The strategic approach acknowledges organizational reality while solving the investigation complexity problem. Rather than expecting every analyst to become a Microsoft 365 security expert, Command Zero provides investigation questions that embed that expertise directly into the investigation workflow.

Each question targets a specific phase of the BEC attack chain and automatically queries the relevant data sources. Let me show you how this maps to the Invictus-IR case:

Detecting OAuth Application Abuse

The question "What application roles were assigned to Microsoft Entra service principals?" directly targets the PERFECTDATA SOFTWARE persistence mechanism. This isn't a simple query—behind the scenes, Command Zero is hitting Microsoft Graph Directory Audit logs for app role assignment events and correlating with Unified Audit Log entries showing permission grants.

What we find in practice is that malicious OAuth applications are the persistence mechanism tier-2 analysts most commonly miss. They reset the compromised account password, thinking that resolves the incident, while the attacker maintains full mail access through the OAuth app. This single question surfaces those applications immediately, showing:

- When the malicious application received consent
- Which account granted that consent (potentially identifying the initially compromised user)
- The specific permissions requested (Mail.Read, Mail.ReadWrite, etc.)
- Whether consent was successfully granted or if there were failed attempts

The question results highlight priority fields that matter most—suspicious application names like "PERFECTDATA SOFTWARE," application IDs not recognized in your environment, and permission grants happening outside business hours or from unusual IP addresses. An analyst who's never investigated OAuth abuse before can now identify it reliably.
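To make the consent-grant check concrete, here is an added Python example (not Command Zero's or Invictus-IR's code) that walks constructed Unified Audit Log records for the two consent operations named above, pulls out the granted scopes, and explains why each grant deserves review. The flat `AppDisplayName`/`AppId` keys and the allow-list GUID are assumptions; `ConsentAction.Permissions`, `ConsentContext.IsAdminConsent` and `AppRole.Value` are the real `ModifiedProperties` names.

```python
"""Flag OAuth consent grants that deserve review, from Unified Audit Log records.

Added example, not Command Zero's or Invictus-IR's code. Records are a constructed,
simplified approximation of the Unified Audit Log (Operation, UserId, ResultStatus,
ModifiedProperties are real fields; the flat AppDisplayName/AppId keys are an assumption).
"""
import re

# Scopes that keep an application inside the mailbox after the user's password is reset.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
               "IMAP.AccessAsUser.All", "full_access_as_user"}
# Constructed allow-list: app IDs the tenant has already reviewed (placeholder GUID).
KNOWN_GOOD_APP_IDS = {"11111111-1111-1111-1111-111111111111"}
CONSENT_OPS = {"Consent to application.", "Add app role assignment to service principal."}

def _prop(record, name, default=""):
    """NewValue of the named ModifiedProperties entry, or default when absent."""
    for p in record.get("ModifiedProperties", []):
        if p.get("Name") == name:
            return p.get("NewValue", default)
    return default

def _scopes_from(record):
    """Granted scopes from either consent operation."""
    # "Consent to application." serialises the grant; its 'Scope: a b c,' field lists them.
    m = re.search(r"Scope:\s*([^,\]]+)", _prop(record, "ConsentAction.Permissions"))
    scopes = set(m.group(1).split()) if m else set()
    role = _prop(record, "AppRole.Value")   # one app role per "Add app role assignment" record
    if role:
        scopes.add(role)
    return scopes

def analyze_consents(records):
    """One finding dict per consent event; 'reasons' is empty when nothing stands out."""
    findings = []
    for r in records:
        if r.get("Operation") not in CONSENT_OPS:
            continue
        f = {"when": r.get("CreationTime", ""), "app_name": r.get("AppDisplayName", "<unknown>"),
             "app_id": r.get("AppId", ""), "granted_by": r.get("UserId", ""),
             "scopes": _scopes_from(r), "succeeded": r.get("ResultStatus") == "Success",
             "admin_consent": _prop(r, "ConsentContext.IsAdminConsent") == "True", "reasons": []}
        if f["app_id"] not in KNOWN_GOOD_APP_IDS:
            f["reasons"].append("application not on the reviewed allow-list")
        mail = sorted(f["scopes"] & MAIL_SCOPES)
        if mail:
            f["reasons"].append("standing mailbox access: " + ", ".join(mail))
        if mail and not f["admin_consent"]:
            f["reasons"].append("mail scopes granted by end-user consent, not by an administrator")
        findings.append(f)
    return findings

def needs_review(records):
    """Only findings with reasons, most reasons first, for analyst triage."""
    return sorted((f for f in analyze_consents(records) if f["reasons"]),
                  key=lambda f: -len(f["reasons"]))

# Constructed sample records; the app name and scopes mirror the case described above.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-10-01T09:15:00", "Operation": "Consent to application.",
     "UserId": "victim@example.com", "ResultStatus": "Success",
     "AppDisplayName": "PERFECTDATA SOFTWARE", "AppId": "22222222-2222-2222-2222-222222222222",
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
         {"Name": "ConsentAction.Permissions", "NewValue": "[] => [[Id: x, ConsentType: Principal, "
          "Scope: Mail.Read Mail.ReadWrite offline_access openid, CreatedDateTime: z]]"}]},
    {"CreationTime": "2025-09-30T14:00:00", "Operation": "Consent to application.",
     "UserId": "admin@example.com", "ResultStatus": "Success",
     "AppDisplayName": "Reviewed HR Connector", "AppId": "11111111-1111-1111-1111-111111111111",
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "True"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[] => [[Id: a, ConsentType: AllPrincipals, Scope: User.Read, CreatedDateTime: b]]"}]},
    {"CreationTime": "2025-10-01T09:20:00", "Operation": "MailItemsAccessed",
     "UserId": "victim@example.com", "ResultStatus": "Succeeded"},
]

if __name__ == "__main__":
    for f in needs_review(SAMPLE_RECORDS):
        print(f["when"], f["app_name"], f["granted_by"], sorted(f["scopes"]), *f["reasons"], sep=" | ")
```

The allow-list is the piece a real deployment has to maintain: an app that is not on it is not necessarily malicious, but one that also carries mail scopes granted by a single user is exactly the persistence the password reset will not remove.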

Tracking SharePoint-Based Phishing Distribution

Two complementary questions target the SharePoint attack vector: "What files were uploaded to Microsoft 365 SharePoint or OneDrive by this application?" and "What files were downloaded from Microsoft 365 SharePoint or OneDrive by this application?"

The upload question catches the initial phishing lure—the fake Microsoft 365 login page shared with the victim's contacts. The download question identifies potential data exfiltration, where the attacker harvests sensitive documents, invoices, or organizational information they can weaponize in social engineering.

The real value lies in the context these questions provide. When results show files uploaded by "app@sharepoint" (indicating an OAuth application rather than a user), that's a strong indicator of automated attack activity. When those files are HTML documents or PDFs containing external links, and they're shared with dozens of recipients immediately after an unusual sign-in, the investigation narrative becomes clear.

This approach empowers analysts to move from "there's suspicious SharePoint activity" to "here's the specific phishing document, here's when it was created, here's who received it, and here's the application that uploaded it"—in minutes rather than hours.

Identifying Compromised Authentication

The question "What users signed in from an unmanaged or non-compliant device to Microsoft Entra ID?" flags the attacker's initial access from Nigeria using VPN infrastructure. Unmanaged devices combined with unusual geographic locations and successful authentication despite conditional access policies are strong compromise indicators.

What makes this question particularly valuable is how it surfaces device compliance context alongside authentication events. An analyst sees not just "user authenticated from Nigeria," but "user authenticated from Nigeria on an unmanaged device using the OfficeHome application with a user-agent string indicating axios/1.11.0"—automated tooling, not a legitimate mobile device.

During my time doing penetration testing and red team operations, I've used VPN services and automated authentication tools extensively. I know what those authentication patterns look like from the attacker's perspective. Command Zero's questions embed that defensive insight, showing analysts exactly which authentication characteristics indicate compromise versus legitimate remote work.

Mapping Phishing Campaign Blast Radius

The question "What users received mail in Microsoft 365 Exchange from this email address?" reveals the full scope of the phishing campaign. In the Invictus-IR case, the attacker sent approximately 1,000 emails. This question identifies all recipients, enabling security teams to:

- Prioritize follow-up investigations based on recipient role and data access
- Notify affected users to check for suspicious authentication or invoice requests
- Assess whether any recipients may have fallen for the phishing lure
- Track potential second-order compromises

The question leverages the MessageTrace API for recent activity (last 10 days) and falls back to Unified Audit Log queries for longer time ranges. This nuance matters because different Microsoft 365 APIs have different retention windows and rate limits. An analyst investigating the incident doesn't need to know these API implementation details—they just ask the question and get comprehensive results.

Uncovering Password Reset Anomalies

The question "When did an administrator fail to reset the password for this user account?" catches attempts by the attacker to lock out legitimate users or, conversely, defensive responses by the security team. Failed password reset attempts are particularly interesting because they often indicate attackers trying to maintain persistent access by preventing remediation actions.

What we find in practice is that sophisticated BEC attackers sometimes target administrator accounts specifically to gain password reset capabilities. They'll compromise a helpdesk account, then use that access to reset passwords for high-value targets like finance team members or executives. This question surfaces both successful and failed resets, showing the full timeline of credential manipulation during the incident window.

Monitoring Mailbox Permission Changes

The question "What user mailboxes have full access rights in Microsoft 365 Exchange?" identifies delegation relationships that attackers may exploit or establish for persistent access. In some BEC cases, attackers grant themselves mailbox permissions to maintain access even after OAuth applications are revoked.

This question reveals both standing delegations (which may have been compromised) and new delegations created during the investigation window (which may be attacker persistence mechanisms). Combined with the OAuth application question, analysts get comprehensive visibility into all persistence vectors the attacker may have established.

Building Investigation Workflows: Chaining Questions Together

The real power emerges when analysts chain multiple questions together to build a complete attack timeline. Here's how this works in practice for a BEC investigation:

Phase 1: Identify initial compromise—Start with sign-in anomaly questions to find unusual authentication from unmanaged devices, VPN services, or high-risk countries. Review password reset attempts around the suspected compromise timeframe. This establishes the initial access vector and compromised accounts.

Phase 2: Assess persistence mechanisms—Query for OAuth application consent grants, mailbox permission changes, and inbox rule creation during the investigation window. This reveals how the attacker maintains access independent of credential resets. In the Invictus-IR case, this would immediately surface the PERFECTDATA SOFTWARE application.

Phase 3: Track attacker actions—Monitor SharePoint file uploads and downloads, email send events, and HardDelete operations. This builds the narrative of what the attacker actually did with their access—reconnaissance, data exfiltration, or fraud operations.

Phase 4: Map blast radius—Use email recipient queries to identify everyone who received phishing emails from the compromised account. Check for additional compromised accounts showing similar activity patterns. This ensures containment covers the full scope of impact.

By following this workflow, analysts move systematically through the investigation without needing to remember which queries to run or which data sources to check. The questions provide the methodology, and the results guide the next investigation step.
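As an added example (not Command Zero's or Invictus-IR's code), the following Python pulls the four phases together over constructed evidence, covering the sign-in, SharePoint and mail-flow indicators from the earlier sections as well: it flags a sign-in that combines an unmanaged device, an unexpected country and an automation client such as axios, tags consent and inbox-rule events as persistence, records HardDelete and `app@sharepoint` uploads as attacker actions, and detects a burst of outbound mail for blast-radius follow-up. The flat event layout, the expected-country list and the bulk-send threshold are assumptions.

```python
"""Assemble a phased BEC timeline from mixed Microsoft 365 evidence.

Added example, not Command Zero's or Invictus-IR's code. Events are a constructed, flat mix of
Entra sign-in and Unified Audit Log attributes; the layout, country list and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"US", "GB"}               # constructed: where staff actually sign in from
AUTOMATION_UA = ("axios/", "python-requests/", "curl/", "go-http-client/")
BULK_SEND_THRESHOLD, BULK_WINDOW = 50, timedelta(minutes=10)
PERSISTENCE_OPS = {"Consent to application.", "Add-MailboxPermission", "New-InboxRule", "Set-InboxRule"}
ACTION_OPS = {"HardDelete", "FileUploaded", "FileDownloaded", "SharingSet"}

def _ts(e):
    return datetime.fromisoformat(e["time"])

def _param(e, name):
    """Value of a named cmdlet parameter on an Exchange admin audit record."""
    return next((p["Value"] for p in e.get("Parameters", []) if p["Name"] == name), "")

def signin_flags(e):
    """Phase 1 indicators on one sign-in; two or more together mark it as suspect."""
    flags = []
    if not e.get("IsManagedDevice"):
        flags.append("unmanaged device")
    if e.get("Country") not in EXPECTED_COUNTRIES:
        flags.append(f"sign-in from {e.get('Country')}")
    if e.get("UserAgent", "").lower().startswith(AUTOMATION_UA):
        flags.append(f"automation client {e['UserAgent']}")
    return flags

def bulk_window(times, threshold=BULK_SEND_THRESHOLD, window=BULK_WINDOW):
    """Densest run of sends: (window start, count) when it reaches threshold, else None."""
    times, best, j = sorted(times), (None, 0), 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        if i - j + 1 > best[1]:
            best = (times[j], i - j + 1)
    return best if best[1] >= threshold else None

def build_timeline(events):
    """Chronological (time, actor, phase, indicator) rows across the four phases above."""
    rows, sends = [], defaultdict(list)
    for e in sorted(events, key=_ts):
        op, user = e["Operation"], e.get("UserId", "")
        if op == "UserLoggedIn":
            flags = signin_flags(e)
            if len(flags) >= 2:
                rows.append((_ts(e), user, "1 initial access", "; ".join(flags)))
        elif op in PERSISTENCE_OPS:
            folder = _param(e, "MoveToFolder")   # inbox rules parking mail in RSS hide replies
            note = f"{op} -> '{folder}'" if folder else f"{op} {e.get('ObjectId', '')}"
            rows.append((_ts(e), user, "2 persistence", note))
        elif op in ACTION_OPS:
            actor = "OAuth app (app@sharepoint)" if user == "app@sharepoint" else user
            rows.append((_ts(e), actor, "3 attacker actions", f"{op} {e.get('ObjectId', '')}"))
        elif op in ("Send", "SendAs"):
            sends[user].append(_ts(e))
    for user, times in sends.items():
        burst = bulk_window(times)
        if burst:
            rows.append((burst[0], user, "4 blast radius", f"{burst[1]} messages sent in {BULK_WINDOW}"))
    return sorted(rows)

# Constructed evidence mirroring the attack chain described above (not real log data).
VICTIM = "victim@example.com"
SAMPLE_EVENTS = [
    {"time": "2025-10-01T09:00:00", "Operation": "UserLoggedIn", "UserId": VICTIM, "Country": "NG",
     "IsManagedDevice": False, "UserAgent": "axios/1.11.0", "Application": "OfficeHome"},
    {"time": "2025-10-01T09:05:00", "Operation": "Consent to application.", "UserId": VICTIM,
     "ObjectId": "PERFECTDATA SOFTWARE"},
    {"time": "2025-10-01T09:12:00", "Operation": "New-InboxRule", "UserId": VICTIM,
     "Parameters": [{"Name": "From", "Value": "supplier@example.net"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"time": "2025-10-01T09:40:00", "Operation": "HardDelete", "UserId": VICTIM, "ObjectId": "Inbox"},
    {"time": "2025-10-01T10:02:00", "Operation": "FileUploaded", "UserId": "app@sharepoint",
     "ObjectId": "https://example.sharepoint.com/sites/finance/Shared%20Documents/Invoice.html"},
] + [{"time": f"2025-10-01T10:10:{i:02d}", "Operation": "Send", "UserId": VICTIM} for i in range(60)]

if __name__ == "__main__":
    for t, actor, phase, note in build_timeline(SAMPLE_EVENTS):
        print(f"{t:%H:%M:%S}  {phase:<19} {actor:<27} {note}")
```

The phase 4 row is the cue to run the recipient query: the burst start time and sender bound the MessageTrace or Unified Audit Log window, and the recipient list from that query becomes the notification and follow-up scope.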

Why This Approach Works: Lessons from 20+ Years in Security Operations

The question-driven investigation framework works because it acknowledges a fundamental truth about security operations: expertise is scarce, and incidents don't wait for training to complete. During my years as a contractor doing information warfare and defensive security, I've seen this pattern repeatedly—organizations hire smart analysts but struggle to give them the operational knowledge they need to investigate complex attacks effectively.

Command Zero solves this by embedding expertise directly into the investigation tool. Each question includes:

Detailed context explaining why the data matters—Not just "here's OAuth consent activity," but "OAuth applications maintain access independent of password changes, making them a critical persistence mechanism in BEC attacks."

MITRE ATT&CK mapping for threat intelligence correlation—Questions link directly to techniques like T1098 (Account Manipulation) or T1566 (Phishing), helping analysts understand how the evidence fits into the broader attack chain.

Optimized queries across multiple data sources—Microsoft Graph, Exchange PowerShell, Azure AD audit logs—all queried automatically with correct API syntax and error handling.

Priority field highlighting—Results emphasize the most security-relevant attributes, focusing analyst attention on suspicious application names, unusual IP addresses, or high-risk permissions rather than overwhelming them with raw log data.

This transforms how tier-2 and tier-3 analysts approach investigations. Instead of spending hours learning API structures and query languages, they focus on the investigative logic—what happened, when did it happen, and what's the impact? The platform handles the technical implementation complexity.

Defensive Recommendations: Preventing BEC Attacks

While Command Zero dramatically improves investigation and response capabilities, preventing BEC attacks requires layered defensive controls. Based on patterns we see across customer environments, here are the highest-impact recommendations:

Disable user OAuth application consent—The single most effective control against OAuth-based persistence is requiring administrator approval for all application consent requests. This forces attackers to compromise an administrator account before establishing OAuth persistence, significantly raising the bar.

Deploy phishing-resistant MFA—The Invictus-IR case involved MFA bypass through session token theft. FIDO2 security keys or Windows Hello for Business resist this attack because the cryptographic authentication cannot be proxied through a phishing page. Even if users enter credentials on a fake login page, the attacker can't complete authentication without the physical security key.

Implement conditional access policies blocking high-risk countries—If your organization has no legitimate business presence in certain geographic regions, block authentication from those locations entirely. In the Invictus-IR case, a policy blocking Nigerian IP ranges would have prevented the initial access, regardless of stolen credentials.

Restrict SharePoint external sharing to approved domains—Many organizations allow unrestricted external sharing, which attackers abuse to spread phishing campaigns. Configure SharePoint to only allow sharing with specific partner domains or disable external sharing entirely for sensitive sites.

Monitor for suspicious mail flow patterns—Deploy mail flow rules that flag messages requesting invoice changes, urgent wire transfers, or payment modifications. Alert on large volumes of outbound messages sent in short time windows, especially outside business hours.
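The first recommendation, disabling user OAuth consent, is a single tenant setting on the Entra `authorizationPolicy` resource. As an added example (not Command Zero's code), this Python audits the JSON that `GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy` returns and builds the matching `PATCH` body; it goes slightly beyond the text by also checking the related `allowUserConsentForRiskyApps` and `allowedToCreateApps` settings. Sending the requests, the `Policy.ReadWrite.Authorization` permission they need, and the separate admin consent request workflow are left to the reader; the two policy documents are constructed.

```python
"""Audit the Entra authorizationPolicy for user OAuth consent and build the fix.

Added example, not Command Zero's code. It reads the JSON that
GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy returns and produces the
PATCH body for the same endpoint; issuing the requests (with Policy.ReadWrite.Authorization)
is left to the caller.
"""
import json

# Built-in permission grant policies Entra assigns to the default user role for self-consent.
USER_CONSENT_LEVELS = {
    "ManagePermissionGrantsForSelf.microsoft-user-default-legacy":
        "any user may consent to any app for any delegated permission",
    "ManagePermissionGrantsForSelf.microsoft-user-default-low":
        "users may consent to verified-publisher apps for low-impact permissions",
}

def audit_consent_policy(policy):
    """(setting, current value, why it matters) per weak setting; empty list means hardened."""
    perms = policy.get("defaultUserRolePermissions", {})
    findings = []
    for pid in perms.get("permissionGrantPoliciesAssigned", []):
        meaning = USER_CONSENT_LEVELS.get(pid, "custom grant policy; review its conditions")
        findings.append(("permissionGrantPoliciesAssigned", pid,
                         f"{meaning}, so a phished user can hand mail scopes to an attacker's app"))
    if policy.get("allowUserConsentForRiskyApps"):
        findings.append(("allowUserConsentForRiskyApps", True,
                         "apps Microsoft has flagged as risky can still receive user consent"))
    if perms.get("allowedToCreateApps", True):
        findings.append(("allowedToCreateApps", True,
                         "any user can register an app, so a compromised account can mint its own client"))
    return findings

def remediation_patch(findings):
    """PATCH body for /policies/authorizationPolicy that fixes exactly what was found."""
    names = {f[0] for f in findings}
    body, role_perms = {}, {}
    if "permissionGrantPoliciesAssigned" in names:
        role_perms["permissionGrantPoliciesAssigned"] = []   # every grant now needs an admin
    if "allowedToCreateApps" in names:
        role_perms["allowedToCreateApps"] = False
    if role_perms:
        body["defaultUserRolePermissions"] = role_perms
    if "allowUserConsentForRiskyApps" in names:
        body["allowUserConsentForRiskyApps"] = False
    return body

# Constructed policy documents: a weak configuration beside the hardened one.
WEAK_POLICY = {
    "id": "authorizationPolicy",
    "allowUserConsentForRiskyApps": True,
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"],
    },
}
HARDENED_POLICY = {
    "id": "authorizationPolicy",
    "allowUserConsentForRiskyApps": False,
    "defaultUserRolePermissions": {"allowedToCreateApps": False, "permissionGrantPoliciesAssigned": []},
}

if __name__ == "__main__":
    found = audit_consent_policy(WEAK_POLICY)
    for setting, current, why in found:
        print(f"{setting} = {current}: {why}")
    print(json.dumps(remediation_patch(found), indent=2))
```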

However, the challenge isn't just implementing these controls—it's maintaining visibility when they fail. No defensive control is perfect. Attackers will find ways around MFA, conditional access policies get misconfigured, and SharePoint sharing restrictions have legitimate business exceptions. This creates a disconnect between the security controls you've deployed and the reality of your attack surface.

What we find in practice is that organizations with strong preventive controls but weak investigation capabilities struggle just as much during incidents as organizations with weak controls overall. You need both prevention and the ability to rapidly investigate when prevention fails.

Conclusion: BEC Has Transformed, So Should Your Response

The BEC attack documented by Invictus-IR demonstrates what security teams face in 2025—adversaries with operational tradecraft, sophisticated persistence mechanisms, and deep knowledge of cloud collaboration platform security gaps. These attackers move faster than most SOC teams can investigate, leveraging the expertise gap to maximize impact before detection.

Command Zero's question-driven investigation framework levels that expertise gap. By providing pre-built questions that map directly to BEC attack patterns, we enable tier-2 analysts to investigate at the level of seasoned specialists. They don't need to memorize Microsoft Graph API endpoints or write complex KQL queries during active incidents. They ask questions in natural language, and the platform translates those into optimized queries across multiple data sources.

This approach empowers teams to move from reactive firefighting to proactive threat hunting. The same questions used during incident response can be run daily to identify early indicators of compromise—suspicious OAuth applications, unusual authentication patterns, or SharePoint sharing anomalies—before they escalate to full-blown fraud attempts.

As we continue to refine this methodology with insights from real-world investigations, the question library expands to cover emerging attack patterns. The Invictus-IR case reinforces techniques we're already tracking, but it also highlights areas where additional questions would provide value—monitoring inbox rule creation patterns, tracking mail folder manipulation, and detecting bulk email operations.

For security teams facing the BEC threat, the path forward is clear: implement strong preventive controls, but don't rely on prevention alone. Build the investigation capability to rapidly detect, scope, and respond to BEC attempts. Command Zero provides that capability, transforming complex investigations into methodical workflows that any analyst can execute effectively.

Book a demo today to see how Command Zero can help identify and investigate BEC in your environment.

---

Additional Resources:
- Invictus-IR BEC Analysis: [Anatomy of a BEC in 2025](https://www.invictus-ir.com/news/anatomy-of-a-bec-in-2025)
- IOC Repository: [Invictus-IR GitHub IOCs](https://github.com/invictus-ir/IOCs/blob/main/IOCs%20-%20Anatomy%20of%20a%20BEC%20in%202025.csv)

*Want to see how Command Zero's investigation framework can transform your BEC response? Contact the Command Zero team to explore our question library and discuss implementation in your security operations environment.*

