Mailbox triage — the first 15 minutes
BEC incidents require immediate, targeted intervention in the identity layer: the compromised mailbox and every credential, token and app grant that can reach it. The attacker's goal is typically financial — redirecting payments, extracting data, or establishing persistent access for future exploitation.
Check for unauthorised inbox rules first. Forwarding rules are the most common persistence mechanism — attackers create rules that forward emails containing "invoice", "payment", "wire", or "transfer" to an external address or the RSS Subscriptions folder where they are invisible to the user.
- Check all inbox rules — forwarding, redirect, move, and delete rules
- Check sent items and deleted items for emails the attacker sent
- Review recent email activity for messages the user does not recognise
- Check whether the attacker replied to any existing email threads
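The rule checks above can be scripted against an export of the mailbox's rules. The following is an added example, not part of this runbook: it scores each rule for the indicators listed (external forwarding or redirect, delete, moves into the RSS Subscriptions folder, finance keywords, a one-character name). Records follow the shape of the Microsoft Graph messageRule resource; the internal domain list, the folder names (Graph returns a folder ID, so name resolution is assumed to have happened upstream) and the sample rules are constructed.

```python
"""Triage inbox rules for BEC persistence indicators.

Added example (not the runbook's own code). Input records are shaped
after the Microsoft Graph `messageRule` resource; sample data below is
constructed for illustration.
"""
from __future__ import annotations

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own domains
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "transfer")
# folders attackers use to park mail where the user will not look
HIDING_FOLDERS = ("rss subscriptions", "rss feeds", "conversation history", "junk")


def _addresses(recipients) -> list[str]:
    """Flatten Graph recipient objects to lower-case SMTP addresses."""
    return [r["emailAddress"]["address"].lower() for r in recipients or []]


def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def assess_rule(rule: dict) -> list[str]:
    """Return indicator strings for one inbox rule; an empty list means nothing flagged."""
    findings = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # 1. forwarding / redirect to an address outside the tenant
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        ext = [a for a in _addresses(actions.get(key)) if _is_external(a)]
        if ext:
            findings.append(f"{key} external: {', '.join(ext)}")

    # 2. actions that hide replies from the user
    if actions.get("delete"):
        findings.append("deletes matching mail")
    folder = (actions.get("moveToFolder") or "").lower()  # assumed pre-resolved to a name
    if any(h in folder for h in HIDING_FOLDERS):
        findings.append(f"moves to hiding folder '{actions['moveToFolder']}'")
    if actions.get("markAsRead"):
        findings.append("marks matching mail as read")

    # 3. conditions keyed on payment language
    keywords = [
        k.lower()
        for k in conditions.get("subjectContains", []) + conditions.get("bodyOrSubjectContains", [])
    ]
    hits = sorted({f for f in FINANCE_KEYWORDS for k in keywords if f in k})
    if hits:
        findings.append(f"finance keywords: {', '.join(hits)}")

    # 4. attacker rules are often named "." or ".." to stay unobtrusive
    name = rule.get("displayName", "").strip()
    if len(name) <= 2:
        findings.append(f"suspicious short name {name!r}")
    return findings


def triage_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map rule display name to its findings, keeping only flagged rules."""
    report = {}
    for rule in rules:
        findings = assess_rule(rule)
        if findings:
            report[rule.get("displayName", "<unnamed>")] = findings
    return report


SAMPLE_RULES = [  # constructed sample data: one benign rule, two attacker-style rules
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters", "stopProcessingRules": True}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["invoice", "wire transfer", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ops.billing@mail-drop.example.net"}}],
                 "moveToFolder": "RSS Subscriptions", "markAsRead": True}},
    {"displayName": "Cleanup", "isEnabled": True,
     "conditions": {"senderContains": ["bank"]},
     "actions": {"delete": True}},
]

if __name__ == "__main__":
    for name, findings in triage_rules(SAMPLE_RULES).items():
        print(f"[{name}]")
        for f in findings:
            print(f"  - {f}")
```

Run it against the real export rather than the sample list; a rule that trips only the "delete" check still deserves a look, since deleting bank notifications is how an attacker keeps the victim from noticing a changed payment.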
OAuth and application review
Attackers increasingly maintain persistence not by keeping the password, but by granting a malicious OAuth application permission to read the mailbox. This survives password resets. Review the compromised user's app consents and revoke any application you do not recognise.
In Microsoft 365, check Enterprise Applications and User Consent grants. In Google Workspace, check Third-party app access. Any application with Mail.Read, Mail.ReadWrite, or full mailbox access that was not explicitly approved by IT should be revoked immediately.
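The consent review can be reduced to a policy check over the tenant's grant list. The following is an added example, not part of this runbook: it flags any grant whose scopes include mailbox access and whose client is not on an IT-maintained allowlist, and lists tenant-wide (admin-consented) grants first because those affect every user, not just the victim. Records follow the shape of the Microsoft Graph oAuth2PermissionGrant resource, with Google Workspace Gmail scopes added so one check covers both platforms; the allowlist, the appDisplayName field (assumed resolved from the service principal upstream) and the sample grants are constructed.

```python
"""Flag OAuth consent grants that give mailbox access without IT approval.

Added example (not the runbook's own code). Records follow the shape of
the Microsoft Graph `oAuth2PermissionGrant` resource; allowlist and
sample grants are constructed.
"""
from __future__ import annotations

MAILBOX_SCOPES = {
    # Microsoft Graph / Exchange delegated permissions that read or send mail
    "Mail.Read", "Mail.ReadBasic", "Mail.ReadWrite", "Mail.Send",
    "Mail.Read.Shared", "Mail.ReadWrite.Shared", "MailboxSettings.ReadWrite",
    "IMAP.AccessAsUser.All", "POP.AccessAsUser.All", "EWS.AccessAsUser.All",
    # Google Workspace Gmail scopes
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

APPROVED_CLIENTS = {  # assumption: IT-maintained allowlist of client (app) IDs
    "00000000-0000-0000-0000-00000000aaaa": "Outlook mobile (approved)",
}


def mailbox_scopes(scope_string: str) -> list[str]:
    """Space-separated scope string -> sorted list of the mailbox scopes it contains."""
    return sorted(set(scope_string.split()) & MAILBOX_SCOPES)


def review_grants(grants: list[dict], approved: dict = APPROVED_CLIENTS) -> list[dict]:
    """Return the grants to revoke: unapproved client with at least one mailbox scope."""
    to_revoke = []
    for g in grants:
        scopes = mailbox_scopes(g.get("scope", ""))
        if not scopes or g["clientId"] in approved:
            continue
        to_revoke.append({
            "grantId": g["id"],
            "clientId": g["clientId"],
            "appName": g.get("appDisplayName", "<unknown>"),  # assumed resolved upstream
            # "AllPrincipals" = admin consent for the whole tenant; "Principal" = one user
            "tenantWide": g.get("consentType") == "AllPrincipals",
            "principalId": g.get("principalId"),
            "mailboxScopes": scopes,
        })
    # tenant-wide grants first: they expose every mailbox, not only the victim's
    to_revoke.sort(key=lambda r: (not r["tenantWide"], r["appName"]))
    return to_revoke


SAMPLE_GRANTS = [  # constructed sample data
    {"id": "g1", "clientId": "00000000-0000-0000-0000-00000000aaaa",
     "appDisplayName": "Outlook mobile", "consentType": "Principal",
     "principalId": "victim-user-id", "scope": "Mail.ReadWrite User.Read"},
    {"id": "g2", "clientId": "11111111-1111-1111-1111-111111111111",
     "appDisplayName": "PDF Viewer Pro", "consentType": "Principal",
     "principalId": "victim-user-id", "scope": "offline_access Mail.Read Mail.Send User.Read"},
    {"id": "g3", "clientId": "22222222-2222-2222-2222-222222222222",
     "appDisplayName": "Timesheet", "consentType": "Principal",
     "principalId": "victim-user-id", "scope": "User.Read"},
    {"id": "g4", "clientId": "33333333-3333-3333-3333-333333333333",
     "appDisplayName": "Mail Sync Helper", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Mail.ReadWrite.Shared IMAP.AccessAsUser.All"},
]

if __name__ == "__main__":
    for item in review_grants(SAMPLE_GRANTS):
        where = "TENANT-WIDE" if item["tenantWide"] else f"user {item['principalId']}"
        print(f"revoke {item['grantId']} {item['appName']!r} ({where}): {item['mailboxScopes']}")
```

Note that "offline_access" on its own is not flagged, but combined with a mailbox scope it means the app holds a refresh token, which is exactly what outlives a password reset; revoking the grant (and the app's refresh tokens) is what actually closes that path.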
Session and credential reset
Reset the compromised user's password AND immediately revoke all active session tokens across all devices. A password reset alone is not sufficient — existing sessions remain valid until the tokens expire, which can be hours or days.
In Microsoft 365: reset password, then revoke sessions via Entra ID. In Google Workspace: reset password, then sign out all sessions. Also reset the password for any other accounts that share the same password (this is depressingly common).
Financial impact assessment
Determine whether the attacker successfully redirected any payments or issued fraudulent payment instructions. Check with the finance team for any recent requests to change bank details, urgent wire transfers, or gift card purchases. If a payment was redirected, contact the receiving bank immediately — recovery chances decrease dramatically after 24 hours.
Notification and communication
If the attacker accessed or exfiltrated sensitive data, assess notification obligations under the Notifiable Data Breaches scheme. If payment fraud occurred, file a report with the Australian Cyber Security Centre (ACSC) and notify your cyber insurance provider.
Communicate clearly with affected staff — explain what happened, what was accessed, and what they need to do (e.g., be alert for phishing attempts using information from the compromised mailbox).
