When a Business Email Compromise is suspected, ad-hoc responses cost time and evidence. This checklist gives IT and security teams a repeatable sequence aligned to the standard incident-response phases: contain, preserve, investigate, eradicate, recover, and report. Adapt it into your runbook.
Phase 1 — Contain (first 30–60 minutes)
- Block sign-in for the affected account(s) in the Microsoft 365 admin center. Blocking sign-in stops new authentications only; it does not invalidate sessions the attacker already holds.
- Revoke active sessions in Microsoft Entra ID to invalidate stolen refresh tokens. Note that access tokens already issued remain valid until they expire (roughly an hour by default), so expect a short tail of activity after revocation and keep monitoring.
- Reset the password to a unique value and require MFA re-registration so any attacker-added authenticator is dropped. Communicate the new credentials out-of-band (phone or in person), never through the mailbox under investigation.
- Delete any app passwords: they are not invalidated by a password reset, and each one is a standing legacy-auth bypass of MFA. Recreate one only if a legacy client genuinely still needs it.
- If money is in flight, contact the bank to attempt a same-day recall.
Phase 2 — Preserve evidence
- Confirm Unified Audit Logging is enabled (it is on by default for most tenants, but verify before you rely on it). Default retention is limited (180 days under the standard tier at the time of writing), so export what you need now rather than assuming it will still be there later.
- Place the mailbox on Litigation Hold / eDiscovery hold so deleted items are retained.
- Export the relevant audit logs and a copy of the mailbox before remediation.
- Record a timeline of your own response actions (who did what, when, in UTC).
Phase 3 — Investigate
- Pull Entra ID sign-in logs: identify anomalous IPs, impossible-travel events, and the AiTM/token-theft pattern. The tell-tale shape is a successful sign-in with MFA satisfied from an unfamiliar IP and device shortly after the user's own legitimate sign-in; the user really did complete MFA, on a proxy page, and the attacker replayed the resulting session.
- Review MailItemsAccessed events to scope what mail the attacker read or exported. The events are aggregated, so use OperationCount and the listed folders rather than counting rows; if the events are absent, check your audit licensing tier before concluding nothing was read.
- Enumerate inbox rules, mailbox forwarding, and transport rules; flag any ForwardTo, ForwardAsAttachmentTo, or RedirectTo, any ForwardingSmtpAddress set on the mailbox, and keyword-based rules (for example on "invoice", "payment", or "wire") that move messages to an obscure folder or mark them as read. Transport rules require admin rights, so a malicious one implies a compromised or escalated admin.
- Check OAuth application consents granted by the user; a consented app with mail scopes survives a password reset and session revocation.
- Build a single, correlated timeline: initial access → persistence → reconnaissance → fraud.
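The correlation the Phase 3 steps describe, as an added example that is not part of the original checklist or the BreachLens product: a small Python script that reads the AuditData JSON column of a Unified Audit Log export (one object per line), flags successful sign-ins from IPs outside a known baseline, summarises MailItemsAccessed by source IP, detects forwarding/hiding rule changes and OAuth consents, and emits one ordered timeline plus an IOC set. The log lines and the baseline IP set are constructed for this example; the field names (CreationTime, Operation, ClientIP / ClientIPAddress, Parameters, OperationCount, Folders, ObjectId) follow the Unified Audit Log schema, but real records carry many more fields than shown here, and the AiTM heuristic (a new-IP success within 30 minutes of a baseline-IP success) is an assumption you should tune to your tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: AuditData JSON objects from a UAL export, one per line. Not real tenant data.
SAMPLE_AUDITDATA = r"""
{"CreationTime":"2024-05-06T08:02:11","Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"victim@contoso.example","ClientIP":"203.0.113.10"}
{"CreationTime":"2024-05-06T08:03:40","Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"victim@contoso.example","ClientIP":"198.51.100.77"}
{"CreationTime":"2024-05-06T08:03:55","Operation":"UserLoggedIn","ResultStatus":"Failed","UserId":"victim@contoso.example","ClientIP":"192.0.2.200"}
{"CreationTime":"2024-05-06T08:05:02","Operation":"MailItemsAccessed","UserId":"victim@contoso.example","ClientIPAddress":"198.51.100.77","MailAccessType":"Bind","OperationCount":42,"Folders":[{"Path":"\\Inbox"}]}
{"CreationTime":"2024-05-06T08:09:30","Operation":"MailItemsAccessed","UserId":"victim@contoso.example","ClientIPAddress":"198.51.100.77","MailAccessType":"Bind","OperationCount":17,"Folders":[{"Path":"\\Sent Items"}]}
{"CreationTime":"2024-05-06T08:11:15","Operation":"New-InboxRule","UserId":"victim@contoso.example","ClientIP":"198.51.100.77:62110","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;wire;payment"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2024-05-06T08:12:40","Operation":"Set-Mailbox","UserId":"victim@contoso.example","ClientIP":"198.51.100.77:62110","Parameters":[{"Name":"Identity","Value":"victim@contoso.example"},{"Name":"ForwardingSmtpAddress","Value":"smtp:payments@external.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-05-06T08:20:00","Operation":"Consent to application.","UserId":"victim@contoso.example","ClientIP":"198.51.100.77","ObjectId":"00000000-0000-4000-8000-000000000042"}
{"CreationTime":"2024-05-06T09:00:00","Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"victim@contoso.example","ClientIP":"203.0.113.10"}
"""
# Assumed baseline: IPs seen for this user in the 30 days before the suspected compromise.
KNOWN_IPS = {"203.0.113.10"}

# Cmdlet parameters that move mail out of the owner's sight (the persistence layer of a BEC).
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "New-TransportRule", "Set-TransportRule"}

def load_records(text):
    """Parse one AuditData JSON object per line and return them in time order (UAL times are UTC)."""
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(recs, key=lambda r: r["CreationTime"])

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def client_ip(rec):
    """Exchange cmdlet records use ClientIP (often with a source port); MailItemsAccessed uses ClientIPAddress."""
    ip = rec.get("ClientIP") or rec.get("ClientIPAddress") or ""
    if ip.startswith("["):                                   # "[2001:db8::1]:443"
        return ip[1:ip.index("]")]
    return ip.split(":")[0] if ip.count(":") == 1 else ip    # "198.51.100.77:62110" -> "198.51.100.77"

def params(rec):
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}

def flag_signins(recs, known_ips, window=timedelta(minutes=30)):
    """Successful sign-ins from outside the baseline. A new-IP success within `window` of a
    baseline-IP success is the AiTM/token-replay shape: MFA was completed by the user, then
    the proxied session was used from the attacker's address (heuristic, tune per tenant)."""
    successes = [r for r in recs if r["Operation"] == "UserLoggedIn" and r.get("ResultStatus") == "Success"]
    flagged = []
    for r in successes:
        ip = client_ip(r)
        if ip in known_ips:
            continue
        t = parse_time(r["CreationTime"])
        paired = any(client_ip(o) in known_ips and abs(parse_time(o["CreationTime"]) - t) <= window
                     for o in successes)
        flagged.append({"time": r["CreationTime"], "ip": ip, "aitm_pattern": paired})
    return flagged

def suspicious_rules(recs):
    """Inbox, mailbox or transport rule changes that forward, redirect, delete or hide mail."""
    found = []
    for r in recs:
        if r["Operation"] not in RULE_OPS:
            continue
        p = params(r)
        hits = [k for k in p if k in EXFIL_PARAMS or k in HIDE_PARAMS]
        if not hits:
            continue
        found.append({"time": r["CreationTime"], "op": r["Operation"], "ip": client_ip(r),
                      "name": p.get("Name") or p.get("Identity", ""),
                      "exfil_targets": [p[k] for k in p if k in EXFIL_PARAMS],
                      "hide": [k for k in hits if k in HIDE_PARAMS],
                      "keywords": [p[k] for k in p if k in KEYWORD_PARAMS]})
    return found

def mail_access_by_ip(recs):
    """Scope what was read. MailItemsAccessed is aggregated: OperationCount is the item count."""
    summary = defaultdict(lambda: {"items": 0, "folders": set()})
    for r in recs:
        if r["Operation"] != "MailItemsAccessed":
            continue
        s = summary[client_ip(r)]
        s["items"] += int(r.get("OperationCount", 0))
        s["folders"].update(f.get("Path", "") for f in r.get("Folders", []))
    return dict(summary)

def build_timeline(recs, known_ips):
    """initial access -> reconnaissance -> persistence, as sorted (time, phase, detail) tuples."""
    events = []
    for s in flag_signins(recs, known_ips):
        tag = " (AiTM/token-replay pattern)" if s["aitm_pattern"] else ""
        events.append((s["time"], "initial access", f"sign-in from new IP {s['ip']}{tag}"))
    for r in recs:
        ip = client_ip(r)
        if r["Operation"] == "MailItemsAccessed" and ip not in known_ips:
            folders = ", ".join(sorted(f.get("Path", "") for f in r.get("Folders", [])))
            events.append((r["CreationTime"], "reconnaissance",
                           f"{r.get('OperationCount', 0)} items read in {folders} from {ip}"))
        elif r["Operation"] == "Consent to application.":
            events.append((r["CreationTime"], "persistence",
                           f"OAuth consent granted to app {r.get('ObjectId', '?')} from {ip}"))
    for rule in suspicious_rules(recs):
        detail = f"{rule['op']} '{rule['name']}' from {rule['ip']}"
        detail += " forwarding to " + ", ".join(rule["exfil_targets"]) if rule["exfil_targets"] else ""
        detail += " hiding via " + ", ".join(rule["hide"]) if rule["hide"] else ""
        detail += " matching " + "; ".join(rule["keywords"]) if rule["keywords"] else ""
        events.append((rule["time"], "persistence", detail))
    return sorted(events)

def iocs(recs, known_ips):
    """Attacker IPs and forwarding targets to block, hunt for across other mailboxes, and report."""
    rules = suspicious_rules(recs)
    ips = {s["ip"] for s in flag_signins(recs, known_ips)}
    ips |= {ip for ip in mail_access_by_ip(recs) if ip not in known_ips}
    ips |= {r["ip"] for r in rules if r["ip"] not in known_ips}
    return {"ips": ips, "forwarding_targets": {a for r in rules for a in r["exfil_targets"]}}

if __name__ == "__main__":
    records = load_records(SAMPLE_AUDITDATA)
    for t, phase, detail in build_timeline(records, KNOWN_IPS):
        print(f"{t}Z  {phase:15}  {detail}")
    print(iocs(records, KNOWN_IPS))
```

Run against a real export by replacing SAMPLE_AUDITDATA with the AuditData column of your Search-UnifiedAuditLog or compliance-portal export and KNOWN_IPS with the user's sign-in IPs from before the incident window. Note the failed sign-in from 192.0.2.200 is deliberately not flagged: failures are noise for initial-access scoping but still belong in the IOC list if they cluster with the confirmed attacker IP.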
Phase 4 — Eradicate
- Remove malicious inbox/transport rules and forwarding addresses.
- Revoke suspicious OAuth app grants.
- Confirm no secondary accounts were created or escalated, and that no new MFA methods, devices, or admin role assignments were added to the compromised account during the incident window.
Phase 5 — Recover
- Re-enable the account once clean; verify MFA and conditional-access policies.
- Notify internal and external recipients of any fraudulent messages sent from the account.
- Harden: enforce phishing-resistant MFA, tighten conditional access, disable legacy auth.
Phase 6 — Report & document
- File with the FBI IC3 (ic3.gov) if fraud occurred; notify your cyber-insurance carrier.
- Assess legal/regulatory breach-notification obligations from the data accessed.
- Produce a final forensic report with the timeline and indicators of compromise.
Phase 3 is where most investigations stall — manually correlating sign-in logs, mailbox-access events, and rule changes across thousands of rows. BreachLens automates that correlation from an uploaded M365 log and outputs the timeline and IOCs for you.