Investigating a complex business email compromise attack - Redscan

Investigating a sophisticated business email compromise attack on an insurance provider

Concerned about the impact of a business email compromise (BEC) attack, which resulted in an attempt to defraud one of its customers out of nearly £300k, a leading independent insurance broker approached Redscan to investigate the source and scope of the attack.

Case Study

The Incident


  • High volumes of sensitive data
  • Compromised by cybercriminal
  • Victim of Business Email Compromise

As a specialist firm providing insurance advice for high value business mergers and acquisitions, Redscan’s client processes a wealth of sensitive data.

Despite maintaining a high level of security, the firm discovered that it had been compromised by a cybercriminal and that its email had been used as a platform for a Business Email Compromise (BEC) attack: the attacker attempted to trick one of its clients into paying two open invoices, worth close to £300k in total, into an alternate bank account.

Fortunately, on this occasion, the attack was detected before any payment was made: a vigilant member of staff at the client company insisted on verbally verifying the new bank details that had been supplied, and the alarm was raised.

Nevertheless, the firm was keen to understand the extent of the compromise and how to safeguard against similar threats.

In need of support from an expert cyber security company to help shed light on events surrounding the attack, the firm turned to Redscan, a leading provider of threat detection and response services, to conduct a full forensic investigation.

The Investigation


  • Analysis of email logs
  • Identification of point of compromise
  • Discovery of client firm targeting
  • Tracing of attack source

The initial focus of Redscan’s assessment was analysis of email logs relating to the Office 365 accounts suspected of having been used to instigate the fraud.

The team quickly identified that six weeks prior to the BEC attack, one of the Office accounts belonging to a senior-level employee had received a phishing email.

Purporting to be from Microsoft®, the email claimed that the user’s account may have been accessed and requested that the user sign in to review activity for security reasons.

On the assumption that the phishing attempt had succeeded and the user’s Office 365 credentials had been harvested, Redscan set about reviewing the audit logs for the account in question.

It soon became clear that an attacker had successfully signed in to the account from an IP address that could not be attributed to the firm.

Shortly after gaining access, the attacker created mailbox rules that scanned all incoming emails for keywords, moved matching messages to the user’s RSS Subscriptions folder within Outlook® and marked them as unread. This let the attacker quickly pick out emails of interest while preventing the compromised user from seeing and responding to them, since the RSS Subscriptions folder is one that most users never open.
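The rule-abuse pattern described above is something a responder can hunt for across every mailbox in the tenant, not just the one already known to be compromised. The following Python is an added example for this case study, not Redscan’s tooling: it takes inbox-rule events from a Unified Audit Log export (for instance the output of Search-UnifiedAuditLog, with each record’s AuditData JSON decoded to a dict) and scores each rule for the combination seen here, a keyword filter plus a move into a rarely read folder such as RSS Subscriptions, together with other signs (mail forwarding or deletion, a near-empty rule name, creation from an address outside the organisation’s known egress range). The records, user, IP addresses and the optional `trusted_ips` parameter are all constructed or assumed for illustration.

```python
"""Hunt for attacker-style inbox rules in Office 365 Unified Audit Log records.

Added example for this case study, not Redscan's own tooling. It assumes the
records were exported from the Unified Audit Log (e.g. Search-UnifiedAuditLog)
and that each record's AuditData JSON has already been decoded into a dict.
Every record, user and IP address below is constructed.
"""

# Folders the mailbox owner seldom opens; mail moved there goes unnoticed.
# RSS Subscriptions is the folder the attacker used in this case; the others
# are common alternatives (assumption, not from the case study).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items", "notes"}
# Conditions that select mail by content, the way the attacker hunted for invoices.
KEYWORD_CONDITIONS = {"SubjectContainsWords", "BodyContainsWords",
                      "SubjectOrBodyContainsWords"}
# Actions that send copies of mail outside the mailbox.
EXFIL_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# New-InboxRule / Set-InboxRule are logged for Outlook on the web and PowerShell;
# UpdateInboxRules is what the Outlook desktop client produces.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}

# Constructed sample: one attacker rule mirroring the case, one benign rule, one non-rule event.
CONSTRUCTED_RECORDS = [
    {"CreationTime": "2019-01-14T06:41:09", "Operation": "New-InboxRule",
     "UserId": "senior.partner@broker.example", "ClientIP": "203.0.113.77:51624",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;bank;remittance"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "False"},
         {"Name": "StopProcessingRules", "Value": "True"}]},
    {"CreationTime": "2019-01-14T09:15:33", "Operation": "New-InboxRule",
     "UserId": "senior.partner@broker.example", "ClientIP": "198.51.100.10:44310",
     "Parameters": [
         {"Name": "Name", "Value": "Vendor newsletters"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2019-01-14T09:16:02", "Operation": "MailboxLogin",
     "UserId": "senior.partner@broker.example", "ClientIP": "198.51.100.10:44311",
     "Parameters": []},
]


def rule_parameters(record):
    """Flatten the record's Parameters list of {Name, Value} pairs into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def client_address(record):
    """Strip the port from ClientIP ('203.0.113.77:51624' or '[2001:db8::1]:443')."""
    ip = record.get("ClientIP", "")
    if ip.startswith("["):
        return ip[1:ip.index("]")]
    host, sep, port = ip.rpartition(":")
    # A bare IPv6 address also contains ':'; only strip when what is left has none.
    return host if sep and port.isdigit() and ":" not in host else ip


def assess_rule(record, trusted_ips=frozenset()):
    """Return the reasons a rule-change record looks malicious.

    [] means the rule looks benign; None means the record is not an inbox-rule
    change at all. trusted_ips (assumed: the organisation's known egress
    addresses) is optional; when given, changes from anywhere else are flagged.
    """
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = rule_parameters(record)
    reasons = []
    folder = p.get("MoveToFolder", "")
    if folder.strip().lower() in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to '{folder}'")
    if p.get("DeleteMessage") == "True":
        reasons.append("deletes matching mail")
    words = [p[k] for k in sorted(KEYWORD_CONDITIONS) if k in p]
    if words:
        reasons.append("filters on keywords: " + "; ".join(words))
    targets = [p[k] for k in sorted(EXFIL_ACTIONS) if k in p]
    if targets:
        reasons.append("forwards or redirects mail to " + ", ".join(targets))
    # Attackers often give rules a throwaway name such as "." or "," so they
    # draw no attention in the rule list (common pattern, not from the case study).
    if len(p.get("Name", "").strip()) <= 2:
        reasons.append(f"near-empty rule name {p.get('Name', '')!r}")
    ip = client_address(record)
    if trusted_ips and ip not in trusted_ips:
        reasons.append(f"created from untrusted address {ip}")
    return reasons


def hunt(records, trusted_ips=frozenset()):
    """Return one finding per suspicious rule change, oldest first."""
    findings = []
    for r in sorted(records, key=lambda r: r.get("CreationTime", "")):
        reasons = assess_rule(r, trusted_ips)
        if reasons:
            findings.append({"time": r.get("CreationTime"), "user": r.get("UserId"),
                             "ip": client_address(r), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(CONSTRUCTED_RECORDS, trusted_ips={"198.51.100.10"}):
        print(f"{f['time']} {f['user']} from {f['ip']}")
        for reason in f["reasons"]:
            print("  -", reason)
```

Run against the constructed records, only the first rule is reported: it moves keyword-matched mail into RSS Subscriptions, has a one-character name and was created from an address outside the assumed egress range, while the newsletter rule and the login event are ignored. Two caveats apply in practice: these events only exist if mailbox auditing was enabled before the compromise, and a single signal (a keyword filter on its own, or a move on its own) is routine user behaviour, so the combination is what should be escalated.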


Our Recommendations

Use of Office 365 Secure Score
This dedicated security tool helps organisations to review and securely configure Office 365 environments.
Full mailbox audit logging
Activating full mailbox audit logging in Office 365 provides visibility of actions performed across all mailbox accounts, including sign-ins and the creation or modification of inbox rules; without it, an investigation such as this one has far less evidence to work with.
Enable multi-factor authentication
MFA provides an extra layer of authentication by requiring users to accept a phone call, text message or mobile application notification in order to sign in to Office 365, so that a phished password alone is no longer enough to access a mailbox. Note that SMS and voice-call methods are weaker than authenticator app or hardware token methods, since codes sent to a phone can themselves be phished or intercepted.
Proactive network and endpoint monitoring
Use of the latest SIEM, intrusion detection and behavioural monitoring tools helps to identify attacks in their infancy by flagging suspicious activity such as sign-ins from unfamiliar locations, failed sign-in attempts, newly created inbox rules and policy violations.
Block malicious IPs and domains
Blocking IP addresses and domains associated with known phishing campaigns helps to reduce the risk of staff falling victim to the credential theft that precedes BEC attacks.
Review staff training needs
Regular security training can help to instil best practice and improve awareness of the latest social engineering attacks.