Business Email Compromise Detection: A Practical Guide for 2026
BEC attacks cost businesses $2.9 billion in 2023. Here's exactly how attackers operate, why most companies don't detect it until it's too late, and a practical detection framework that actually works.
MailBreach Security
March 5, 2026
Business Email Compromise Is the #2 Cybercrime Loss Category
The FBI's 2023 Internet Crime Report is blunt: Business Email Compromise caused $2.9 billion in losses — second only to investment fraud ($4.57B) among cybercrime categories. Over $51 billion has been lost to BEC since 2013. And the attacks are getting more sophisticated, not less.
Yet most organizations still can't answer a basic question: Are we being compromised right now?
This guide covers what BEC actually looks like at the technical level, why detection is hard, and a framework for catching it before the wire transfer goes out.
What Business Email Compromise Actually Is
BEC is a category of attacks where criminals use email to deceive organizations into transferring money or sensitive data. Unlike phishing attacks that try to trick end users, BEC often targets the organization's own processes and people in positions of authority.
The three most common BEC scenarios:
1. CEO Fraud / Executive Impersonation
An attacker impersonates a senior executive (CEO, CFO, COO) and sends an urgent request — typically a wire transfer, gift card purchase, or change to payroll direct deposit. The "executive" claims to be in a meeting and needs it handled immediately.
2. Vendor/Invoice Fraud
The attacker impersonates a vendor your company regularly pays. They send a legitimate-looking invoice with changed banking details, or intercept an existing invoice thread and modify the payment instructions.
3. Account Takeover + Silent Monitoring
This is the most sophisticated — and most dangerous — variant. The attacker actually compromises an employee's email account, then creates hidden forwarding rules to silently monitor all incoming and outgoing mail. They watch for months, learning:
- Payment patterns and amounts
- Vendors and their communication styles
- When invoices are due
- Internal approval workflows
- Who is authorized to approve transfers
Then, at the right moment, they strike — crafting a perfectly targeted attack using real information harvested from inside the organization.
Why Account Takeover BEC Is Almost Impossible to Detect Without the Right Tools
The first two BEC variants (impersonation, invoice fraud) are addressable with email authentication (DMARC/DKIM/SPF), security awareness training, and email gateway tools.
The third variant — account takeover with silent monitoring — is different. The attacker:
- Uses a **legitimate, authenticated account** (no spoofing to detect)
- Creates **hidden inbox rules** using normal email features
- Generates **no malware, no phishing links, no suspicious payloads**
- Operates **at the configuration layer**, invisible to email content scanners
- **Persists through password resets** if the rules aren't removed
This is exactly why these attacks are so dangerous: nothing in the message stream looks wrong, so the compromise can sit unnoticed for a long time. According to the IBM Cost of a Data Breach Report 2023, the average time to identify a breach is 204 days.
The Hidden Forwarding Rule Pattern
When an attacker compromises an email account, their first move is almost always the same:
Step 1: Create a forwarding rule to send copies of all incoming mail to an external address they control.
Step 2: Create an inbox rule to auto-delete security notifications (IT alerts, MFA prompts, login notifications).
Step 3: Optionally, mark forwarded emails as read so the victim doesn't see unread counts piling up.
Step 4: Log out and wait.
Here's what makes this particularly dangerous for organizations using Microsoft 365 or Google Workspace: these rules are set using completely normal platform features. There's no malware. There's no exploit. It's a legitimate user creating legitimate email rules — except the "user" is an attacker.
In Microsoft 365, this can be done via:
- Outlook Web Access rules interface
- PowerShell (`New-InboxRule`, `Set-Mailbox -ForwardingAddress`)
- Microsoft Graph API
- Exchange Web Services (EWS)
In Google Workspace:
- Gmail filters interface
- Gmail API
- IMAP (in some configurations)
Building a BEC Detection Framework
Effective BEC detection — especially for the account takeover variant — requires visibility into your email configuration layer, not just message content.
Layer 1: Detect Forwarding Rules in Real Time
Every forwarding rule in your organization should be inventoried and validated:
- **Who set it?** Is this a user who would legitimately forward email?
- **Where does it forward?** Is the destination domain on an approved list?
- **When was it created?** Recent rules on executive accounts should trigger immediate review.
- **What does it forward?** Rules targeting financial keywords (invoice, wire, payment) are high-risk.
Tools to use: Microsoft 365 Admin Center (Security & Compliance), Google Workspace Admin Console, or automated scanning tools that enumerate all rules across all users.
Layer 2: Monitor Rule Changes
Point-in-time audits aren't enough. You need continuous monitoring:
- Alert on any new forwarding rule created, especially to external domains
- Alert on rules that delete, hide, or auto-forward sensitive emails
- Alert on any changes to forwarding settings at the account level
- Correlate rule creation events with authentication anomalies (new device, impossible travel, off-hours login)
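As an added example (not MailBreach's product code), here is a small Python triage routine that applies the Layer 1 questions (who, where, what) to the Layer 2 rule-change events you would pull from the Microsoft 365 unified audit log. It assumes the Exchange AuditData JSON shape (Operation, UserId, Parameters as Name/Value pairs); the tenant domain, watchlist, keywords and sample records are all constructed, and Google Workspace audit events would need their own parser.

```python
import re
# Constructed assumptions: tenant domain, exec/finance watchlist, Layer 1 keywords.
INTERNAL_DOMAINS = {"example.com"}
WATCHLIST = {"cfo@example.com", "ap@example.com"}
FINANCIAL_WORDS = {"invoice", "wire", "payment", "bank"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
SUPPRESS_PARAMS = {"DeleteMessage", "MarkAsRead"}

def _domain(value):
    # Audit values look like 'smtp:x@y' or '"x@y" [SMTP:x@y]'; accept either.
    return value.split(":")[-1].rsplit("@", 1)[-1].strip(']"> ').lower()

def triage(rec):
    """Findings for one Exchange audit record; an empty list means benign."""
    if rec.get("Workload") != "Exchange" or rec.get("Operation") not in RULE_OPS:
        return []
    p = {x["Name"]: str(x["Value"]) for x in rec.get("Parameters", [])}
    target = (p.get("Mailbox") or p.get("Identity") or rec.get("UserId", "")).lower()
    findings = []
    for name in sorted(FORWARD_PARAMS & p.keys()):          # where does it forward?
        for dest in filter(None, re.split(r"[;,]", p[name])):
            if _domain(dest) not in INTERNAL_DOMAINS:
                findings.append(f"external forward via {name} -> {_domain(dest)}")
    for name in sorted(SUPPRESS_PARAMS & p.keys()):         # deletes/hides mail?
        if p[name].lower() == "true":
            findings.append(f"suppression: {name}")
    text = " ".join(v for k, v in p.items() if k == "Name" or "Words" in k).lower()
    if any(w in text for w in FINANCIAL_WORDS):             # what does it forward?
        findings.append("rule keyed on financial keywords")
    if findings and target in WATCHLIST:                    # who set it?
        findings.append(f"{target} is on the executive/finance watchlist")
    return findings

def scan(events):
    return {e["Id"]: f for e in events if (f := triage(e))}  # Id -> findings

# Constructed sample records in the shape of Search-UnifiedAuditLog AuditData.
SAMPLE_EVENTS = [
    {"Id": "evt-1", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.7", "Parameters": [
         {"Name": "Mailbox", "Value": "cfo@example.com"}, {"Name": "Name", "Value": "Sync"},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire"},
         {"Name": "ForwardTo", "Value": "smtp:drop@mail-collector.example"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"Id": "evt-2", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "Parameters": [
         {"Name": "Mailbox", "Value": "alice@example.com"},
         {"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "News"}]},
]
```

Feed `scan()` the parsed AuditData objects from a continuous export and route any non-empty result into the Layer 4 playbook; the benign second record shows an ordinary move-to-folder rule produces no finding.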
Layer 3: Tenant-Level Enforcement
Beyond individual mailbox monitoring, enforce policy at the organizational level:
- Disable external auto-forwarding by default (Microsoft's "Transport Rule" or Google's "Prevent users from automatically forwarding email")
- Require admin approval for any forwarding configuration changes
- Enable unified audit logging so you have a record of all rule changes
Layer 4: Response Playbooks
When a suspicious rule is detected, have a documented response:
- Immediately disable the rule
- Review the rule's history — when was it created? What was forwarded?
- Check for other signs of account compromise (login anomalies, sent mail review)
- Force MFA re-enrollment and session invalidation
- Notify the affected user and conduct a brief interview
- Document everything for potential law enforcement or cyber insurance claims
The Numbers That Should Motivate Action
- **$2.9 billion** in BEC losses in 2023 (FBI IC3)
- **204 days** average time to identify a breach (IBM Cost of a Data Breach 2023)
- **73%** of BEC attacks involve some form of email rule manipulation
- **$125,000** average loss for small business BEC incidents
- Attacks **persist through password resets** if forwarding rules aren't removed
What to Do This Week
You don't need a massive security program to start closing this gap. Here's what you can do immediately:
- **Run an audit of all forwarding rules in your M365 or Google Workspace tenant.** Start with executives and finance team members.
- **Check for rules that delete or hide emails.** These are often used to suppress security notifications during an attack.
- **Review the "auto-forward to external domain" setting** at the tenant level. If it's enabled and you don't have a specific business reason, disable it.
- **Set up audit logging** for mailbox rule changes. Both platforms support this — make sure the events are being captured.
- **Consider automated monitoring.** Manual audits catch what exists today, but you need continuous detection to catch rules created tomorrow.
The Bottom Line
Business email compromise isn't going away. If anything, it's becoming more targeted and more financially devastating as attackers get better at the account takeover + silent monitoring variant.
The good news: the detection strategy isn't complicated. It requires visibility into a layer of your email environment that most organizations simply haven't been monitoring — the configuration layer.
Once you have that visibility, you can catch the attack on day one instead of day 197.
MailBreach provides continuous scanning of email forwarding rules and inbox configurations across Microsoft 365 and Google Workspace — the exact visibility you need to detect account takeover BEC before it becomes a wire fraud headline.