Business Email Compromise (BEC) is a category of cyberattack in which an adversary gains access to a corporate email account and uses it to defraud the organization, its partners, or its customers. Unlike phishing campaigns that cast a wide net, BEC operations are targeted, patient, and financially devastating. The FBI's Internet Crime Complaint Center reported $2.9 billion in adjusted losses from BEC in 2023 alone, with cumulative global losses exceeding $51 billion since tracking began in 2013.
How BEC attacks work
A BEC attack typically begins with credential theft — through phishing, password spraying, or token hijacking — followed by a period of silent observation. The attacker studies communication patterns, identifies high-value targets, and waits for the right moment to intervene. Once positioned, they execute one of several well-documented playbooks.
Common BEC attack types
- CEO fraud: The attacker impersonates a senior executive and instructs an employee — usually in finance or accounting — to wire funds to a controlled account. These requests are crafted to appear urgent and confidential.
- Vendor impersonation: After compromising a vendor's email, the attacker sends fraudulent invoices or updated payment instructions to the vendor's customers. The email comes from a legitimate address, making detection extremely difficult.
- Forwarding rule abuse: Rather than sending emails directly, the attacker creates hidden mail-flow rules that silently copy or redirect messages to an external address. This allows persistent access to sensitive communications without triggering login alerts.
- Account compromise with lateral movement: The attacker uses a compromised mailbox to send internal phishing emails to other employees, expanding their foothold across the organization.
- Attorney impersonation: Posing as legal counsel, the attacker pressures employees into completing transactions quickly under the guise of a confidential legal matter.
Why traditional email security misses BEC
Secure email gateways and spam filters are designed to block malicious payloads — attachments, links, and known-bad senders. BEC emails rarely contain any of these indicators. They are plain-text messages sent from legitimate accounts with no malware attached. Anti-phishing tools that rely on sender reputation, URL scanning, or attachment sandboxing have no signal to act on. The attack lives in the business logic of the message, not its technical envelope.
The forwarding rule blind spot
One of the most dangerous aspects of BEC is the attacker's ability to create server-side forwarding rules or hidden MAPI-level inbox rules that persist long after the initial compromise is remediated. Even if the password is reset and the session is revoked, these rules continue to silently exfiltrate email. Many organizations discover months later that sensitive communications were being forwarded to an external address the entire time.
Detection strategies that work
- Audit all mail-flow rules across every mailbox in the tenant, not just those visible in the admin center. MAPI-level rules and transport-level forwarding are often invisible to standard tooling.
- Monitor for rules that forward, redirect, or delete messages — especially those targeting specific keywords like "invoice," "payment," or "wire."
- Correlate rule creation timestamps with sign-in logs to identify rules created during suspicious sessions.
- Implement continuous scanning rather than one-time audits. Attackers frequently re-establish forwarding rules after remediation.
- Enforce conditional access policies that limit rule creation from unmanaged devices or unfamiliar locations.
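The following script is an added example, not code from the original article or from any vendor tool, showing how the detection steps above fit together: it scores each inbox-rule creation event on the three criteria the article names (forwarding or redirecting to an external address, deleting messages, and targeting finance keywords) and then correlates the rule with the sign-in that opened the creating session, escalating when that sign-in came from a country outside the user's baseline. The record shapes (`RuleEvent`, `SignIn`), the parameter names inside `params`, the tenant domain `example.com`, and all sample events are assumptions constructed for the example; a real deployment would populate them from the tenant's audit-log export.

```python
# Added example (not from the original article): triage exported inbox-rule
# creation events against sign-in logs. Record shapes are assumptions loosely
# modelled on mailbox-rule audit fields, not a real export format.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}                   # assumed tenant domains
FINANCE_KEYWORDS = {"invoice", "payment", "wire"}    # keywords from the article
FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


@dataclass
class RuleEvent:
    user: str
    created: datetime
    session_id: str
    params: dict = field(default_factory=dict)   # rule actions and conditions


@dataclass
class SignIn:
    user: str
    time: datetime
    session_id: str
    country: str
    ip: str


def external_addresses(addresses, internal=INTERNAL_DOMAINS):
    """Recipients whose domain is not one of the tenant's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in internal]


def rule_findings(rule):
    """Reasons a rule deserves review: external forwarding, deletion, finance keywords."""
    findings = []
    for action in FORWARD_ACTIONS:
        ext = external_addresses(rule.params.get(action, []))
        if ext:
            findings.append(f"{action} -> external {', '.join(ext)}")
    if rule.params.get("DeleteMessage"):
        findings.append("deletes matching messages")
    words = {w.lower() for w in rule.params.get("SubjectContainsWords", [])}
    hits = sorted(words & FINANCE_KEYWORDS)
    if hits:
        findings.append("matches finance keywords " + ", ".join(hits))
    return findings


def creating_signin(rule, signins, window=timedelta(hours=24)):
    """Sign-in for the same user and session that precedes the rule creation."""
    for s in signins:
        if (s.user == rule.user and s.session_id == rule.session_id
                and rule.created - window <= s.time <= rule.created):
            return s
    return None


def triage(rules, signins, baseline_countries):
    """One alert per suspicious rule; 'high' when the creating session's
    sign-in country is outside the user's baseline set."""
    alerts = []
    for rule in rules:
        findings = rule_findings(rule)
        if not findings:
            continue
        signin = creating_signin(rule, signins)
        unfamiliar = (signin is not None
                      and signin.country not in baseline_countries.get(rule.user, set()))
        alerts.append({
            "user": rule.user,
            "severity": "high" if unfamiliar else "medium",
            "findings": findings,
            "signin_ip": signin.ip if signin else None,
        })
    return alerts


# Constructed sample data: three rule-creation events and the sign-ins around them.
T = datetime(2024, 3, 4, 9, 0)
SAMPLE_RULES = [
    RuleEvent("alice@example.com", T, "s-1",
              {"MoveToFolder": "Projects", "SubjectContainsWords": ["status"]}),
    RuleEvent("bob@example.com", T + timedelta(hours=1), "s-2",
              {"ForwardTo": ["collector@external.example", "bob@example.com"],
               "SubjectContainsWords": ["Invoice", "payment"]}),
    RuleEvent("carol@example.com", T + timedelta(hours=2), "s-3",
              {"DeleteMessage": True, "SubjectContainsWords": ["wire"]}),
]
SAMPLE_SIGNINS = [
    SignIn("alice@example.com", T - timedelta(minutes=5), "s-1", "US", "198.51.100.2"),
    SignIn("bob@example.com", T + timedelta(minutes=40), "s-2", "FR", "203.0.113.7"),
    SignIn("carol@example.com", T + timedelta(minutes=110), "s-3", "US", "198.51.100.4"),
]
BASELINE = {u: {"US"} for u in ("alice@example.com", "bob@example.com", "carol@example.com")}


def run_sample():
    return triage(SAMPLE_RULES, SAMPLE_SIGNINS, BASELINE)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["severity"].upper(), alert["user"], alert["signin_ip"], alert["findings"])
```

Running the sample produces a high-severity alert for the rule that forwards invoice and payment mail to an external domain from a session opened in an unfamiliar country, and a medium-severity alert for the rule that silently deletes messages mentioning a wire; the benign folder-move rule is not reported. Because the article stresses that attackers re-create rules after remediation, the intent is to run this over every new rule event on a schedule rather than once.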
BEC is not a technology problem solved by a single product. It requires visibility into email configuration at the tenant level — the exact layer where forwarding rules, inbox filters, and delegate permissions live. Organizations that treat BEC as purely a phishing problem will continue to miss the persistence mechanisms that make these attacks so damaging.