Back to Intelligence

BEC Defense: Detecting Underground Tactics, Account Compromise, and Cash-Out Networks

SA
Security Arsenal Team
June 30, 2026
7 min read

Business Email Compromise (BEC) has evolved well beyond the "Nigerian Prince" wire-transfer scams of the past. Based on recent intelligence from Flare regarding underground forum activity, we are seeing BEC mature into a sophisticated, service-based criminal economy. It is no longer just an email scam; it is a coordinated operation involving compromised legitimate accounts, meticulous financial research, and professional cash-out networks.

For defenders, this shift is critical. Traditional email gateways focused on payload delivery (malware/links) are often blind to these attacks because the attacker is using a trusted, authenticated identity. The threat lies not in the content of the spam, but in the behavior of the account holder. This post dissects the BEC kill chain as observed in underground markets and provides the detection logic necessary to catch these operations during the "financial research" and "cash-out" phases.

Technical Analysis

The modern BEC attack lifecycle, as revealed in recent underground forum monitoring, consists of three distinct phases:

  1. Initial Access & Brokerage: Attackers purchase or phish credentials for corporate email accounts, specifically targeting finance departments and executive assistants. These accounts are often sold as "fresh" or "verified" access in underground forums.

  2. Financial Research: Once inside, attackers do not immediately act. They perform "financial research"—searching historical emails for invoices, banking details, and ongoing vendor relationships. They understand the victim's billing cycles to time their fraudulent invoices perfectly.

  3. Cash-Out Networks: The funds are not sent directly to the attacker. Instead, they are routed through a complex web of "money mules" and cash-out services advertised in these same forums. These networks are designed to obfuscate the trail and liquidate funds before the fraud is detected.

Affected Platforms:

  • Cloud Email Providers: Microsoft 365, Google Workspace (primary targets for account takeover).
  • Financial Systems: Any system accessible via Single Sign-On (SSO) from the compromised email account.

Exploitation Status: While no specific CVE is required for this attack (it relies on valid credentials), we are observing active exploitation of trust relationships. The "vulnerability" here is the lack of behavioral baseline monitoring and the implicit trust placed in internal email correspondence.

Detection & Response

To combat BEC, we must pivot from detecting "bad emails" to detecting "abnormal behavior." We need to identify when a valid account starts behaving like a recon specialist or a money launderer.

SIGMA Rules

The following Sigma rules focus on the command-line automation often used to set up persistence (Inbox Rules) and the tools used to export data (Financial Research) from a compromised endpoint.

YAML
---
title: PowerShell Exchange Online Mailbox Rule Manipulation
id: 8a4b2c91-1d3e-4f5a-9b6c-7d8e9f0a1b2c
status: experimental
description: Detects PowerShell commands used to create or modify Inbox rules, a common BEC tactic to hide replies and fraudulent emails.
references:
  - https://attack.mitre.org/techniques/T1114/003/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1114.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_pwsh:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_cmdlet:
    CommandLine|contains:
      - 'New-InboxRule'
      - 'Set-InboxRule'
      - 'Enable-InboxRule'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative mailbox management
level: high
---
title: Suspicious Mailbox Export via PowerShell
id: 9c5d3e02-2e4f-5g6a-0c7d-1e2f3a4b5c6d
status: experimental
description: Detects attempts to export mailbox data using PowerShell, indicative of the "financial research" phase where attackers harvest invoice history.
references:
  - https://attack.mitre.org/techniques/T1114/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack.t1114
logsource:
  category: process_creation
  product: windows
detection:
  selection_pwsh:
    Image|endswith: '\powershell.exe'
  selection_export:
    CommandLine|contains:
      - 'New-MailboxExportRequest'
      - 'Search-Mailbox'
      - 'Export-Mailbox'
  selection_target:
    CommandLine|contains:
      - '-TargetFolder'
      - '-TargetRootFolder'
  condition: all of selection_*
falsepositives:
  - Legitimate legal hold or backup exports
level: medium

KQL (Microsoft Sentinel)

This query targets the OfficeActivity table to detect the specific behaviors highlighted in the intelligence report: the creation of forwarding rules (to monitor fraud) and bulk message exports (financial research).

KQL — Microsoft Sentinel / Defender
// Hunt for BEC precursors: Rule creation and Message Export
OfficeActivity
| where TimeGenerated > ago(7d)
| where Operation in ("New-InboxRule", "Set-InboxRule", "Update-InboxRule", "New-MailboxExportRequest", "Search-Mailbox")
| extend Parameters = iff(isnotempty(Parameters), tostring(Parameters), "")
| where Parameters contains "DeleteMessage" 
   or Parameters contains "MoveToFolder" 
   or Parameters contains "ForwardTo"
   or Operation contains "Export"
| project TimeGenerated, ClientIP, UserId, Operation, Parameters, RecordType
| extend Timestamp = TimeGenerated, Account = UserId, IP = ClientIP
| order by TimeGenerated desc

Velociraptor VQL

This VQL artifact hunts for processes on the endpoint that may be interacting with theExchange Web Services (EWS) or running PowerShell scripts that automate mail manipulation. It looks for scripts running in memory that reference typical BEC keywords.

VQL — Velociraptor
-- Hunt for PowerShell processes performing BEC-related activities
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'powershell.exe'
  AND (
    CommandLine =~ 'InboxRule' OR
    CommandLine =~ 'MailboxExport' OR
    CommandLine =~ 'Set-CASMailbox' OR
    CommandLine =~ 'Connect-ExchangeOnline'
  )

Remediation Script (PowerShell)

If an account is suspected of being compromised, use this script to audit and disable suspicious inbox rules and forwarding immediately. This contains the "financial research" phase by stopping the attacker from hiding their tracks.

PowerShell
<#
.SYNOPSIS
    Audit and Disable Suspicious Inbox Rules for a User.
.DESCRIPTION
    Connects to Exchange Online to list all rules and disables any that forward emails
    or delete messages (common BEC persistence mechanisms).
#>

param(
    [Parameter(Mandatory=$true)]
    [string]$UserPrincipalName
)

# Ensure Exchange Online module is installed and connected
# Connect-ExchangeOnline -UserPrincipalName $AdminCredential

Write-Host "[+] Auditing Inbox Rules for: $UserPrincipalName" -ForegroundColor Cyan

try {
    $rules = Get-InboxRule -Mailbox $UserPrincipalName -ErrorAction Stop

    if ($rules) {
        foreach ($rule in $rules) {
            $isSuspicious = $false
            $reasons = @()

            # Check for forwarding to external domains
            if ($rule.ForwardTo -or $rule.RedirectTo) {
                $isSuspicious = $true
                $reasons += "External Forwarding"
            }

            # Check for deletion of messages (hiding replies)
            if ($rule.DeleteMessage -eq $true) {
                $isSuspicious = $true
                $reasons += "Message Deletion"
            }

            # Check for moving to specific non-default folders
            if ($rule.MoveToFolder -and $rule.MoveToFolder -notmatch "Inbox|Deleted Items|Sent Items") {
                $isSuspicious = $true
                $reasons += "Suspicious Folder Move"
            }

            if ($isSuspicious) {
                Write-Host "[!] SUSPICIOUS RULE FOUND: $($rule.Name)" -ForegroundColor Red
                Write-Host "    - Reasons: $($reasons -join ', ')"
                
                # Disable the rule immediately
                Disable-InboxRule -Identity $rule.Identity -Mailbox $UserPrincipalName -Confirm:$false
                Write-Host "    - Action: Rule Disabled." -ForegroundColor Yellow
            }
            else {
                Write-Host "[-] Rule deemed benign: $($rule.Name)" -ForegroundColor Green
            }
        }
    }
    else {
        Write-Host "[Info] No Inbox Rules found for user." -ForegroundColor Gray
    }
}
catch {
    Write-Error "Failed to retrieve rules. Ensure you are connected to Exchange Online and have sufficient permissions."
    Write-Error $_.Exception.Message
}

Remediation

Based on the "Lessons from the Underground," immediate remediation must go beyond a simple password reset:

  1. Kill the Session: Force a sign-out of all sessions for the compromised user via the Admin Center. Attackers often maintain persistent cookies or refresh tokens.

  2. Audit Rules and Forwarding: As shown in the script above, attackers almost always set up Inbox Rules to delete replies from the victim (so the victim doesn't see the fraud alerts) or forward the reply to the attacker. This is a mandatory step in IR.

  3. Review Registered Devices: Check the "Devices" tab for the user in Entra ID (formerly Azure AD). De-register any unknown or mobile devices that should not have corporate email access.

  4. Implement Geo-Fencing: If the user claims to be in Dallas but the logs show access from Eastern Europe or a known VPN endpoint, block the region temporarily.

  5. Conduct a Financial Review: Work with the finance team to review all outgoing transactions initiated from the user's account during the compromise window (typically looking back 14 days).

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirbecoffice-365social-engineering

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.