Most people picture a breach as something loud: locked screens, ransom notes, alarms. Business Email Compromise is the opposite. It's quiet. An attacker gets into a mailbox with a valid password, sits there reading email for days or weeks, learns how your business talks about money, and then waits for the right invoice to redirect.
By the time anyone notices, the wire transfer has already cleared.
How it actually happens
There's rarely any malware involved. The chain usually looks like this:
- A phishing email harvests a username and password, often through a fake Microsoft 365 login page.
- The attacker logs in — frequently from a rented server overseas — and the login looks ordinary because the credentials are real.
- They create hidden inbox rules that auto-delete or auto-file specific messages, so the real owner never sees the replies.
- They watch. When a genuine invoice or payment thread appears, they step in, change the bank details, and let the conversation continue as if nothing changed.
The hidden rules are the part most owners never discover on their own. In one investigation we ran for a construction client, the attacker had planted twelve separate inbox rules to keep the victim blind to the fraud while it played out.
How the attack unfolds in red — and where it gets stopped in cyan.
- 01
Phishing email
A fake Microsoft login page harvests a password.
- 02MFA blocks the login
Account takeover
The attacker signs in with the real, stolen password.
- 03Rule-creation alert fires
Hidden inbox rules
Replies auto-delete, so the owner never sees them.
- 04
Invoice swapped
Bank details are quietly changed on a real invoice.
- 05Out-of-band check stops it
Wire redirected
The payment lands in the attacker's account.
Why small businesses get hit
It isn't that you're a bigger target than a Fortune 500. It's that you're a softer one. Large organizations enforce multi-factor authentication, watch their sign-in logs, and have someone paid to notice. A smaller business running on default Microsoft 365 settings usually has none of that switched on, even though the tools to do it are already included in the license you pay for every month.
What protects you
The good news: for all the damage it does, BEC is one of the most preventable serious threats out there. In rough order of impact:
- Enforce multi-factor authentication on every account. This single control stops the majority of credential-based logins cold.
- Turn on Conditional Access to block sign-ins from regions you never operate in and from anonymized networks.
- Alert on inbox-rule creation. New mail-forwarding or auto-delete rules should generate a notification, not pass silently.
- Verify payment changes out of band. Any request to change banking details gets confirmed by a phone call to a known number — never by replying to the email.
If you think it's already happening
Don't just reset the password and move on — that tips off the attacker without removing their access. The mailbox needs to be examined properly: hidden rules removed, active sessions revoked, sign-in logs reviewed, and the full timeline reconstructed so you know exactly what was exposed. That's forensic work, and doing it halfway often leaves a door open.
If you're staring at a suspicious payment right now, the fastest thing you can do is pick up the phone. We'll help you figure out what happened and shut it down, no sales pitch attached.