Office 365 Business Email Compromise Investigation Leads to Stronger Security

Client problem

A supervisor at a financial services company received an email request from a business associate. Despite recognizing the request was somewhat out of character, she clicked on a link in the email. Four days later, she discovered her computer was sending out a vast number of emails. Worse yet, the supervisor routinely works with sensitive personally identifying and financial information, and often communicates this information to other financial institutions.

In the meantime, the employee’s manager received a call from one of the company’s major clients saying they had received a strange email from this employee and it could be malicious. The manager immediately called her company’s data security hotline. After some initial investigation, the company’s external counsel was contacted to assist with a possible business email account compromise.

How Kroll resolved the problem
  • Upon being engaged by the client’s counsel, a Kroll forensics specialist immediately began analyzing the supervisor’s account remotely. 
  • Kroll confirmed the account had suffered unauthorized access for approximately four days, and that the attacker had relocated emails of interest to a benign subfolder of the supervisor’s email account – the “RSS feeds” folder. 
  • Kroll then reviewed the attacker’s actions and identified search terms that included W2, invoice, ACH, wire transfer, and payment, which pointed to the likely motivation of the unauthorized actor(s).
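
The two findings above (mail moved into the “RSS feeds” folder, and searches for financial terms) can be turned into a simple triage check over exported mailbox activity. This is an added example, not Kroll’s tooling; the event schema (`user`, `op`, `query`, `dest_folder`) and the sample events are constructed assumptions, not the Office 365 audit log format.

```python
import re
from collections import defaultdict

# Search terms the case study reports the attacker used.
FINANCE_TERMS = ("w2", "invoice", "ach", "wire transfer", "payment")
# Rarely opened folders; the case study names "RSS feeds" as the hiding place.
HIDING_FOLDERS = {"rss feeds"}

# Whole-word match so that "ach" does not fire on words such as "reachable".
TERM_RE = re.compile(
    r"\b(" + "|".join(re.escape(t) for t in FINANCE_TERMS) + r")\b", re.I
)

# Constructed sample events in a simplified, hypothetical schema.
SAMPLE_EVENTS = [
    {"user": "supervisor@example.com", "op": "Search", "query": "wire transfer"},
    {"user": "supervisor@example.com", "op": "Search", "query": "W2 forms"},
    {"user": "supervisor@example.com", "op": "Move", "dest_folder": "RSS Feeds"},
    {"user": "supervisor@example.com", "op": "Move", "dest_folder": "Archive"},
    {"user": "analyst@example.com", "op": "Search", "query": "lunch menu"},
    {"user": "analyst@example.com", "op": "Search", "query": "reachable hosts"},
]

def triage(events):
    """Return {user: {"terms": set, "hidden_moves": int}} for users with findings."""
    findings = defaultdict(lambda: {"terms": set(), "hidden_moves": 0})
    for ev in events:
        if ev["op"] == "Search":
            hits = {m.lower() for m in TERM_RE.findall(ev.get("query", ""))}
            if hits:
                findings[ev["user"]]["terms"] |= hits
        elif ev["op"] == "Move":
            if ev.get("dest_folder", "").strip().lower() in HIDING_FOLDERS:
                findings[ev["user"]]["hidden_moves"] += 1
    return dict(findings)

def high_priority(findings):
    """Users showing both behaviours: finance searches and moves into a hiding folder."""
    return sorted(u for u, f in findings.items() if f["terms"] and f["hidden_moves"])

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for user in high_priority(result):
        print(user, sorted(result[user]["terms"]), result[user]["hidden_moves"])
```

Either signal alone is weak; the combination on one mailbox is what makes the account worth a closer look.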

Delivering results
  • Kroll remediated the immediate threat and worked with the client to restore the supervisor’s account to a clean state.
  • When the cyber insurance provider who covered this event subsequently notified the manager of an increase in premiums and deductible, the manager launched an intensive employee awareness and training program and sought Kroll’s help to strengthen their systems.
  • The client asked Kroll to test the program’s effectiveness by conducting a controlled phishing campaign.
  • The client was able to negotiate a new policy for more coverage at less cost.  
