Office 365 Business Email Compromise Investigation Leads to Stronger Security

Client problem

A supervisor at a financial services company received an email request from a business associate. Despite recognizing the request was somewhat out of character, she clicked on a link in the email. Four days later, she discovered her computer was sending out a vast number of emails. Worse yet, the supervisor routinely works with sensitive personally identifiable and financial information, and often communicates this information to other financial institutions.

In the meantime, the employee’s manager received a call from one of the company’s major clients saying they had received a strange email from this employee and it could be malicious. The manager immediately called her company’s data security hotline. After some initial investigation, the company’s external counsel was contacted to assist with a possible business email account compromise.

How Kroll resolved the problem
  • Upon being engaged by the client’s counsel, a Kroll forensics specialist immediately began analyzing the supervisor’s account remotely. 
  • Kroll confirmed the account had suffered unauthorized access for approximately four days, and that the attacker had relocated emails of interest to a benign subfolder of the supervisor’s email account – the “RSS feeds” folder. 
  • Kroll then reviewed the attacker’s actions and identified search terms that included W2, invoice, ACH, wire transfer, and payment, which allowed Kroll to understand a likely motivation of the unauthorized actor(s).
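
The two findings above (mail moved into the “RSS feeds” folder, and searches for financial terms) can be turned into a simple triage pass over mailbox activity. The following is an added example, not Kroll’s tooling or code from the original case study; the event records, their field names and the folder list are constructed for illustration and are not the Office 365 audit log schema.

```python
import re
from datetime import datetime

# Search terms the case study reports; matched as whole words so that
# "ACH" does not fire on words such as "coach".
FINANCIAL_TERMS = ("W2", "invoice", "ACH", "wire transfer", "payment")
TERM_RE = re.compile(
    r"\b(" + "|".join(re.escape(t) for t in FINANCIAL_TERMS) + r")\b",
    re.IGNORECASE,
)
# Rarely opened folder named in the case study (assumption: extend per tenant).
STAGING_FOLDERS = {"rss feeds"}

# Constructed sample events in a simplified, hypothetical shape.
SAMPLE_EVENTS = [
    {"time": "2019-01-07T08:55:00", "op": "search", "query": "coach schedule"},
    {"time": "2019-01-07T09:12:00", "op": "search", "query": "wire transfer instructions"},
    {"time": "2019-01-07T09:14:00", "op": "move", "subject": "ACH details", "dest": "RSS Feeds"},
    {"time": "2019-01-08T16:30:00", "op": "move", "subject": "Team lunch", "dest": "Archive"},
    {"time": "2019-01-10T22:41:00", "op": "search", "query": "W2 2018"},
    {"time": "2019-01-11T07:05:00", "op": "move", "subject": "Invoice 4471", "dest": "rss feeds"},
]

def triage(events):
    """Return (flagged events, matched search terms, first/last flagged time)."""
    flagged, terms = [], set()
    for ev in events:
        if ev["op"] == "search":
            hits = TERM_RE.findall(ev["query"])
            if hits:
                terms.update(h.lower() for h in hits)
                flagged.append(ev)
        elif ev["op"] == "move" and ev["dest"].strip().lower() in STAGING_FOLDERS:
            # Mail relocated into a folder the owner is unlikely to open.
            flagged.append(ev)
    if not flagged:
        return [], set(), None
    times = sorted(datetime.fromisoformat(ev["time"]) for ev in flagged)
    return flagged, terms, (times[0], times[-1])

if __name__ == "__main__":
    flagged, terms, window = triage(SAMPLE_EVENTS)
    print(f"{len(flagged)} suspicious events, terms searched: {sorted(terms)}")
    print(f"activity window: {window[0]} to {window[1]}")
```

The window between the first and last flagged event gives a starting estimate of how long the account was misused, to be confirmed against sign-in records.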

Delivering results
  • Kroll remediated the immediate threat and worked with the client to restore the supervisor’s account to a clean state.
  • When the cyber insurance provider who covered this event subsequently notified the manager of an increase in premiums and deductible, the manager launched an intensive employee awareness and training program and sought Kroll’s help to strengthen their systems.
  • The client asked Kroll to test the program’s effectiveness by conducting a controlled phishing campaign.
  • The client was able to negotiate a new policy for more coverage at less cost.  

Don’t wait until a crisis. Kroll can help you better safeguard your data and strengthen your O365 environment today.

 

 
2019-02-13
