Business Email Compromise


Many New Zealand organisations are either planning to migrate, or have recently migrated, to a cloud-based email system. On deployment, the email system should be configured to protect against security risks. This guidance is targeted at small to medium-sized organisations on a Microsoft business plan. Further references will be published in future for other email vendors such as Google. Microsoft recommends that you complete the tasks listed below that apply to your service plan.

  • Set up multi-factor authentication
  • Train your users
  • Use dedicated admin accounts
  • Raise the level of protection against malware in mail
  • Protect against ransomware
  • Stop auto-forwarding for email
  • Use Office Message Encryption
  • Protect your email from phishing attacks
  • Protect against malicious attachments and files with ATP Safe Attachments


Once you have finished configuring the security settings in your email environment, review how secure you are by checking your Office 365 Secure Score. This tool assigns a score based on your regular activities and security settings. You may not reach the maximum score, but Secure Score helps you keep abreast of the changing threat landscape by showing which protections for your environment are still outstanding. See “Introducing the Office 365 Secure Score”.

Another important area to review is the audit log settings. If you suffer a business email compromise, audit logs are a critical source of evidence during a forensic examination. In Microsoft environments, mailbox audit logging must be turned on for each user before their activity is recorded; see “Enable mailbox auditing”.


If you suspect that an email account has been compromised, act quickly, as a live cyber-attack may be underway. Common examples include compromised accounts being used to send phishing emails or spam. “Man in the middle” is another common type of email attack, where a fraudster inserts themselves into an email conversation and attempts to divert a payment into their own account.

Microsoft recommends the following response procedure.

  • Step 1: Reset the user’s password
  • Step 2: Remove suspicious email forwarding addresses
  • Step 3: Disable any suspicious inbox rules
  • Step 4: Unblock the user from sending mail
  • Step 5 (optional): Block the user account from signing in
  • Step 6 (optional): Remove the suspected compromised account from all administrative role groups

A forensic examination will rely heavily on mailbox audit data to determine the extent of any compromise. This data records which emails the attacker accessed, which enables you to inform affected parties that their information may have been breached.
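As an added example (not part of the original guidance and not a script published by Microsoft), the response steps above and the mailbox audit check, carried out with the Exchange Online and Microsoft Graph PowerShell modules. The mailbox address, the temporary password, the CSV file paths and the 30-day search window are assumptions; the operator is assumed to hold the Exchange and user administrator roles.

```powershell
# Added example, not from the original guidance. Assumes the ExchangeOnlineManagement
# and Microsoft.Graph modules are installed. $User and $TempPassword are placeholders.
$User         = 'compromised.user@example.org'
$TempPassword = 'REPLACE-WITH-A-RANDOM-TEMPORARY-PASSWORD'

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.Read.All'

# Step 1: reset the password and force a change at next sign-in
Update-MgUser -UserId $User -PasswordProfile @{
    Password                      = $TempPassword
    ForceChangePasswordNextSignIn = $true
}

# Step 2: record, then remove, any forwarding set on the mailbox itself
Get-Mailbox -Identity $User |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward | Format-List
Set-Mailbox -Identity $User -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# Step 3: export all inbox rules first (evidence), then disable the ones that
# forward, redirect or delete mail. Leave the remainder for manual review.
$rules = Get-InboxRule -Mailbox $User
$rules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Export-Csv -Path ".\$User-inboxrules.csv" -NoTypeInformation
$rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    ForEach-Object { Disable-InboxRule -Identity $_.Identity -Mailbox $User -Confirm:$false }

# Step 4: if the account was restricted for sending spam, lift the block
if (Get-BlockedSenderAddress -SenderAddress $User) {
    Remove-BlockedSenderAddress -SenderAddress $User
}

# Step 5 (optional): block sign-in and revoke the sessions the attacker still holds
Update-MgUser -UserId $User -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $User | Out-Null

# Step 6 (optional): list group and role memberships so admin roles can be removed
Get-MgUserMemberOf -UserId $User | Select-Object Id, AdditionalProperties | Format-List

# Forensics: confirm mailbox auditing is on, then export the recent Exchange audit
# records for this user (MailItemsAccessed shows which mail the attacker read).
(Get-Mailbox -Identity $User).AuditEnabled
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $User -RecordType ExchangeItem -ResultSize 5000 |
    Export-Csv -Path ".\$User-auditlog.csv" -NoTypeInformation
```

Run the forensic export before disabling rules wherever time allows, so the evidence is captured exactly as the attacker left it.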