Case Study

Business Email Compromise Incident Response with Digital Forensics for a Small Montana Organization

Overcoming Barriers to Success

The Challenge

A Montana organization with fewer than 10 employees suffered a business email compromise that led to a fraudulent wire transfer of around $70,000. The compromise centered on a finance mailbox where the attacker successfully pushed a bank account change for an otherwise legitimate payment.

An IT provider had previously attempted to remediate the incident, but their work left persistent access in place, omitted critical logging, and altered evidence needed to fully understand the attack.

The organization was on Microsoft 365 with limited controls, minimal logging, and no EDR or modern antivirus in place. The incident was brought to our team 80 days after the initial compromise, well after the money had left the account, raising concerns about ongoing access and unknown exposure.

Action Plan for Success

Goals

The organization needed to determine whether the attacker still had access, how long they had been in the environment, and whether any additional accounts or systems were affected. They also needed a defensible forensic record of what happened to support law enforcement and potential insurance or legal needs.

At the same time, leadership wanted to ensure this could not happen again by hardening Microsoft 365, increasing logging and monitoring, and improving both technical controls and user awareness without overcomplicating a very small environment.

Identifying Key Dependencies

Needs

To meet these goals, the client required a true digital forensics and incident response engagement, not another quick “cleanup.” That meant deep analysis of mailboxes, devices, and browser artifacts to reconstruct the attack path and timeframe. They also needed proper logging enabled across cloud services so future incidents could be detected and investigated quickly.

Finally, they needed a stronger security baseline for Microsoft 365, including strong authentication and automated response to suspicious activity.

The Solution

We engaged as a new DFIR provider focused on the existing Microsoft 365 tenant and the compromised finance workstation. Our scope included mailbox and message‑level forensics, device and browser analysis, and a review of cloud sign‑in activity and configuration. The engagement emphasized preserving and analyzing what evidence remained, despite the previous provider’s actions.

From there, we designed a set of security and logging improvements tailored to a small organization: year-long logging across cloud platforms, better controls around identity and access, automated account protections for phishing events, and end-user security awareness training.

Step-by-Step Execution

Actions We Took

We began by collecting and analyzing PST exports and email headers from the compromised mailbox, along with related accounts that could have been affected. We examined mailbox rules, forwarding rules, OAuth applications, and Microsoft 365 sign‑in logs for signs of ongoing or lateral activity. Because some evidence had been altered or missed by the prior IT provider, we leaned heavily on device and browser forensics to reconstruct the attack timeline; browser and Outlook PST artifacts ultimately provided the clearest picture of when and how the account was accessed.

Our investigation confirmed a phishing email as the entry vector and showed that the attacker had access for nearly 90 days, including a period of persistent access for more than a week after the previous provider’s “cleanup,” due to sessions not being revoked.

Once the scope was clear, we fully revoked sessions, rotated credentials, and enforced multifactor authentication on all accounts. We enabled one year of logging across relevant cloud platforms and implemented identity threat detection and response controls to automatically lock or protect accounts if they are phished. We also delivered security awareness training focused on business email compromise and worked with the organization to coordinate with law enforcement.
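As an added illustration of the mailbox-rule and forwarding review described above (example code, not the engagement's own tooling), the following Exchange Online PowerShell enumerates the mailbox-level persistence a BEC actor typically leaves behind and exports the findings before any remediation; it assumes the ExchangeOnlineManagement module, an Exchange admin role, and uses a placeholder output path.

```powershell
# Added example, not from the case study. Assumes ExchangeOnlineManagement is
# installed and the operator holds an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding configured outside of inbox rules
foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Finding = 'MailboxForwarding'
            Detail  = "To=$($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress) " +
                      "KeepCopy=$($mbx.DeliverToMailboxAndForward)"
        }
    }
}

# 2. Inbox rules that forward, redirect, delete or hide mail: the classic BEC pattern
#    used to keep the victim from seeing the attacker's correspondence.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
            $_.DeleteMessage -or
            ($_.MoveToFolder -match 'RSS|Archive|Conversation History|Junk')
        } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Finding = "InboxRule:$($_.Name) Enabled=$($_.Enabled)"
                Detail  = $_.Description
            }
        }
}

$findings | Format-Table -AutoSize

# Evidence first, remediation second: preserve the raw findings before any rule
# is removed or session revoked. Output path is a placeholder.
$findings | Export-Csv -Path '.\mailbox-persistence-triage.csv' -NoTypeInformation
```

The containment step the case study describes, revoking existing sessions, corresponds to the Microsoft Graph PowerShell cmdlet Revoke-MgUserSignInSession, which should only be run once the findings above have been exported.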

The Results

The organization fully removed the attacker’s access and confirmed that no additional fraudulent payments were initiated after containment. Time to contain was reduced dramatically from the original multi-week persistence to a controlled and documented closure, and no new compromised accounts were identified beyond the original finance mailbox.

Microsoft 365 was significantly hardened: MFA was enforced for all users, long-term logging was enabled, and ITDR controls were put in place to react quickly to suspicious sign‑ins and phishing activity. The organization gained clear evidence for law enforcement and any future insurance processes, including a documented timeline, attack vector, and actions taken.