The Inbox Rule You're Not Checking
Almost every M365 BEC investigation I have worked follows a similar pattern: someone clicks a link, credentials get harvested, and the attacker spends the next several days quietly reading email. The entry point is obvious by the time it surfaces. What takes longer to find is the persistence mechanism the attacker left behind. Most of the time, that mechanism is a single inbox rule sitting in the compromised mailbox with a name that looks like a typo.
