BEC Defense — outside the perimeter and inside your tenant

Business Email Compromise is the highest-loss cyber crime category tracked by the FBI. Defending against it requires both external email authentication hygiene (so attackers cannot impersonate your domain) and an internal tenant audit (so attackers who do get in cannot persist inside your tenant). LeakTrace covers both in one product.

FBI IC3 baseline: cumulative reported BEC losses, 2013 to today: $55,490,000,000
Source: FBI IC3 PSA I-061124-PSA (June 2024) · IC3 2023 Internet Crime Report
What we surface (6 outcomes)
  • Inbox rule persistence: detected
  • Auto-forwarding to attacker: detected
  • MFA bypass via long sessions: detected
  • Impossible travel sign-ins: detected
  • SIM-swap on executive accounts: detected
  • Tenant-wide email spoofing: blocked at DNS layer
BEC kill chain coverage (7 stages)
Stage | Attacker action | Our coverage
01 Reconnaissance | Identify the target's email tenant and authentication posture | External audit — SPF, DMARC, DKIM, MTA-STS audit on the public domain
02 Initial access | Phishing email lands in employee inbox impersonating a vendor or executive | External audit — DMARC enforcement check; spoofed mail rejected at the receiving mail server
03 Credential theft | User enters credentials on an adversary-in-the-middle proxy page | User education plus Mailbox Shadow Audit sign-in anomaly detection — detected post-event, not prevented
04 MFA bypass | Session cookie replayed; MFA never re-prompted | Mailbox Shadow Audit — Conditional Access policy review, session lifetime audit, token binding posture
05 Persistence | Inbox rule auto-deletes or hides replies from the real recipient | Mailbox Shadow Audit — Inbox rule audit across every mailbox in the tenant
06 Discovery | Attacker reads invoice and payment threads to learn vendor cadence | Mailbox Shadow Audit — Mailbox audit log review for anomalous reads and search activity
07 Exfiltration | Wire fraud or vendor invoice swap; redirected funds leave the building | Mailbox Shadow Audit — Forwarding rule and external recipient detection on every account
We cover 6 of 7 BEC kill chain stages directly. Stage 3 — adversary-in-the-middle cookie theft — is detected post-compromise via sign-in anomaly review; prevention requires phishing-resistant MFA on the customer side, which we audit for under auth_methods and conditional_access.
Why your existing security stack doesn't stop BEC (6 layers)

BEC happens after the perimeter. By the time the attacker is creating an inbox rule or wiring fraud, every prevention control you bought has already done its job and let them through. The FBI tracked over $55 billion in losses across tenants that were, by every standard measure, secure. Here's what each layer of your stack does — and what it misses.

Stack layer | What it does | What it misses
Multi-factor authentication (MFA) | Verifies a second factor at sign-in | AiTM session-cookie theft. The attacker steals the cookie after MFA passes — for the cookie's lifetime, the attacker is authenticated. FBI: 80%+ of BEC victims had MFA enabled.
Email security gateway | Filters inbound malicious email | The inbox rule the attacker created after getting in. The forwarding config silently routing invoices out. Anything inside the tenant.
Endpoint detection (EDR) | Detects malware on laptops and servers | The cloud tenant. EDR has no agent inside Microsoft 365 or Google Workspace. BEC happens entirely in the tenant.
SIEM / log aggregation | Aggregates logs for correlation | The specific BEC patterns: impossible travel, MFA fatigue, new inbox rule, recent device — all chained. Default rules don't catch the chain.
SOC 2 / ISO 27001 audit | Validates org-level controls | Per-user mailbox config. A SOC-2-clean tenant can have a CEO's inbox auto-forwarding to gmail.com right now.
Cyber insurance | Pays out after a covered loss | "Social engineering" exclusions are expanding. Major carriers tightened BEC coverage across 2024–2025 renewals. Many recent payouts have been reduced or denied.
Mailbox Shadow Audit assumes the attacker is already past the perimeter — and audits the tenant for what they would have done next. That's the gap your existing stack doesn't cover.

Sources: FBI IC3 PSA I-061124-PSA (2024), Microsoft Digital Defense Report 2023, Verizon DBIR 2024.

Per-check coverage with MITRE ATT&CK mapping (8 audits)
Audit | What we look for | MITRE ATT&CK
Inbox rule audit | Hidden auto-forward to attacker; rules that move mail to RSS Feeds, Conversation History, or Deleted Items | T1564.008
Forwarding config | Tenant-wide external forward enabled; SMTP forwarding to a non-business domain | T1114.003
MFA enrollment | No MFA registered, or SMS-only MFA, on executive and finance accounts | T1078.004
Auth methods | Phone numbers registered in non-business country codes; voice-call MFA on privileged accounts | T1098.001
Conditional Access | Legacy authentication not blocked; no geographic restriction; no risky sign-in policy | T1078.004
Sign-in logs | Impossible travel; MFA fatigue spray; sign-ins from Tor exit nodes or hosting ASNs | T1110.003
Devices | Stale registered devices; generic device names that suggest BYOD without enrollment | T1098.005
Session lifetime | Cookies long-lived past acceptable thresholds; Continuous Access Evaluation disabled | T1539
How it works (3 steps)
Step 01
External scan
Paste your domain. We score SPF, DMARC, DKIM, MTA-STS, TLS-RPT, BIMI, and DNSSEC, then synthesize a BEC Susceptibility Score.
Free · 30 seconds · no signup
Step 02
Connect tenant
After purchase, you grant a read-only OAuth connection to your Microsoft 365 or Google Workspace tenant. No write scopes, no mailbox content stored.
5 minutes · revocable any time
Step 03
Audit and report
Eight audits run automatically. You get severity-ranked findings, a written PDF report, and remediation calls included.
~10 min runtime
Sample finding: Inbox rule auto-forward
Mailbox Shadow Audit — Finding F-04 of 12
High severity

External auto-forward rule on a finance mailbox

Audit: Inbox rule audit · Affected account: ap@<tenant>.com · MITRE: T1564.008 · First observed: 14 days ago
Observation

An inbox rule on the accounts payable mailbox forwards every message containing the words invoice, wire, or routing to an external Gmail address, then moves the original message to the RSS Feeds folder. The rule is owner-set, was created outside the configured maintenance window, and is invisible from the user's main inbox view.

Rule definition (read-only export)

    # Get-InboxRule output, sanitized
    Identity       : ap@<tenant>.com\auto-archive-invoices
    Enabled        : True
    SubjectContains: [invoice, wire, routing]
    ForwardTo      : <external Gmail address>
    MoveToFolder   : RSS Feeds
    MarkAsRead     : True
    StopProcessing : True
Why this matters

This is the textbook persistence pattern that follows credential compromise on a finance role. The attacker silences vendor replies so the legitimate user never sees the conversation, and stages a wire-fraud or invoice-swap for the next vendor cycle. Average dwell time before discovery in cases we have triaged is between 9 and 22 days.

Recommended remediation

Disable the rule, force a credential and session reset on the affected account, audit the last 30 days of sent items and sign-in logs for the same mailbox, and apply a tenant-wide policy that blocks the creation of inbox rules with external forwards. We walk you through each step on the included remediation call.
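One way to encode the triage logic behind this finding, as an added example rather than the product's own audit code: the rule shape mirrors the sanitized export above, and the tenant domain, hidden-folder list and finance keywords are assumptions.

```python
# Added example: triage logic for the inbox-rule persistence pattern in Finding F-04.
# Rule fields mirror the sanitized Get-InboxRule export above; the dataclass, tenant
# domain, folder and keyword lists are constructed assumptions, not a Graph or product schema.
from dataclasses import dataclass, field
from typing import List, Optional

TENANT_DOMAINS = {"tenant.com"}  # constructed: the tenant's own accepted domains
# Folders users rarely open; mail moved here is effectively hidden from the inbox view.
HIDDEN_FOLDERS = {"rss feeds", "conversation history", "deleted items", "archive", "junk email"}
# Subject keywords that single out invoice and payment threads.
FINANCE_KEYWORDS = {"invoice", "wire", "routing", "payment", "remittance", "ach"}

@dataclass
class InboxRule:
    identity: str
    enabled: bool
    subject_contains: List[str] = field(default_factory=list)
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    delete_message: bool = False

def is_external(address: str) -> bool:
    """True when the recipient's domain is not one the tenant owns."""
    return address.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS

def audit_rule(rule: InboxRule) -> List[str]:
    """Return the indicator tags a rule trips; an empty list means nothing to report."""
    if not rule.enabled:
        return []
    tags = []
    if any(is_external(a) for a in rule.forward_to + rule.redirect_to):
        tags.append("external-forward")
    if rule.delete_message or (rule.move_to_folder or "").lower() in HIDDEN_FOLDERS:
        tags.append("hides-original")
    if any(k.lower() in FINANCE_KEYWORDS for k in rule.subject_contains):
        tags.append("finance-keywords")
    return tags

def severity(tags: List[str]) -> str:
    """Exfiltration plus concealment is the F-04 pattern; either alone still merits review."""
    if "external-forward" in tags and "hides-original" in tags:
        return "High"
    if "external-forward" in tags or "hides-original" in tags:
        return "Medium"
    return "Info" if tags else "None"

# Constructed sample mirroring the sanitized rule export in the finding.
SAMPLE = InboxRule("ap@tenant.com\\auto-archive-invoices", True, ["invoice", "wire", "routing"],
                   ["outside@gmail.com"], move_to_folder="RSS Feeds")
```

Running `audit_rule` over every mailbox's rules and sorting by `severity` reproduces the ranking the finding above uses: external forward plus a move to a hidden folder is High, either alone is Medium.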

Free

Run a BEC Score on your domain

$0 · 30 seconds, no signup

External email authentication audit only. You see the SPF, DMARC, DKIM, MTA-STS, TLS-RPT, BIMI, and DNSSEC posture, plus the synthesized BEC Susceptibility Score for your domain.

  • Public DNS-layer audit
  • BEC Susceptibility Score 0–100
  • Specific failed records called out
  • Remediation language you can paste to your IT
Run free scan
Paid

Mailbox Shadow Audit included

$697 one-time, with every paid audit

Everything in the free scan plus the read-only tenant audit: 8 internal checks across inbox rules, forwarding, MFA, devices, sign-in logs, conditional access, and session lifetime — with a written PDF report and remediation calls included.

  • Read-only OAuth to Microsoft 365 or Google Workspace
  • 8 internal audits, severity ranked
  • Written PDF report with MITRE mapping
  • Remediation calls included
See pricing
Methodology and privacy
Read-only scopes: The OAuth grant is scoped to read-only directory, audit log, mail rule, and sign-in metadata. No mailbox content is read or stored. No write scope is ever requested.
Tokens encrypted at rest: OAuth refresh tokens are encrypted at rest with a per-tenant key. The audit pipeline holds them only long enough to enumerate the eight checks, then sleeps until the next scheduled audit window.
You can revoke any time: You can revoke our access from your Microsoft 365 or Google Workspace admin console at any moment. Revocation invalidates our tokens immediately; the next audit cycle silently fails closed.

External email authentication checks follow the published standards: RFC 7208 Sender Policy Framework, RFC 7489 Domain-based Message Authentication, Reporting and Conformance, RFC 6376 DomainKeys Identified Mail, RFC 8461 SMTP MTA Strict Transport Security. Internal tenant audits use the published Microsoft Graph and Google Workspace Admin SDK endpoints only.
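As an added illustration of what the SPF and DMARC checks evaluate (this is not LeakTrace's code), the block below parses constructed record strings per RFC 7208 and RFC 7489 and assigns a susceptibility-style score; the weights, the 0-to-100 direction and the sample records are assumptions.

```python
# Added example (not LeakTrace code): grading published SPF (RFC 7208) and DMARC (RFC 7489)
# records. Inputs are constructed strings, no DNS lookups; the weights and the 0 (hardened)
# to 100 (spoofable) scale are an illustrative assumption, not the product's score formula.
from typing import Dict, List, Tuple

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into lower-cased tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(txt: str) -> str:
    """Qualifier on the 'all' mechanism: '-', '~', '?' or '+'; '' when no 'all' term exists."""
    for term in txt.split()[1:]:  # skip the 'v=spf1' version term
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"  # RFC 7208: default qualifier is '+'
    return ""

def grade(spf: str, dmarc: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); each reason names the record weakness that cost points."""
    score, reasons = 0, []
    def hit(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(why)
    if not spf.lower().startswith("v=spf1"):
        hit(30, "no SPF record: any host may send as the domain")
    else:
        q = spf_all_qualifier(spf)
        if q in ("+", "?", ""):
            hit(30, f"SPF 'all' qualifier '{q or 'missing'}' permits unknown senders")
        elif q == "~":
            hit(10, "SPF softfail (~all) leaves the verdict to the receiver")
    tags = parse_dmarc(dmarc) if dmarc.lower().startswith("v=dmarc1") else {}
    policy = tags.get("p", "").lower()
    if not tags:
        hit(50, "no DMARC record: SPF and DKIM results are never enforced")
    elif policy == "none":
        hit(40, "DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        hit(10, "DMARC p=quarantine sends spoofed mail to junk instead of rejecting it")
    if tags and int(tags.get("pct", "100")) < 100:
        hit(10, f"DMARC pct={tags['pct']} applies the policy to only part of the mail")
    return min(score, 100), reasons
# Constructed records: a weak posture beside the enforcing posture Stage 02 relies on.
WEAK = ("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none; pct=50")
HARD = ("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; rua=mailto:dmarc@tenant.example")
```

Only the hardened pair (`-all` with `p=reject`) scores 0; a `p=none` record with a partial `pct` leaves spoofed mail deliverable and shows up in the reasons list, which is the kind of output the free scan's "specific failed records" bullet refers to.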