
BEC

Business Email Compromise

A family of attacks that consists of compromising a professional mailbox — or impersonating one — to obtain fraudulent bank transfers, intercept commercial correspondence, or steal sensitive data. Among the most profitable attack vectors observed in 2026.

What a BEC attack is

BEC (Business Email Compromise) covers several attack scenarios that all rely on exploiting a professional mailbox. The most frequent ones observed in 2025-2026:

  • CEO fraud — impersonation of an executive to request an urgent transfer from the accounting team.
  • Fraudulent wire transfer order — interception and modification of a legitimate client-supplier correspondence to redirect payment to an attacker-controlled account.
  • Data theft via compromised mailbox — invisible reading of correspondence for weeks before any visible action.
  • Banker impersonation — fake mail in the name of a known banker contact, asking for validation of an operation.

How it happens

Three initial vectors dominate:

  1. AiTM phishing (Adversary-in-the-Middle), which steals a user's session cookie even when standard MFA is enabled.
  2. Compromise of a reused password, obtained from a third-party data leak.
  3. Social engineering — an assistant who clicks on a fake OneDrive or Microsoft 365 portal that is consistent with their work context.

How to protect against it

  • Phishing-resistant MFA (FIDO2 / WebAuthn) on all privileged accounts.
  • Strict Conditional Access (geolocation, device posture, user risk).
  • Monitoring of hidden mailbox rules and forwarding rules.
  • Out-of-band double-validation policy for any transfer above a defined threshold.
  • 24/7 SOC that qualifies authentication anomalies and suspicious mailbox rule creation.

BEC at Hexceos

See our anonymised client case study: forensic analysis of a BEC intrusion at a regional accounting firm.

Related terms

  • AiTM
  • MFA
  • SOC

Last updated: 19 May 2026