Incident Response Timeline - Business Email Compromise

Adversary (Attacker)

Arctic Wolf's Platform

Arctic Wolf Triage Team

Arctic Wolf Customer

Arctic Wolf Concierge Security Team

Adversary (Attacker)

Arctic Wolf Platform

Arctic Wolf Triage Team

Arctic Wolf Customer

Arctic Wolf Concierge Security Team

Business Email Compromise

Incident Response Timeline TIME TO DETECT: 19 MINUTES

Join us for our latest real-world incident timeline launch as we walk you through an email account takeover on a customer in the manufacturing industry, how the Arctic Wolf team detected the attacker in only 19 minutes with the dedicated team of security experts investigating and alerting the customer in less than 10 minutes.

START HERE

SOURCE:

Adversary 12:57

Attack begins on [CUSTOMER] with attacker leveraging previously stolen [USER1] credentials acquired via phishing email. Attacker pushes a Duo multifactor authentication request to [User1].

Not aware of the consequences, [User1] accepts the Duo multifactor push from attacker.

The attacker uses the successful login to establish

ActiveSync with [User1]’s mailbox.

The impact of Email Account Takeover

Organiaations rely on email to conduct business, communicate, share information and set meetings on a daily basis. Email account compromise is an unsettlingly common method of attack for attackers and can have a huge impact on your business. 

Business e-mail compromise attacks have already cost U.S. businesses at least $1.6 billion in losses from 2013 to the present. According to the *Federal Bureau of Investigation, that number could easily be as high as $5.3 billion around the world. 

*FBI.gov

12:57

SOURCE:

DUO 12:57

The Arctic Wolf Platform logs MFA successful for [USER1] with

Duo as the source.

Account takeover incidents as a share of fraudulent activity in the financial services industry alone rose by 19 percentage points in 2020 compared with 2019, according to new figures from *Kaspersky. *usa.kaspersky.com

12:57

19 minutes since initial activity:

Attacker ACTIVE 13:16

Attacker opens existing calendar event for “Best Practises Training” and updates with their own information.

Attacker begins adding forward and delete rules to [User1] inbox. 

13:16

The FBI defines 5 major types of BEC scams:

CEO Fraud

Attackers position themselves as the CEO or executive of a company and typically email an individual within the finance department, requesting funds to be transferred to an account controlled by the attacker.

*FBI.gov

Account Compromise

An employee’s email account is hacked and is used to request payments to vendors.

*FBI.gov

False Invoice Scheme:

Attackers acts as if they are the supplier and request fund transfers to fraudulent accounts.

*FBI.gov

Attorney Impersonation:

 Attacker impersonates a lawyer or legal representative. Lower level employees are commonly targeted through these attacks.

*FBI.gov

Data Theft:

Attacks targeting HR employees in an attempt to obtain personal or sensitive information about individuals within the company such as CEOs and executives. This data can then be leveraged for future attacks such as CEO Fraud.

*FBI.gov

SOURCE:

Office 365 Logs 13:16

Platform escalates incident after seeing rules being added and deleted on [User1] account

13:16

Triage Team Takes action:

Investigation Begins 13:18

The

Arctic Wolf Triage Team begins investigation into [User1] activity

13:18

Active Attack:

Ongoing Investigation 13:22

Attacker uploads phishing PDFs to OneDrive with intent to distribute emails to calendar invite attendees.

Attacker's Motive

Once attackers gain legitimate access to their target’s email account, the amount of information they have access to can be dangerous: email, calendar, key meetings with suppliers or customers, corporate directories, and shared files.

Attacker's Access

Attackers maintain access by creating email forwarding rules or changing account permissions, so they can closely monitor the target to create convincing attacks that mimic the standard business.

13:22

Customer Alerted

Escalation Begins 13:25

The Arctic Wolf Triage Team investigates and alerts [customer] that [User1] has been compromised. 

Arctic Wolf recommends [Customer] disables the account and forces a reset of credentials.

13:25

In Less Than 30 Minutes:

Remediation 13:25

[Customer] confirms that [User1] has been compromised and disables the account.

Next, the security journey continues

13:25

Security journey

with our concierge security team

Concierge Security Team works with customer to check log data for any customer users accessing phishing PDF. CST confirms remediation took place before any users accessed the PDF. CST assists customer in remediating actions taken by the adversary.

With a complete understanding of your unique IT environment, the

With a complete understanding of your unique IT environment, the Arctic Wolf® Concierge Security® Team (CST) provides your team with coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.

Arctic Wolf Concierge Team (CST) provides your team with coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.

REAL-WORLD EXAMPLES:

Business Email Compromise (BEC) Attack Methods

In the example above, credentials were stolen via phishing email. Do you think you or your company’s employees could spot the various types of email compromise methods that have been used in different attacks?

Attackers often pose as someone the recipient should trust—typically a colleague, boss or vendor

Even tech-savvy employees at some of the biggest tech & social media giants aren’t safe from BEC attacks and losses.

Between 2013 – 2015, Both Facebook and Google fell victim to BEC scam carried out by an individual claiming to be a hardware supplier. Using fake invoices, lawyer letters and contracts, the scam resulted in a collective loss of over $121M.

BEC attackers often use their stolen credentials and access to impersonate high-level leaders in companies.

In 2014, an employee at Scoular received an email he believed was from his CEO informing him that they were set to acquire a Chinese organisation. The result? The employee transferred over $17M into a bank account set up by the scammers.

In 2016, Snapchat was hit by a BEC attack in which the attacker impersonated the CEO to obtain payroll information. While not posing as a wire transfer fraud threat, highly sensitive employee data was breached. As a result, Snapchat offered each affected employee two years of free credit monitoring and up to $1 million in reimbursement.

BEC attacks rise as criminals seek to cash in on COVID-19 crisis

COVID-19 and the resulting uncertainty provided attackers with an easy cover for attacks.

The FBI released a press release in April 2020 warning of the rise in BEC schemes related to the COVID-19 pandemic.

In one example stated by the FBI, a bank customer was emailed by someone claiming to be a client. The client requested that all invoice payments be changed to a different bank because regular accounts were inaccessible due to “Corona Virus audits.” The victim sent several wires to the new bank account for a significant loss before discovering the fraud.

Hackers Steal over $625,000 From Nonprofit and Get Away

In June 2021, San Francisco-based homelessness charity Treasure Island was infiltrated by hackers who broke into the email system of the nonprofit’s third-party bookkeeper, inserting themselves into existing email chains pretending to be people associated with the nonprofit.

The hackers manipulated a legitimate invoice for a loan to a partner and diverted over $625,000 into the cyber criminal’s account.

Since March, the volume of account takeover exposures has increased by 429 percent.

In the new normal of hybrid work environments account takeover risk is more serious than ever. Businesses should invest in account takeover risk solutions.

© 2025 Arctic Wolf Networks Inc. All Rights Reserved.
Privacy Notice	Terms of Use	Cookie Policy	Customer Portal Policy	Accessibility Statement	Sustainability Statement	Information Security	Cookies Settings

Platform

Concierge

Journey

Reduce Attack Frequency

Reduce Attack Severity

Transfer Risk

Get Started

Why Arctic Wolf

Expertise by Topic

Expertise by Industry

Resource Centre

Trending Resources

NIS2 aims to make the EU as a whole more resilient to cyber threats and strengthen cooperation between Member States on cybersecurity.

The 2024 Gartner® Market Guide for MDR Services provides a comprehensive overview of the evolving MDR landscape.

The Arctic Wolf Threat Report draws upon the first-hand experience of our security experts, augmented by research from our threat intelligence team.

Security Bulletins

Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035

Microsoft Patch Tuesday: April 2025

CVE-2025-22457: Ivanti Connect Secure VPN Vulnerable to Zero-Day RCE Exploitation

Company

Careers

Press

Adversary (Attacker)

Arctic Wolf's Platform

Arctic Wolf Triage Team

Arctic Wolf Customer

Arctic Wolf Concierge Security Team

Adversary (Attacker)

Arctic Wolf Platform

Arctic Wolf Triage Team

Arctic Wolf Customer

Arctic Wolf Concierge Security Team

Business Email Compromise

Incident Response Timeline TIME TO DETECT: 19 MINUTES

SOURCE:

Adversary 12:57

The impact of Email Account Takeover

Organiaations rely on email to conduct business, communicate, share information and set meetings on a daily basis. Email account compromise is an unsettlingly common method of attack for attackers and can have a huge impact on your business.

Business e-mail compromise attacks have already cost U.S. businesses at least $1.6 billion in losses from 2013 to the present. According to the *Federal Bureau of Investigation, that number could easily be as high as $5.3 billion around the world.

SOURCE:

DUO 12:57

19 minutes since initial activity:

Attacker ACTIVE 13:16

The FBI defines 5 major types of BEC scams:

SOURCE:

Office 365 Logs 13:16

Triage Team Takes action:

Investigation Begins 13:18

Active Attack:

Ongoing Investigation 13:22

Attacker's Motive

Attacker's Access

Customer Alerted

Escalation Begins 13:25

In Less Than 30 Minutes:

Remediation 13:25

Next, the security journey continues

Security journey

with our concierge security team

Concierge Security Team works with customer to check log data for any customer users accessing phishing PDF. CST confirms remediation took place before any users accessed the PDF. CST assists customer in remediating actions taken by the adversary.

REAL-WORLD EXAMPLES:

Business Email Compromise (BEC) Attack Methods

In the example above, credentials were stolen via phishing email. Do you think you or your company’s employees could spot the various types of email compromise methods that have been used in different attacks?

Attackers often pose as someone the recipient should trust—typically a colleague, boss or vendor

Even tech-savvy employees at some of the biggest tech & social media giants aren’t safe from BEC attacks and losses.

Between 2013 – 2015, Both Facebook and Google fell victim to BEC scam carried out by an individual claiming to be a hardware supplier. Using fake invoices, lawyer letters and contracts, the scam resulted in a collective loss of over $121M.

BEC attackers often use their stolen credentials and access to impersonate high-level leaders in companies.

In 2014, an employee at Scoular received an email he believed was from his CEO informing him that they were set to acquire a Chinese organisation. The result? The employee transferred over $17M into a bank account set up by the scammers.

BEC attacks rise as criminals seek to cash in on COVID-19 crisis

COVID-19 and the resulting uncertainty provided attackers with an easy cover for attacks.

The FBI released a press release in April 2020 warning of the rise in BEC schemes related to the COVID-19 pandemic.

Hackers Steal over $625,000 From Nonprofit and Get Away

In June 2021, San Francisco-based homelessness charity Treasure Island was infiltrated by hackers who broke into the email system of the nonprofit’s third-party bookkeeper, inserting themselves into existing email chains pretending to be people associated with the nonprofit.

The hackers manipulated a legitimate invoice for a loan to a partner and diverted over $625,000 into the cyber criminal’s account.

Since March, the volume of account takeover exposures has increased by 429 percent.

In the new normal of hybrid work environments account takeover risk is more serious than ever. Businesses should invest in account takeover risk solutions.

We can help.

Trending

Business Email Compromise & Account Takeover In the News

View the most recent news, updates, and videos from the cybersecurity experts at Arctic Wolf.

Organiaations rely on email to conduct business, communicate, share information and set meetings on a daily basis. Email account compromise is an unsettlingly common method of attack for attackers and can have a huge impact on your business. 

Business e-mail compromise attacks have already cost U.S. businesses at least $1.6 billion in losses from 2013 to the present. According to the *Federal Bureau of Investigation, that number could easily be as high as $5.3 billion around the world. 

Earl Grey House
77 Grey St. 3rd Floor
Newcastle upon Tyne
NE1 6EF
UK