Since we published our original Seven critical steps to avoid business email compromise article, some things have changed and other things have stayed exactly the same. Find out what security controls you really need to have in place to prevent and reduce the impact of BEC attacks in 2025.
Almost five years ago, we published a four-part series of articles on business email compromise (BEC). Since then, a lot of things have changed: the world has recovered from a global pandemic, we face increasing geopolitical tension, artificial intelligence has become an omnipresent buzzword, and horses can now write your out-of-office messages. But some things have remained the same: BECs still account for the vast majority of cyber incidents, and they are just as disruptive as ever. Part of the reason for that is that a lot of organizations still don’t do enough to protect themselves from common types of BEC attacks. So we thought it would be a good time to revisit our list of critical steps that can help to significantly reduce the risk of falling victim to a BEC attack, or reduce the impact in the event of an incident. These steps are based on our risk assessment process and best practice guidance for Microsoft 365, and consider recent changes in the threat landscape and our observations from the hundreds of investigations we carry out every year.
1. Activate multi-factor authentication (and consider passwordless)
Multi-factor authentication (MFA) remains the top recommendation to prevent account compromise. While MFA doesn’t provide absolute and unqualified protection from BEC attacks (we now often see threat actors phishing or bypassing MFA as well), it makes compromise significantly more challenging than simply guessing a password correctly. However, a 2024 survey of nearly 2,300 small and medium-sized businesses found that 65% were still not using MFA and had no plans to implement it in the near future, which is consistent with what we see during our investigations. While Microsoft has begun enforcing MFA for administrative accounts, you can be ahead of the game by enabling it for, ideally, every user in your organisation. If you can’t enable MFA immediately, work out whether it can at least be rolled out incrementally to certain groups, users, or applications – partial MFA is better than no MFA.
After multi-factor authentication, the next step in making user accounts resilient against phishing attacks is going passwordless. With this type of authentication, the password is removed from an account altogether and replaced with, for example, an operating-system-level authentication flow, a passkey saved to a user’s device, or a physical hardware token. The idea behind it is that instead of relying on the user (and potentially a threat actor!) knowing a secret such as a password, authentication is performed by proving physical ownership, which is much harder for a threat actor to get hold of as it cannot be obtained through classic phishing. The implementation of passwordless authentication varies in complexity depending on the chosen method, but as with MFA, if you cannot roll it out to all users at once, consider starting with the users that carry the highest risk to your business, such as administrators, executives and members of the finance and HR teams.
2. Deploy device-based identity controls
Similar to the concept of passwordless authentication, tying authentication to known devices registered with the respective user account means that logins require an additional proof of identity. Therefore, even when no MFA is in place for an account, a threat actor will be unable to log in with the account’s password from their own device. Whether your organisation issues devices to its users or has a “bring your own device” policy, the devices can be registered with Microsoft Intune, and authentication policies can then require a registered device to sign in. As a next step, administrators can also consider enforcing device compliance, for example by requiring a specific device type or operating system version, and blocking logins from devices that might be outdated and vulnerable themselves.
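As an added example (not from the article), the following Microsoft Graph PowerShell script expresses steps 1 and 2 as Conditional Access policies, created in report-only mode so that sign-in logs can be reviewed before enforcement. The policy names and the break-glass account id are placeholders; Conditional Access requires Entra ID P1 licensing and cannot coexist with security defaults (step 5), which must be turned off first.

```powershell
# Added example: Conditional Access policies for MFA (step 1) and device-based
# access (step 2) via the Microsoft.Graph PowerShell SDK. Assumes the module is
# installed and the signed-in admin can grant these scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object id of an emergency-access ("break-glass") account that is
# excluded so that a misconfigured policy cannot lock every administrator out.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# Shared scope: every user except break-glass, every cloud app.
$allUsersAllApps = @{
    users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
    applications = @{ includeApplications = @("All") }
}

$policies = @(
    @{  # Step 1: require MFA on every sign-in
        displayName   = "CA001 - Require MFA for all users"
        state         = "enabledForReportingButNotEnforced"   # set to "enabled" after reviewing report-only results
        conditions    = $allUsersAllApps
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # Step 2: require an Intune-compliant or Entra hybrid-joined device
        displayName   = "CA002 - Require compliant or hybrid-joined device"
        state         = "enabledForReportingButNotEnforced"
        conditions    = $allUsersAllApps
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
    }
)

foreach ($policy in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0} -> {1} [{2}]" -f $created.DisplayName, $created.Id, $created.State
}
```

The report-only results appear in the Entra sign-in logs under the policy name; only switch the state to "enabled" once no legitimate sign-ins would be blocked.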
3. Address the risk from third-party apps
Administrators can be surprised to find out that users have full rights to connect new third-party apps, and can provide full consent for the app to access their account and data. While this is convenient to the end user, delivering the capabilities of a wide range of services at the touch of a button, it also presents serious risks to security. As organisations implement strong authentication, threat actors with a valid username and password will no longer be able to log into accounts when they choose. But if a user grants access to a malicious third-party app linked to a phishing email, the threat actor can bypass any MFA tied to the account. Administrators should close down this avenue of attack by preventing users from consenting to new apps on behalf of their organisation. Minor configuration changes in Microsoft 365 enable users to request access to new apps through an approval process overseen by an administrator.
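An added example (not part of the article) of the configuration change just described, using Microsoft Graph PowerShell: user consent is switched off, the admin-reviewed request workflow is enabled, and existing user-granted permissions are listed for review. The reviewer group id is a placeholder, and the consent-request policy is written with Invoke-MgGraphRequest against the v1.0 adminConsentRequestPolicy endpoint.

```powershell
# Added example: restrict third-party app consent in Microsoft 365 with the
# Microsoft.Graph PowerShell SDK. Assumes the module is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "Directory.Read.All"

# 1. Users may no longer consent to any app on behalf of the organisation:
#    assign no permission-grant policies to the default user role.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}

# 2. Users can request access instead; members of a reviewer group approve or deny.
#    Placeholder: object id of the administrator group that triages requests.
$reviewerGroupId = "00000000-0000-0000-0000-000000000000"
$requestPolicy = @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30      # unanswered requests expire after 30 days
    reviewers             = @(
        @{ query = "/groups/$reviewerGroupId/transitiveMembers"; queryType = "MicrosoftGraph" }
    )
}
Invoke-MgGraphRequest -Method PUT -Uri "https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy" `
    -Body $requestPolicy

# 3. Blocking future consent does not revoke what was granted earlier: list the
#    delegated permissions individual users (ConsentType "Principal") already granted.
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq "Principal" } |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{ App = $sp.DisplayName; UserId = $_.PrincipalId; Scope = $_.Scope }
    } | Format-Table -AutoSize
```

Unknown apps in the final list, especially those with mail or file scopes, are the ones to remove with Remove-MgOauth2PermissionGrant after confirming with the user.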
4. Reduce the phishing and social engineering threat
No method of strong authentication or access policy can ever fully eradicate the threat, which means that common techniques such as phishing and social engineering will always have a chance of success, especially in a world where environments have increasingly shifted to hybrid and remote work. Attackers can make use of commercial phishing kits and generative AI to send technologically advanced and convincing phishing emails easily, and thus the amount of phishing has reportedly increased by 49% since 2021. Administrators should implement technical measures to detect and block phishing emails, and can start by using the built-in capabilities of Microsoft 365. But as the human factor remains critical for the success of most BEC attacks, organisations also need to implement controls focused on people and processes. Staff awareness can be improved through communications, live simulations and training (particularly in cyber security, social engineering techniques and common cyber fraud schemes), and integrated solutions exist that combine these aspects for ease of use.
5. Use the security capabilities of your subscription
Many organisations use third-party security platforms to enhance their security, perform phishing training or implement data-loss prevention controls. Smaller teams, however, might not have the resources to acquire and maintain them. Thankfully, Microsoft regularly updates and adds security features and solutions that are included directly with M365. For example, the security defaults feature is included in every Microsoft 365 tenant, yet we often observe that organisations have not enabled it. For more advanced security, administrators should also check whether their organisation makes use of all add-on security features available for their respective type of subscription, such as Conditional Access and Defender for Office 365. The Microsoft Secure Score, included in all available subscriptions, is also a great way to check for risks and obtain targeted recommended actions for improving the security posture of an environment.
6. Disable insecure or unused authentication methods
Certain legacy authentication protocols such as POP3, IMAP and SMTP are inherently insecure, having been designed at a time before modern cyber attacks had been dreamt of, and thus do not support modern security standards like MFA. Two years ago, Microsoft completed a multi-year process to automatically block all legacy protocols in Exchange Online environments, except for SMTP, which is still supported until late 2025. If you do not use applications that rely on SMTP, for example for sending automated emails from services, it can and should be disabled manually. If you do, you should consider switching those applications to a more modern way of sending messages as soon as possible.
As environments start to implement more secure methods of authentication, threat actors targeting Microsoft 365 accounts have started to use more unusual techniques in phishing attacks, such as abusing the device-code authentication flow. This mechanism is intended to facilitate logins on devices that do not have a keyboard, such as TVs or conference equipment. The device displays a code that the user enters on their phone and then authenticates there instead of directly on the target device. If this target device is under the control of a threat actor, however, they can gain access to an account without needing to capture the credentials or bypass MFA. If you don’t have accounts that legitimately need this authentication flow, it is best to block it to eliminate yet another potential compromise method.
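The following is an added example, not from the article, covering both parts of step 6: disabling SMTP AUTH tenant-wide in Exchange Online with a single per-mailbox exception for a service account, and a Conditional Access policy that blocks the device-code flow. The mailbox address, policy name and break-glass id are placeholders, the policy is created in report-only mode first, and the authenticationFlows condition is assumed to be accepted by the v1.0 endpoint of your SDK version.

```powershell
# Part 1 (ExchangeOnlineManagement module): legacy SMTP AUTH
Connect-ExchangeOnline

# Show the current tenant-wide setting, then disable SMTP AUTH for everyone
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Placeholder: one service mailbox (e.g. a scanner) that still needs SMTP AUTH.
# A per-mailbox value overrides the tenant-wide setting for that mailbox only.
Set-CASMailbox -Identity "scanner@example.com" -SmtpClientAuthenticationDisabled $false

# Review every mailbox that carries an explicit override allowing SMTP AUTH
# (mailboxes without an override report $null and inherit the tenant setting).
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# Part 2 (Microsoft.Graph module): block the device-code authentication flow
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"
$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder emergency-access account
$blockDeviceCode = @{
    displayName   = "CA003 - Block device code flow"
    state         = "enabledForReportingButNotEnforced"   # confirm no legitimate use in sign-in logs, then "enabled"
    conditions    = @{
        users               = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications        = @{ includeApplications = @("All") }
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }   # assumption: v1.0 schema in use
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockDeviceCode
```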
7. Activate audit logging
Audit logs are an important source of information, both when troubleshooting issues on your tenant and when actively responding to an incident. For Microsoft 365 environments, events are collected from all Microsoft services in the Unified Audit Log (UAL) and retained for 180 days or even a full year depending on the subscription level. This makes it a great one-stop shop for investigating activity in your tenant. The UAL is turned on by default for organisations nowadays; however, this has not always been the case, and especially older tenants might find themselves with this crucial log source disabled. In our investigations, we sometimes have to work with very limited data due to logging being disabled, limiting visibility into what a threat actor has done during the period of compromise. Administrators should verify whether audit logging is enabled in their environment and turn it on if it is not. There are no downsides or additional costs to having audit logging enabled, making it a simple yet effective step to better equip your organisation with crucial visibility into your environment.
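As an added example (not from the article), this Exchange Online PowerShell snippet performs the check described above, enables the Unified Audit Log if it is off, and then runs a sample search to show the kind of visibility the log provides. The operations searched for (app consent grants and inbox-rule changes) are chosen as illustrative high-signal events; the seven-day window is arbitrary.

```powershell
# Added example (ExchangeOnlineManagement module): verify/enable the Unified Audit Log
# and run a sample search over it.
Connect-ExchangeOnline

if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    # Enabling costs nothing; ingestion starts after a delay and earlier activity is not backfilled.
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified audit logging was disabled and has now been enabled."
} else {
    "Unified audit logging is already enabled."
}

# Sample search: the last 7 days of app consent grants and inbox-rule changes.
$end   = Get-Date
$start = $end.AddDays(-7)
$ops   = @("Consent to application.", "New-InboxRule", "Set-InboxRule")
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
    -ResultSize 5000 -SessionCommand ReturnLargeSet

$records | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json        # per-record detail is a JSON document
    # Exchange records carry ClientIP; Entra (AzureActiveDirectory) records carry ActorIpAddress
    $ip = if ($data.ClientIP) { $data.ClientIP } else { $data.ActorIpAddress }
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        SourceIP  = $ip
    }
} | Sort-Object Time | Format-Table -AutoSize
```

A single call returns at most 5000 records; for larger windows, page through the results by reusing the same -SessionId across repeated calls.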
Find out more
Asceris’ business email compromise investigations combine the hands-on experience of our incident response specialists with our custom-built technology, enabling our customers and their insurers to respond quickly and with confidence. Our services leverage extensive automation, advanced analytics, automatic risk scoring, best in class IP address geolocation, external data feeds and intuitive reports, enabling us to uncover evidence rapidly from a wide range of data sources.
If you are the target of an active business email compromise attack, please request emergency assistance immediately.
Asceris offers a proactive risk assessment for Microsoft 365 environments. We prepare a detailed report that covers a wide range of critical security features and controls, taking into account both environment-level risks and user-level risks. Our assessments are based on our experience of responding to hundreds of Microsoft 365 business email compromise incidents.
To find out more about any of our services, please contact us. To start a conversation or to report any errors or omissions, please feel free to contact the author directly.
About Asceris
Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.
Follow us on LinkedIn or subscribe to our RSS feed to make sure you don’t miss our next article.