Business Email Compromise is the highest-volume incident type Macksofy DFIR sees across Indian SaaS, BFSI and mid-market manufacturing. The same playbook applies whether the attacker is after an invoice-redirect (CFO-spoof), a payroll-redirect (HR-spoof), or vendor-payment fraud. This runbook covers the technical containment and the financial-recall workflow — both matter, the second is often what saves the money.

1. Confirm the compromise — not every suspect email is BEC

Sign-in log review — risky sign-ins, impossible-travel, non-corporate ASN
Look for unusual MFA acceptance patterns (typical BEC uses adversary-in-the-middle phishing kit)
Mailbox audit log for inbox-rule creation by the user themselves (suspicious)
OAuth grant history — legitimate user rarely grants new third-party apps in an hour
Unified Audit Log + Sign-In Log + MailItemsAccessed entry from the user's IP-range

2. Contain — order matters

Revoke all sessions for the affected mailbox (Revoke-AzureADUserAllRefreshToken / equivalent)
Disable mailbox sign-in (cloud + on-prem if hybrid)
Reset password + require MFA re-registration
Audit inbox rules — delete attacker-created auto-forward / auto-delete rules
Revoke OAuth tokens for the user's enterprise apps
Block attacker IPs / ASN at Conditional Access
Check for delegate / mailbox-permission additions on the user's mailbox

3. Inbox-rule hunt — the BEC fingerprint

Almost every BEC actor creates one or more inbox rules to hide their activity. Standard patterns to hunt across the entire tenant:

Rule: forward to external address (especially recently-registered domain)
Rule: move to RSS Feeds / Archive / Conversation History on keywords like 'invoice' / 'wire' / 'payment'
Rule: delete inbound from specific senders (typically finance counterparties)
Rule: mark as read + move to Deleted (silences victim's view)
Hunt PowerShell: `Get-Mailbox -ResultSize unlimited | Get-InboxRule | Where-Object {$_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage}`

4. Financial-recall workflow — speed matters

Time elapsed	Recall probability	Action
< 4 hours	High	Call beneficiary bank fraud desk immediately; file FIR + cybercrime complaint same day
4–24 hours	Moderate	Bank fraud desk + cybercrime.gov.in complaint + RBI ombudsman if applicable
1–7 days	Low	Same as above + civil-recovery counsel + cyber insurance carrier notification
> 7 days	Very low	Recovery unlikely; focus on root-cause + insurance

Indian-context recall channels.

For India-domestic wire fraud: cybercrime.gov.in (Indian Cyber Crime Coordination Centre — I4C). Mandate the bank put a hold under the BNS / IT Act provisions. For cross-border: SWIFT recall through your own bank with MT599 message. RBI's 'Pay Net' framework provides additional escalation for inter-bank disputes.

5. Forensics — what to preserve for prosecution + insurance

Full unified audit log export (90+ days retained) covering attacker activity window
Sign-in log export covering impacted user(s)
Mailbox audit log entries for the user(s)
Snapshot copies of attacker-created inbox rules before deletion
Email message export (.eml) of the wire-instruction email + the conversation thread
Header analysis showing originating IP / spoofed display name
Endpoint forensic image of the user's machine if endpoint compromise is suspected

6. Regulatory reporting

CERT-In — file within 6 hours for cyber incident classification (BEC qualifies)
DPDP §16 — if customer / counterparty PII exposed, notification obligations apply
RBI / SEBI sectoral — if BFSI / regulated-entity affected
Cyber insurance carrier — under the policy's notice clause (typically 24-72 hours)
Cybercrime.gov.in (I4C) — for fraud-recall workflow
FIR with local cyber police — required for many insurance claims

7. Post-incident hardening (a 90-day plan)

Enforce phishing-resistant MFA (FIDO2 / certificate / passkey) for finance + exec roles
Disable basic / legacy auth across the tenant
Implement out-of-band callback verification for wire-instruction changes > defined threshold
DMARC enforcement (p=quarantine → p=reject) to prevent inbound spoof
Inbox-rule alerting via M365 Defender + auto-quarantine on suspicious patterns
Quarterly phishing-simulation campaign with BEC-style pretexts (see Macksofy Phishing Sim service)

Engage Macksofy

Need this in production, not on paper?

Macksofy offers full-service engagements that map directly to this resource. Common starting points:

Or talk to a senior consultant — fixed-price proposal in 48 hours.