The Email That Almost Got Away

A silent breach occurred, but Blackink IT caught it before anyone knew. That’s the power of proactive cybersecurity.

THE ISSUE

It’s getting more difficult to detect when something’s wrong.
Cyber threats are growing more sophisticated: quieter, better disguised, and harder to catch. One of the most damaging examples is Business Email Compromise (BEC), where attackers gain access to legitimate business email accounts and use them to manipulate ongoing conversations, steal information, and redirect funds. The most alarming part is that users typically have no idea their accounts have been compromised until it’s too late.
This case study highlights how Blackink IT’s proactive configurations, tools, and behind-the-scenes monitoring helped detect, stop, and remediate a BEC attack before it could escalate.

WHAT HAPPENED

Two users at a client organization received seemingly routine emails from a long-standing business partner. The messages included attachments and links that appeared legitimate and were consistent with the ongoing relationship between the two organizations. Unbeknownst to the users, however, the partner’s organization had itself suffered a BEC incident, and the messages were lures sent from its compromised accounts. After the users interacted with the email (opening a link or attachment), inbox rules were silently created on their accounts. These rules were configured to mark incoming email from the partner organization as read and move it to a hidden folder, effectively concealing all future communication from the partner.
This tactic is commonly used by threat actors to hide their access to compromised accounts. By redirecting or deleting security alerts and internal messages, attackers can operate undetected for extended periods. In this case, any follow-up email from the partner organization warning of its own BEC incident would have been moved out of sight before the users ever saw it. Here, however, Blackink IT’s monitoring tools detected the creation of these inbox rules and flagged the behavior as anomalous, because the rules had not been created through the users’ own normal sessions.
Alerting also revealed that a previously unseen VPN service was used to sign in to the affected accounts. This indicated that the users’ credentials had been harvested during the phishing attack and were now being used by someone else. By routing the login through a VPN, the threat actor masked the real origin of the connection, a common tactic used by foreign threat actors to make a login appear to come from an expected or allowed geographic region. Because Blackink IT’s tools were configured to alert on sign-ins from unfamiliar VPN or anonymizing services, we were able to respond, investigate, and limit further damage by swiftly cutting off the threat actor’s access to the compromised accounts.
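The two signals in this case, a newly created inbox rule that hides a correspondent's mail and a sign-in from an unfamiliar VPN address, are simple to score once they are correlated. The following Python is an added example written for this page, not Blackink IT's tooling or any vendor's detection rule. The event schema, the sample events, the IP addresses and the mailbox names are all constructed; real audit logs (for example Exchange Online's unified audit log) carry the same information under different field names. It also attaches the response steps the case study describes (revoke sessions, reset credentials, remove the rules) to the highest-severity alert.

```python
"""Toy detection logic for the two BEC signals in this case study:
(1) an inbox rule that hides mail from a correspondent, and
(2) a sign-in from an address the user has never used, classified as an
anonymizer/VPN. A hiding rule created from such a session is escalated,
because it was not the user tidying their own mailbox.

The event schema and sample data below are constructed for this example;
they are not any vendor's real audit-log format."""
from dataclasses import dataclass
from typing import Optional

# Folders attackers commonly park hidden mail in. Any move out of Inbox is
# still scored when combined with mark-as-read; these score on their own.
KNOWN_HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                        "archive", "junk email", "deleted items"}
# IP reputation categories that mask the true origin of a connection.
ANONYMOUS_IP_CATEGORIES = {"anonymizer", "vpn", "hosting"}


@dataclass
class Event:
    kind: str                    # "login" or "rule_created"
    user: str
    ip: str
    ip_category: str             # "corporate", "residential", "anonymizer", ...
    rule: Optional[dict] = None  # present for rule_created events


def rule_reasons(rule: dict, tenant_domain: str) -> list[str]:
    """Return why an inbox rule looks like it hides or exfiltrates mail."""
    reasons = []
    folder = (rule.get("move_to_folder") or "").lower()
    if rule.get("mark_as_read") and folder and folder != "inbox":
        reasons.append(f"marks mail from {rule.get('from_domain')} as read "
                       f"and moves it to '{folder}'")
    elif folder in KNOWN_HIDING_FOLDERS:
        reasons.append(f"moves mail to a folder users rarely open ('{folder}')")
    if rule.get("delete"):
        reasons.append("deletes matching mail")
    fwd = rule.get("forward_to")
    if fwd and not fwd.lower().endswith("@" + tenant_domain):
        reasons.append(f"auto-forwards to external address {fwd}")
    return reasons


def login_reasons(ev: Event, baseline: dict[str, set[str]]) -> list[str]:
    """Return why a sign-in does not match the user's observed history.
    A corporate VPN the user normally uses belongs in the baseline and is
    therefore not flagged; only a never-before-seen anonymizing address is."""
    reasons = []
    if ev.ip not in baseline.get(ev.user, set()):
        reasons.append(f"first sign-in seen from {ev.ip}")
        if ev.ip_category in ANONYMOUS_IP_CATEGORIES:
            reasons.append(f"address is classified as {ev.ip_category} (origin masked)")
    return reasons


# Containment steps from the case study, attached to critical alerts.
RESPONSE_PLAYBOOK = [
    "revoke all active sessions and refresh tokens for the account",
    "reset the user's credentials and re-verify MFA registration",
    "remove the malicious inbox rules and review sent/deleted items for attacker mail",
]


def triage(events: list[Event], baseline: dict[str, set[str]], tenant_domain: str) -> list[dict]:
    """Score events in order, correlating rule creation with the session that made it."""
    alerts = []
    anomalous_ips: dict[str, set[str]] = {}  # user -> IPs already flagged
    for ev in events:
        if ev.kind == "login":
            reasons = login_reasons(ev, baseline)
            if reasons:
                anomalous_ips.setdefault(ev.user, set()).add(ev.ip)
                sev = "high" if ev.ip_category in ANONYMOUS_IP_CATEGORIES else "medium"
                alerts.append({"user": ev.user, "severity": sev, "signal": "login",
                               "reasons": reasons})
        elif ev.kind == "rule_created":
            reasons = rule_reasons(ev.rule or {}, tenant_domain)
            if not reasons:
                continue
            sev = "medium"
            if ev.ip in anomalous_ips.get(ev.user, set()) or ev.ip_category in ANONYMOUS_IP_CATEGORIES:
                reasons.append("rule was created from an anomalous session, not the user's usual client")
                sev = "critical"
            alerts.append({"user": ev.user, "severity": sev, "signal": "inbox_rule",
                           "reasons": reasons,
                           "actions": RESPONSE_PLAYBOOK if sev == "critical" else []})
    return alerts


# Constructed sample: the user's office egress address is the only known IP.
BASELINE = {"user1@client.example": {"203.0.113.10"}}
SAMPLE_EVENTS = [
    Event("login", "user1@client.example", "203.0.113.10", "corporate"),
    # Phished credentials replayed through a VPN exit node, then a hiding rule.
    Event("login", "user1@client.example", "198.51.100.77", "anonymizer"),
    Event("rule_created", "user1@client.example", "198.51.100.77", "anonymizer",
          rule={"name": ".", "from_domain": "partner.example", "mark_as_read": True,
                "move_to_folder": "RSS Subscriptions", "delete": False, "forward_to": None}),
    # Benign: the user files newsletters from the office; no hiding behaviour.
    Event("rule_created", "user1@client.example", "203.0.113.10", "corporate",
          rule={"name": "Newsletters", "from_domain": "news.example", "mark_as_read": False,
                "move_to_folder": "Newsletters", "delete": False, "forward_to": None}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, BASELINE, "client.example"):
        print(alert["severity"].upper(), alert["signal"], alert["user"])
        for r in alert["reasons"]:
            print("  -", r)
        for a in alert.get("actions", []):
            print("  action:", a)
```

Run stand-alone, the sample produces a high-severity login alert for the VPN sign-in and a critical inbox-rule alert carrying the three response actions, while the user's own newsletter rule produces nothing. The practical caveat is the baseline: a VPN the organization legitimately uses must be recorded there, otherwise every remote worker trips the anonymizer check and the real signal is lost in the noise.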

THE RESULTS

Both users were unaware of the compromise. Without Blackink IT’s proactive detection and monitoring, the attack could have spread across the organization and reached external partners, since the compromised accounts could have been used to send the same phishing lure onward. Instead, we detected the creation of the inbox rules and the suspicious VPN sign-ins, immediately revoked all active sessions tied to the compromised accounts, reset the users’ credentials, and removed every malicious inbox rule.
With this proactive mindset and action, our client was protected from further compromise, trust and confidence within the organization were preserved, and sensitive communications stayed internal.
While BEC can be devastating to organizations, Blackink IT emphasizes the value of having the right managed service provider and security tools in place, not only to respond to threats, but to detect and prevent them before damage is done. This is what modern cybersecurity looks like: fast action, effective tools, and a team that’s always watching your back.
