Anonymised at our discretion — real Evisent engagement, March 2026
Case study · Incident response · Microsoft 365 account compromise

607 phishing emails. 48 minutes.
Contained by 6 AM.

On 18 March 2026, an attacker quietly compromised a Microsoft 365 account at an Australian business referred to here as Marlow Industries Pty Ltd. They sat dormant for eight days. Then at 4:20 AM on 26 March, they sent 607 phishing emails to 560 recipients across Australian Government, major listed retailers, healthcare networks and the client's entire customer base — in 48 minutes flat. Evisent traced, contained and shut down the attack the same morning.

Security operations centre · BEC · 26 March 2026 · Contained
8 days · Attacker dwell time before execution
560 · Unique recipients, including government and corporate
6 AM · Incident contained, same morning
"Account credentials were stolen days before the attack. The breach itself took 48 minutes. The eight days in between were silent reconnaissance."
The setup

A senior staff member's password was stolen. Then nothing happened — for eight days.

Marlow Industries is an Australian B2B business with around 50 staff and a wide contact network spanning federal and state government, major retailers, manufacturers, and healthcare providers. The company ran Microsoft 365 Business Premium with SMS-based multi-factor authentication and an incumbent IT provider. No Conditional Access policies blocking foreign sign-ins were in place; no real-time alerting on suspicious authentication events existed.

On 18 March 2026 at 02:22 AM Australian Eastern Daylight Time, the Microsoft 365 password of a senior member of the Sales team was used to sign in from an IP address in Nebraska, United States. The sign-in succeeded on the second attempt. No alert was triggered. The attacker read four emails and their attachments to harvest context — then went silent.

The engagement at a glance

Engagement type: Incident response (account compromise + BEC phishing)

Discovered: 26 March 2026, ~5:00 AM AEDT

Contained by: 5:56 AM AEDT (same morning)

Forensics window: 8 days reconstructed from Microsoft 365 Unified Audit Logs and Sign-In Logs

Status: Contained · 555 recipients notified · no payments fraudulently induced (RG confirmed)

The timeline · reconstructed from M365 Unified Audit Logs

Eight days of silence. 48 minutes of damage. 90 minutes to containment.

The exact sequence below was reconstructed by Evisent from Microsoft 365 audit data after the incident was detected. Times are AEDT. Geographic indicators show the sign-in IP origin for each event.

Phase 1 · Normal account activity — pre-breach baseline
16–17 Mar 2026
Account used normally by the staff member. Sign-ins from a single Australian IP address consistent with their typical work location.
Source IP: 115.64.72.106 (AU)

Phase 2 · Initial breach — credential theft + reconnaissance
18 Mar · 02:22:11 AM
Failed login from a US IP address. Attacker testing the stolen credentials.
Source IP: 162.220.234.41 (US, Nebraska)
18 Mar · 02:22:13 AM
Successful login — account compromised. Two-second gap between fail and success. SMS-based MFA did not stop the breach.
Source IP: 162.220.234.41 (US)
18 Mar · 02:39 AM
Attacker accesses mailbox via web browser (Chrome) and reads four mailbox items. Harvesting context on customers, suppliers, and billing patterns.
Source IP: 204.10.160.231 (US)

Phase 3 · Eight days of silence — token retention
18–25 Mar 2026
Account is used normally by the legitimate staff member; the attacker is dormant but retains session token access. No automated alerts trigger. Nobody knows the account has been compromised.
Source IP: 203.45.37.126 (AU)

Phase 4 · Attack execution — BEC phishing campaign
26 Mar · 03:10 AM
Attacker re-enters and reads dozens of emails and attachments over roughly an hour. Final reconnaissance before execution.
Source IP: 204.10.160.231 (US)
26 Mar · 04:17:38 AM
Hidden inbox rule created — named "." (single dot). Condition: subject contains "Approved". Actions: Mark as Read, Move to Folder. Designed to silently intercept all victim replies.
Source IP: 204.10.160.231 (US)
26 Mar · 04:20–05:08 AM
607 phishing emails sent to 560 unique recipients in 48 minutes. Seven rotating US IP addresses used to evade spam detection. Subject line: "Approved Statement Summary || [Company]-KINDLY REVIEW". Fraudulent PDF attached.
Source IPs: seven rotating US addresses (US)
26 Mar · after each send
Each sent copy deleted from the mailbox immediately. Evidence destruction. Seven deletions captured in audit log.
Source IP: 204.10.160.231 (US)

Phase 5 · Detection & containment — same morning
26 Mar · 04:56 AM
First recipient flags suspicious email back to Marlow. Email subject internally: "Potential Hacking". Initial detection.
Source IP: 203.45.37.126 (AU)
26 Mar · 05:42 AM
Internal Marlow staff notified — "Mailbox compromised" alerts sent. Evisent engaged.
Source IP: 203.45.37.126 (AU)
26 Mar · 05:56 AM
Hidden inbox rule disabled. Active sessions revoked. Password reset. Temporary access pass revoked. Containment achieved within 90 minutes of first signal.
Source IP: 121.200.5.105 (AU)
Anatomy of the attack

Three specific techniques worth understanding.

The attack pattern is well-documented in incident response literature and continues to succeed against Australian SMBs. Three details from this specific incident illustrate why.

Technique 1

The hidden inbox rule

The attacker created an Outlook rule named "." — a single dot, designed to be visually invisible in the rule list. Its purpose: silently move any reply containing the word "Approved" out of the inbox so the legitimate account holder would never see victims pushing back. This is a signature BEC technique. Audit logs captured it; no real-time alert flagged it.

Technique 2

Rotating sender IPs

The 607 phishing emails were sent from seven rotating US IP addresses — not one. This evades reputation-based spam filtering. No single sending IP accumulated enough volume to trigger rate-limiting. Microsoft's outbound spam protections were not configured to bulk-block this activity.

Technique 3

Send-and-delete

After each phishing email was sent, the attacker immediately deleted the sent copy from the mailbox. Seven deletions recorded in audit logs. Purpose: when the staff member next logged in, no sent-items evidence would be visible. The attacker bought silent hours before discovery.
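The rotating-IP and send-and-delete patterns from Techniques 2 and 3 can both be pulled out of mailbox audit data after the fact. This is an added example written for this case study, not Evisent's tooling or anything from the report; the records below are constructed, and the sender, IPs, timestamps and thresholds are assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed mailbox-audit records (AuditData JSON) for one sender; not incident data.
# Operation names follow the Exchange mailbox audit schema; IPs and times are made up.
def _rec(ts, op, ip, folder=None):
    data = {"CreationTime": ts, "Operation": op, "UserId": "sales.user@example.invalid", "ClientIP": ip}
    if folder:
        data["Folder"] = {"Path": folder}
    return json.dumps(data)

SAMPLE_AUDITDATA = [
    _rec("2026-03-25T17:20:05", "Send", "198.51.100.11"),
    _rec("2026-03-25T17:20:09", "SoftDelete", "198.51.100.11", "\\Sent Items"),
    _rec("2026-03-25T17:21:30", "Send", "198.51.100.12"),
    _rec("2026-03-25T17:21:33", "SoftDelete", "198.51.100.12", "\\Sent Items"),
    _rec("2026-03-25T17:24:00", "Send", "198.51.100.13"),
    _rec("2026-03-26T01:00:00", "Send", "203.0.113.20"),   # ordinary send, left in Sent Items
]

def _ts(rec):
    return datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")

def detect_send_and_delete(rows, window=timedelta(minutes=60), delete_gap=timedelta(seconds=120),
                           min_sends=3, min_ips=2):
    """Flag sends followed by deletion from Sent Items, and bursts of sends from several IPs."""
    recs = sorted((json.loads(r) for r in rows), key=_ts)
    sends = [r for r in recs if r["Operation"] in ("Send", "SendAs", "SendOnBehalf")]
    deletes = [r for r in recs if r["Operation"] in ("SoftDelete", "HardDelete", "MoveToDeletedItems")
               and r.get("Folder", {}).get("Path", "").endswith("Sent Items")]
    findings = []
    for s in sends:                      # pair each send with the first deletion shortly after it
        for d in deletes:
            gap = _ts(d) - _ts(s)
            if timedelta(0) <= gap <= delete_gap:
                findings.append(("send-then-delete", s["CreationTime"], s["ClientIP"]))
                break
    for i, s in enumerate(sends):        # sliding window over sends: volume plus distinct client IPs
        burst = [x for x in sends[i:] if _ts(x) - _ts(s) <= window]
        ips = Counter(x["ClientIP"] for x in burst)
        if len(burst) >= min_sends and len(ips) >= min_ips:
            findings.append(("bulk-send-rotating-ips", s["CreationTime"], "%d sends from %d IPs" % (len(burst), len(ips))))
            break                        # report the first qualifying window only
    return findings
```

With the thresholds above the three constructed sends from three IPs inside an hour trigger the burst rule, and the two deletions seconds after a send trigger the evidence-removal rule; on a real tenant the window and minimum counts should be tuned to the mailbox's normal sending volume.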

The blast radius

Who received the phishing email.

The phishing email reached Marlow's entire external contact network plus its internal staff. Marlow's customer base spans Australian Government, listed corporate retailers and manufacturers, and the healthcare sector — every one of those organisations received a fraudulent payment request that appeared to come from a known business contact.

607 · Total emails sent
555 successfully delivered (91.4%). 37 quarantined by recipient security (6.1%). 13 failed delivery (2.1%).

560 · Unique recipients
47 internal Marlow staff (Accounts, Sales, Operations, Reception, management, shared mailboxes) plus 513 external customers, suppliers and contacts.

5 · Government sectors reached
Federal departments (including foreign affairs and defence portfolios), state government bodies (transport, policing, parliamentary), plus federal and state contracting agencies.

15+ · Major listed corporates
ASX-listed retailers, FMCG manufacturers, beverage producers, infrastructure groups, casino operators, and global facilities services firms. Household-name organisations across multiple sectors.

7 · Tertiary healthcare networks
Major Victorian and NSW hospital networks, a national cancer treatment centre, a forensic mental health organisation, plus several allied health providers.

555 · Notified by Marlow + Evisent
Every successfully-delivered recipient was contacted directly within 24 hours with an explicit "do not pay" notice and incident details — RG-confirmed.

Named recipient organisations are anonymised by category to protect Marlow's client identity. The full anonymised report is available on request.

Why it happened

Five security gaps that turned a stolen password into an enterprise-wide incident.

A stolen password is bad. A stolen password without compensating controls is catastrophic. Five specific gaps in Marlow's Microsoft 365 environment turned one credential leak into the eight-day, 560-recipient incident above.

Account credentials were stolen — and there were no compensating controls

Critical · Identity

The most likely vectors for the original credential theft are phishing (fake login page), credential stuffing (a password reused from a prior breach), or password spray. None of these is exotic. All can be detected and blocked with the right controls in place.

SMS-based MFA — the weakest acceptable form

Critical · MFA

The compromised account had MFA enabled — but it was SMS-based. SMS MFA is vulnerable to SIM swapping, SS7 protocol interception, and Adversary-in-the-Middle (AiTM) phishing proxies that relay OTP codes in real time. Microsoft Authenticator with number-matching, or FIDO2 hardware keys, would have stopped the attack at the sign-in.

Number matching defeats AiTM relay attacks because it requires the user to confirm a number shown on the login page — a value the attacker cannot know. FIDO2 hardware keys are cryptographically bound to the legitimate login domain, making them immune to phishing and AiTM entirely.

No Conditional Access blocking foreign sign-ins

Critical · Access

Marlow has no legitimate business operations in the United States. A Conditional Access policy blocking sign-ins from outside Australia — or requiring a compliant device — would have stopped the 02:22 AM Nebraska sign-in cold. The policy is included in Business Premium; it had not been configured.

Attacker maintained access for 8 days undetected

Critical · Monitoring

The 18 March sign-in from a Nebraska IP would have been assessed by Microsoft Entra ID Identity Protection as "unfamiliar sign-in properties" and potentially "impossible travel" given the account's typical Australian pattern — generating an alert and requiring step-up authentication or automatic block. Identity Protection was not enabled. No alert was sent. No-one knew.
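The 18 March fail-then-success sign-in from an unfamiliar US address, and the foreign-country pattern this gap describes, are visible in a plain triage of exported sign-in logs even without Identity Protection. This is an added example, not Evisent's or Microsoft's code; the sign-in records, UPN, IPs and thresholds are constructed, and the country-change check is a crude stand-in for Identity Protection's impossible-travel detection rather than a reimplementation of it.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in records (not from the incident). Fields are a flattened
# subset of the Entra ID sign-in log export; errorCode 0 = success, 50126 = bad password.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-16T23:05:10Z", "userPrincipalName": "sales.user@example.invalid",
     "ipAddress": "203.0.113.20", "country": "AU", "errorCode": 0},
    {"createdDateTime": "2026-03-17T15:22:11Z", "userPrincipalName": "sales.user@example.invalid",
     "ipAddress": "198.51.100.41", "country": "US", "errorCode": 50126},
    {"createdDateTime": "2026-03-17T15:22:13Z", "userPrincipalName": "sales.user@example.invalid",
     "ipAddress": "198.51.100.41", "country": "US", "errorCode": 0},
    {"createdDateTime": "2026-03-17T22:40:00Z", "userPrincipalName": "sales.user@example.invalid",
     "ipAddress": "203.0.113.20", "country": "AU", "errorCode": 0},
]
ALLOWED_COUNTRIES = {"AU"}                    # assumed: where the business actually operates
FAIL_SUCCESS_WINDOW = timedelta(seconds=30)   # credential testing: a failure then a quick success
TRAVEL_WINDOW = timedelta(hours=8)            # crude impossible-travel proxy: country change

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def triage_signins(records):
    """Return (user, time, reason) findings for the three sign-in patterns seen in this incident."""
    findings, by_user = [], {}
    for rec in sorted(records, key=_ts):
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    for user, recs in by_user.items():
        seen_ips, last_ok, last_fail = set(), None, None   # per-user baseline built as we go
        for rec in recs:
            ok, when, ip = rec["errorCode"] == 0, _ts(rec), rec["ipAddress"]
            if ok and rec["country"] not in ALLOWED_COUNTRIES:
                findings.append((user, when, "success from non-allowed country %s" % rec["country"]))
            if (ok and last_fail and last_fail["ipAddress"] == ip and ip not in seen_ips
                    and when - _ts(last_fail) <= FAIL_SUCCESS_WINDOW):
                gap = (when - _ts(last_fail)).total_seconds()
                findings.append((user, when, "fail then success %.0fs apart from unseen IP %s" % (gap, ip)))
            if ok and last_ok and last_ok["country"] != rec["country"] and when - _ts(last_ok) <= TRAVEL_WINDOW:
                findings.append((user, when, "country changed %s->%s within %s"
                                 % (last_ok["country"], rec["country"], TRAVEL_WINDOW)))
            if ok:
                seen_ips.add(ip)
                last_ok = rec
            else:
                last_fail = rec
    return findings
```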

Mailbox audit gaps + no real-time inbox-rule alerting

Medium · Telemetry

The hidden inbox rule named "." was captured in audit logs. Microsoft recorded the event correctly. But there was no alerting policy configured to notify anyone in real time. A SOC-grade alerting policy on UpdateInboxRules events would have flagged the rule creation at 04:17 AM and could have triggered intervention before the 4:20 AM send window opened.
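A detector for the hidden inbox rule described under Technique 1 and in this gap, run over Unified Audit Log AuditData records. This is an added example, not part of the report or of Evisent's alerting; the records are constructed, and the parameter names follow the Parameters list of New-InboxRule / Set-InboxRule events, which is assumed here to be the export shape (UpdateInboxRules events from desktop Outlook carry the same information in a different layout and would need their own parser).

```python
import json

# Constructed sample Unified Audit Log records (the AuditData JSON column). Not incident
# data; the Parameters list mirrors the shape of New-InboxRule / Set-InboxRule events.
SAMPLE_AUDITDATA = [
    json.dumps({"CreationTime": "2026-03-25T17:17:38", "Operation": "New-InboxRule",
                "UserId": "sales.user@example.invalid", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "Approved"},
                               {"Name": "MarkAsRead", "Value": "True"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]}),
    json.dumps({"CreationTime": "2026-03-25T09:02:00", "Operation": "New-InboxRule",
                "UserId": "ops.user@example.invalid", "ClientIP": "203.0.113.9",
                "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                               {"Name": "From", "Value": "news@vendor.invalid"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
HIDE_ACTIONS = {"MarkAsRead", "MoveToFolder", "DeleteMessage"}
BEC_WORDS = ("approved", "invoice", "payment", "remittance", "statement")

def score_rule(record):
    """Return the reasons a rule-change record looks like BEC reply interception (empty = benign)."""
    if record.get("Operation") not in RULE_OPS:
        return []
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    reasons = []
    name = params.get("Name", "")
    if not name.strip(" .,-_"):          # "." or blank: effectively invisible in the Outlook rule list
        reasons.append("unreadable rule name %r" % name)
    subject = (params.get("SubjectContainsWords") or params.get("SubjectOrBodyContainsWords") or "").lower()
    if any(word in subject for word in BEC_WORDS):
        reasons.append("subject filter on payment keyword %r" % subject)
    active = {k for k, v in params.items() if v not in ("", "False")}
    hides = HIDE_ACTIONS & active
    if "MarkAsRead" in hides and hides & {"MoveToFolder", "DeleteMessage"}:
        reasons.append("mark-as-read combined with move/delete hides replies")
    return reasons

def find_suspicious_rules(auditdata_rows):
    """Parse each AuditData JSON string and keep the rule changes that score at least one reason."""
    hits = []
    for row in auditdata_rows:
        rec = json.loads(row)
        reasons = score_rule(rec)
        if reasons:
            hits.append({"time": rec["CreationTime"], "user": rec["UserId"],
                         "ip": rec.get("ClientIP"), "reasons": reasons})
    return hits
```

Run against the constructed records, the "." rule scores on all three signals and the newsletter rule on none; in production the same scoring would sit behind a scheduled audit-log pull so the alert fires within minutes of rule creation rather than days later.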

What it could have been

The fraud succeeded in delivery. It didn't succeed in payment — but it nearly did.

555 phishing emails landed in inboxes including major retailers, government departments, and hospital network finance teams. Each contained a PDF that read like a routine remittance request from a known business contact. Some of those recipients have automated invoice-payment workflows. Some have accounts payable teams processing thousands of supplier invoices per month under time pressure.

The reason no payment was fraudulently induced — confirmed by the client through recipient outreach — is that one alert recipient noticed the email looked slightly off and emailed Marlow at 04:56 AM. Within 90 minutes, Evisent had traced the attack, disabled the hidden rule, revoked all sessions, and Marlow had notified every recipient.

Had detection lagged by even four hours — well within normal helpdesk response time for an SMB on a Wednesday morning — multiple invoice-fraud attempts would have succeeded. The financial loss potential for this scale of BEC, in industry benchmarks, runs from low five figures (single payment) to mid-six figures (multiple invoices in a single fraud window).

How it was contained

The 90-minute response sequence.

Once the first signal arrived at 04:56 AM, Evisent executed the standard BEC incident response playbook. Every action below was completed and confirmed in writing to the client within the same morning.

1. Active sessions revoked

Done · Critical

All active sign-in sessions for the compromised account terminated immediately, forcing the attacker out of any open tokens.

2. Password reset to a strong, unique value

Done · Critical

New password issued through a verified channel directly to the staff member. Temporary Access Pass on the account revoked.

3. Hidden inbox rule disabled and confirmed removed

Done · Critical

The "." rule was disabled at 05:56 AM, then confirmed fully removed in a second pass. Any further attacker replies would now land in the legitimate inbox.

4. All 560 recipients notified within 24 hours

Done · Critical

Direct outreach to every successfully-delivered recipient with an explicit "this email was not from us, do not pay, do not open the attachment" notice. RG-confirmed.

5. Forensic evidence preserved + audit reconstruction

Done · High

Litigation hold placed on the mailbox. Full Unified Audit Log export captured. The complete attack reconstruction (the timeline above) was assembled from this data, in a format suitable for insurance, AFP referral, and any subsequent legal process.

What changed after this incident

Marlow moved to Evisent managed services. Sixteen controls now deployed.

Marlow's leadership concluded — correctly — that incident response alone wasn't the answer. The same security gaps that allowed this attack would allow the next one. Under an Evisent managed services arrangement, sixteen specific security controls aligned to the Australian Signals Directorate Essential Eight (Maturity Level 1) are now deployed, monitored and maintained as an ongoing service — not a one-off project.

Identity

Microsoft Authenticator with number matching for all users. FIDO2 hardware keys for privileged roles. Conditional Access blocking foreign sign-ins and requiring compliant devices. Entra ID Identity Protection with User Risk and Sign-in Risk policies active. Privileged Identity Management — no permanent admin assignments.

Email

Microsoft Defender for Office 365 Plan 1 with Safe Links, Safe Attachments, ZAP. DMARC at p=reject with monthly aggregate report monitoring. Anti-phishing impersonation protection for the MD, CFO and Accounts Manager. Real-time alerting on inbox-rule creation and bulk-send events.

Endpoint

ThreatLocker application allowlisting + ringfencing across all endpoints. Action1 automated patching with monthly compliance reporting. Intune ASR rules blocking Office macro abuse. Huntress EDR with 24/7 human-backed SOC. Microsoft Defender for Endpoint integrated with Conditional Access.

Mobile + People

Microsoft Intune MDM + MAM for all devices accessing M365. Phished.io automated security training with behavioural risk scoring. Quarterly Security Review covering Secure Score, patch compliance, MFA adoption, risky users.

The full sixteen-control framework is delivered as the standard envelope of Evisent's Managed Cybersecurity service and is included in Managed IT engagements from $185/user/month (10-user minimum, from 1 July 2026).

What this means for businesses like Marlow

BEC is the leading cyber fraud vector for Australian SMBs. The defences are straightforward.

Business Email Compromise is now the single most common cyber fraud category targeting Australian SMBs. The defensive playbook isn't exotic — it's a small number of well-understood Microsoft 365 controls operated consistently. The hard part is consistency, not capability.

If you're worried about your posture

Start with the AI Readiness Sprint — same engagement shape as a Microsoft 365 audit, covers identity, MFA, Conditional Access, monitoring posture, and any shadow-AI adoption sitting alongside it.

See the Sprint →

If you want ongoing protection

The sixteen-control framework Marlow now runs is the standard envelope of Evisent's Managed Security service, included in our Managed IT engagement.

See Managed Cybersecurity →

If you're in an active incident

Call us directly. Evisent runs an incident response playbook with a 2-hour critical response SLA. Evidence collection, recipient notification, and containment in one coordinated motion.

Call 1300 384 736 →

The full anonymised report

The complete 20-page anonymised incident report — same level of redaction as this case study — is available on request. Useful if you want to see what a real BEC incident response report looks like end to end, with the full technical timeline, evidence inventory, and remediation roadmap.

Email info@evisent.com.au with "sample BEC report" in the subject line — we respond same business day.

Two ways to make sure this isn't you

Take the quiz to assess your posture. Or call us if it's already happened.

The AI Readiness Quiz takes three minutes and assesses your Microsoft 365 posture across identity, monitoring and governance. Or pick up the phone — direct line to a senior engineer, including for active incidents.