When the CFO's email becomes a weapon against the company itself
Picture this scenario: a company's CFO receives an email at 4:47 PM on a Friday from the CEO requesting an urgent wire transfer of USD 127,000 to an international vendor. The email comes from the correct domain, the signature is identical, and the tone matches the sender. She executes the transfer. On Monday, the CEO has no idea what she's talking about. The money has already passed through three accounts across different jurisdictions and vanished.
This type of attack has a name: BEC, short for Business Email Compromise. According to the FBI's Internet Crime Complaint Center (IC3), the 2024 report shows that BEC fraud generated losses exceeding USD 2.9 billion in the United States alone in a single year, making it the cybercrime category with the highest cumulative financial impact. We are not talking about sophisticated viruses or cinematic-style breaches. We are talking about a criminal who understands how your company operates, quietly gains access to your email environment, and uses internal trust as an attack vector.
The figure that should keep any executive up at night is this: according to the Microsoft Digital Defense Report 2024, approximately 78% of successful BEC attacks analyzed by the company's threat intelligence team exploited default or neglected configurations in Microsoft 365 tenants — the platform that centralizes identity, email, documents, and collaboration for millions of organizations. The platform most likely powering your company's operations right now.
The problem is not the platform. It's what no one configured on it.
Microsoft 365 is, without question, one of the most robust productivity platforms on the market. Its ecosystem offers advanced layers of protection, artificial intelligence for threat detection, and sophisticated access control mechanisms. The problem is that most of these layers need to be activated, configured, and monitored. And in the majority of corporate tenants, that simply does not happen.
A tenant — the centralized environment an organization uses within Microsoft 365 — is created with default settings designed to facilitate adoption, not to withstand targeted attacks. Email forwarding rules can be created by any user without approval. Advanced anti-phishing policies exist but come disabled. Audit logs that would record suspicious activity are frequently configured with minimal retention periods. It's like installing a state-of-the-art alarm system in a corporate building and leaving every zone disarmed.
Attackers know this. A modern BEC attack rarely begins with a fake email coming from outside. It starts with the silent compromise of a real account within the tenant. The criminal obtains credentials through targeted phishing, purchases leaked credentials on underground markets, or — increasingly — steals session tokens. This last method is particularly dangerous because it bypasses MFA (multi-factor authentication), the layer many companies believe is sufficient to protect them. With a valid session token, the attacker accesses the environment as if they were the legitimate user, without needing to enter a password or verification code.
Once inside the tenant, the intruder creates hidden forwarding rules that silently copy emails to an external account. They study internal communications for days or weeks: who approves payments, who talks to whom, what tone the messages use. When they finally act, the fraudulent request is nearly indistinguishable from a legitimate communication. According to Gartner's 2024 Market Guide for Email Security, BEC attacks are particularly effective because they exploit interpersonal trust, not software vulnerabilities — which makes traditional email filters insufficient.
The average cost of a successful BEC incident is around USD 125,000, according to consolidated IC3 data. But the real impact goes far beyond the diverted funds. There are costs for forensic investigation, legal fees, notification to partners and clients, potential regulatory exposure, and — perhaps the hardest to recover from — reputational damage. A company that loses money to internal fraud projects weakness in its controls, something that affects negotiations, partnerships, and even valuation.
What makes this threat even more insidious is its scalability. With generative artificial intelligence tools, attackers can produce convincing emails in any language, mimic writing patterns, and even simulate prior conversation threads. The FBI reported a 37% increase in recorded BEC attempts between 2022 and 2024. This is not a passing trend. It is a growing criminal industry.
Practical paths forward: securing the tenant as a business decision
The first mindset shift required is understanding that tenant security is not an IT task. It is a decision to protect cash flow. Just as a company audits financial statements and reviews high-risk contracts, the environment that processes 100% of executive communications requires periodic review, continuous monitoring, and clear governance. The question is not "did our IT team set up email?". It is "who is watching the environment where we approve payments, negotiate contracts, and exchange strategic information?".
The second point is recognizing that effective protection requires coordinated layers, not isolated tools. Conditional access policies that evaluate context — device, location, login risk level — before granting access. Advanced anti-phishing protection that analyzes links and attachments in real time, in an isolated environment, before delivering them to the user. Data loss prevention policies that stop sensitive information from leaking via email. Continuous monitoring of forwarding rules, permission changes, and anomalous account behavior. Each layer alone is insufficient. Coordinated, they form a defensive ecosystem that multiplies the difficulty for the attacker.
The third path is partnering with a managed services provider that operates with security operations center (SOC) and network operations center (NOC) capabilities. Most mid-sized companies do not have — and do not need to have — an in-house security team with 24-hour coverage and expertise in identity threats. But they do need someone who does. An MSP with tenant security maturity monitors alerts, investigates anomalies, responds to incidents, and — most importantly — proactively reviews the configurations attackers exploit. It is enterprise-grade backup accessible as a service, with predictable costs and no surprises.
The fourth point, frequently overlooked, is simulation and training. Employees who recognize social engineering attempts are the last line of defense when technical layers fail. Phishing simulation programs with engagement metrics and continuous reinforcement reduce the rate of clicks on malicious emails by up to 72%, according to data referenced by Gartner.
5 questions every executive should ask about their Microsoft 365 tenant
1. Which default M365 tenant settings leave my company exposed to BEC attacks without anyone noticing? 2. Why is MFA alone no longer enough, and what is session token theft? 3. How does an MSP monitor forwarding rules, suspicious logins, and permission changes in the tenant in real time? 4. What is the real cost of a successful BEC attack on mid-sized companies, beyond the financial amount diverted? 5. Which protection layers need to be active in the tenant, and why do most companies not use them?
1. Which default M365 tenant settings leave my company exposed to BEC attacks without anyone noticing?
The tenant is born optimized for quick adoption, not maximum security. This means that, by default, any user can create automatic email forwarding rules to external addresses — something an attacker exploits immediately after compromising an account. Anti-phishing policies that use artificial intelligence to detect executive impersonation attempts exist within the platform, but must be manually activated and calibrated. Unified audit logs — essential for investigating incidents — are frequently set to a retention period of only 90 days, when they should cover at least one year.
Furthermore, many organizations do not restrict the registration of third-party applications within the tenant, allowing malicious apps to request read permissions for email and directory data. An attacker does not need the CEO's password if they can get a fraudulent app authorized to read their inbox. The question the executive should ask their IT team or partner is straightforward: "Show me the list of default configurations that were changed in our tenant over the past 12 months and explain why each one was modified." If there is no list, the tenant is most likely running on default settings. And default settings are the settings attackers know by heart.
2. Why is MFA alone no longer enough, and what is session token theft?
MFA was, for years, the number one security recommendation for any corporate environment. And it remains essential. But attackers have evolved. The technique known as session token theft — or session token hijacking — works as follows: the criminal creates a fake login page that perfectly replicates the authentication portal. When the user enters their credentials and completes the MFA challenge, the intermediary page captures the session token generated — that "digital stamp" that proves to the system the user has already authenticated. With that token in hand, the attacker accesses the environment as if they were the user, without needing to repeat the login process.
According to the Microsoft Digital Defense Report 2024, session token theft attacks grew significantly and represent one of the primary identity threats in cloud-based corporate environments. Defending against this vector requires conditional access policies that evaluate additional signals — such as device compliance, geographic location, real-time calculated risk level, and periodic session revalidation. Without these policies, MFA is a door with two locks but with the side window left open.
3. How does an MSP monitor forwarding rules, suspicious logins, and permission changes in the tenant in real time?
A managed services provider with mature security capabilities operates a SOC that ingests and correlates tenant events in real time. This includes the creation or modification of email forwarding rules, logins from unusual locations or unmanaged devices, changes to mailbox permissions (access delegation), registration of new applications in the directory, and changes to security groups or administrative roles.
Each of these events, in isolation, may be legitimate. The intelligence lies in the correlation. A login from a new location immediately followed by the creation of a hidden forwarding rule to an external address is a classic BEC pattern. The SOC detects this pattern, isolates the account within minutes, and initiates the investigation and remediation process before any financial damage occurs. For the executive, the relevant question is not about the technology itself, but about response time: "If an executive account is compromised at 2 AM on a Saturday, how many minutes will it take for someone to act?" If the answer is "Monday morning, when IT gets in," the level of exposure is critical.
4. What is the real cost of a successful BEC attack on mid-sized companies, beyond the financial amount diverted?
The average loss of USD 125,000 per incident reported by the IC3 is only the direct financial loss. The next layer of costs involves digital forensic investigation to understand the scope of the breach, determine what data was accessed, and ensure the attacker does not maintain persistent access. This investigation can cost between USD 30,000 and USD 100,000 depending on complexity. Then come legal costs: notifying business partners whose information may have been exposed, reviewing contractual confidentiality obligations, and — in regulated industries — reporting to regulatory authorities.
But the most underestimated cost is operational and reputational. The company that has suffered a BEC attack must revise financial approval processes, retrain teams, potentially replace compromised communication systems, and rebuild trust with clients and vendors who become aware of the incident. According to Gartner, organizations that suffer corporate email breaches experience, on average, sales cycles that are 23% longer in the 12 months following the incident, because prospects and clients begin questioning the maturity of internal controls. The right question is not "how much does it cost to protect ourselves?" but "how much does it cost not to be protected?"
5. Which protection layers need to be active in the tenant, and why do most companies not use them?
The essential layers include: advanced threat protection for email, which performs link and attachment analysis in an isolated environment (sandboxing) before delivery to the user; anti-phishing policies with executive and partner domain impersonation detection; risk-based conditional access, which evaluates each login attempt against multiple contextual signals; data loss prevention (DLP) that blocks unauthorized sharing of sensitive information; and unified auditing with extended retention to support investigations.
The reason most companies do not activate these layers is threefold. First, many of these features are only available in higher-tier licensing plans, and the investment decision is frequently evaluated as an "IT cost" rather than a "revenue protection cost." Second, configuring and fine-tuning these layers requires expertise that generalist IT teams rarely possess. Third, even activated layers lose effectiveness without continuous monitoring, since unanswered alerts are useless alerts. This is precisely where partnering with an MSP with SOC capabilities transforms the equation: the cost of activating, configuring, and monitoring all layers as a managed service is a fraction of the cost of a single BEC incident.
Securing the tenant where your company communicates, collaborates, and makes financial decisions is not a technical adjustment. It is operational hardening. If this article raised even one question about your current environment's configuration, now is the right time to seek answers. Zamak Technologies offers a Strategic IT Assessment — no commitment required — to evaluate your tenant's security posture and identify the gaps attackers exploit. Request yours here.