A phishing alert at Medical Teams International escalated into a business email compromise investigation after suspicious mailbox rules and unusual sign-in activity were discovered. eGroup Enabling Technologies helped contain the threat before financial fraud occurred.

Executive Context
What initially appeared to be a routine phishing event was reclassified as a business email compromise after deeper analysis revealed persistent access and targeted monitoring of financial communications. Accounts tied to finance operations and executive leadership were accessed in ways that suggested deliberate positioning for financial fraud. While no fraudulent transactions had occurred, the risk was immediate.
Monitoring surfaced the first signals, but alignment between Medical Teams International and eGroup changed the outcome. Once activity no longer matched expected user behavior, both teams moved quickly into a shared investigation rather than treating the event as a standard cleanup.
Why This Incident Mattered
- No financial loss occurred due to early intervention
- Targeted finance and executive-linked accounts
- Persistent mailbox access was identified
- Attacker behavior suggested preparation for fraud
What Triggered Deeper Investigation
The initial alert originated from Microsoft Defender for Office 365 and reflected credential exposure from a phishing email. On its own, this was not unusual. What changed the assessment was subsequent mailbox behavior that did not align with normal usage.
Inbox rules were identified that intercepted banking-related communications and suppressed visibility by moving messages into rarely used folders. Identical rule logic appeared across multiple finance-adjacent mailboxes, a high-confidence indicator of business email compromise. Microsoft Defender telemetry and Microsoft Entra ID sign-in data also showed access occurring at unusual hours and from locations inconsistent with typical user behavior.
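The two observations above, rules that divert finance-related mail into folders nobody reads and the same rule logic appearing in several mailboxes, can be turned into a detection. The following is an added example written for this article; it is not code from the case study, from eGroup, or from Microsoft. It assumes New-InboxRule audit records exported as JSON with a UserId, a ClientIP and a Parameters list of Name/Value pairs (the parameter names are those of the Exchange cmdlet); the records themselves are constructed for the example, and the keyword and folder lists are assumptions to tune for the organisation.

```python
"""Flag suspicious inbox-rule creations and cluster identical rule logic
across mailboxes. Added example, not code from the original case study.

Assumed input: Unified Audit Log records for the New-InboxRule operation,
each with UserId, ClientIP and a Parameters list of {Name, Value} pairs.
"""
import re
from collections import defaultdict

# Assumption: words that indicate a rule is watching financial traffic.
FINANCE_TERMS = {"bank", "wire", "invoice", "payment", "ach", "remittance"}

# Folders a user rarely opens, so mail moved there effectively disappears.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items"}

# Constructed sample records modelled on the Unified Audit Log shape.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.org",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "bank;wire;invoice"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.org",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "bank;wire;invoice"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.org",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-Mailbox", "UserId": "hr@example.org", "Parameters": []},
]

MATCH_KEYS = ("SubjectContainsWords", "BodyContainsWords", "FromAddressContainsWords")
ACTION_KEYS = ("MoveToFolder", "DeleteMessage", "MarkAsRead")


def params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def rule_signature(record):
    """Normalised tuple of the rule's effective logic; the rule name is
    ignored because attackers vary it while keeping the behaviour."""
    p = params(record)
    return tuple((k, p.get(k, "").lower()) for k in MATCH_KEYS + ACTION_KEYS)


def rule_indicators(record):
    """List the indicators a single rule exhibits."""
    p = params(record)
    hits = []
    text = " ".join(p.get(k, "") for k in MATCH_KEYS).lower()
    tokens = set(re.split(r"[;,\s]+", text))
    if tokens & FINANCE_TERMS:
        hits.append("finance_keywords")
    if (p.get("MoveToFolder", "").lower() in HIDDEN_FOLDERS
            or p.get("DeleteMessage", "").lower() == "true"):
        hits.append("hides_messages")
    if p.get("MarkAsRead", "").lower() == "true":
        hits.append("marks_read")
    if p.get("Name", "").strip(" .,-_") == "":
        hits.append("empty_name")
    return hits


def analyse(records):
    """Score each rule and report logic shared across more than one mailbox."""
    rules = [r for r in records if r.get("Operation") == "New-InboxRule"]
    users_by_signature = defaultdict(set)
    for r in rules:
        users_by_signature[rule_signature(r)].add(r["UserId"])
    findings = []
    for r in rules:
        hits = rule_indicators(r)
        shared = users_by_signature[rule_signature(r)]
        if len(shared) > 1:
            hits.append("shared_logic")
        if hits:
            findings.append({"user": r["UserId"], "client_ip": r.get("ClientIP"),
                             "indicators": hits,
                             "shared_with": sorted(shared - {r["UserId"]})})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS):
        print(f)
```

On the constructed records the two finance mailboxes are reported with every indicator, including the shared-logic match with each other and the common source IP, while the HR newsletter rule produces nothing. In Sentinel the same logic maps to an analytics rule over the OfficeActivity table keyed on the Operation and Parameters fields; the signature grouping is what lets one rule creation be judged against the others in the tenant rather than in isolation.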

Assessment and Response
As the scope became clearer, the activity aligned with known BEC techniques designed to remain hidden until a financial action could be initiated. The behavior reflected patience and intent, not opportunism. At that point, both teams recognized the situation required sustained engagement and tight coordination.
Medical Teams and eGroup worked as a single unit throughout the response. The eGroup team leveraged Microsoft Defender telemetry, Microsoft Entra ID sign-in data, and Microsoft Sentinel analytics, supported by the ThreatDefender MXDR service, to provide continuous monitoring and investigative support while context remained actionable.
Containment and Hardening
Malicious inbox rules and unauthorized mailbox delegations were removed, impacted accounts were disabled, and active sessions were revoked to disrupt persistence. A forensic lookback using audit logs, mailbox access records, and Sentinel queries confirmed the attacker maintained access over multiple business days, allowing time to observe sensitive banking activity without executing fraud.
Controls were strengthened based on how the attacker operated. Additional Sentinel alerting was implemented for mailbox rules, delegation changes, and high-risk sign-ins, and conditional access policies were tightened for finance and executive roles.
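The high-risk sign-in alerting described here rests on the same comparison the investigators made earlier: a sign-in at an unusual hour or from an unfamiliar location, weighed more heavily for finance and executive accounts. The following is an added example written for this article, not code from the case study, from eGroup, or from Microsoft. It assumes sign-in events reduced to a user, a UTC timestamp, and a country (Entra ID sign-in logs carry these under their own field names, which this example does not reproduce), and that role membership is available from a directory group; all sample data is constructed.

```python
"""Baseline-driven sign-in review for finance and executive accounts.
Added example, not code from the original case study.

Assumed input: (user, UTC ISO timestamp, country) tuples derived from
Entra ID sign-in logs, plus a role lookup from directory group membership.
"""
from collections import defaultdict
from datetime import datetime

# Assumption: roles that the tightened conditional access policies cover.
PRIVILEGED_ROLES = {"finance", "executive"}

# Constructed role lookup standing in for directory group membership.
USER_ROLES = {"cfo@example.org": "executive",
              "ap.clerk@example.org": "finance",
              "hr@example.org": "hr"}

# Constructed baseline: ordinary sign-ins observed over a learning window.
BASELINE = [
    ("cfo@example.org", "2024-03-04T08:15:00", "US"),
    ("cfo@example.org", "2024-03-05T09:02:00", "US"),
    ("cfo@example.org", "2024-03-06T17:40:00", "US"),
    ("ap.clerk@example.org", "2024-03-04T07:55:00", "US"),
    ("ap.clerk@example.org", "2024-03-05T16:10:00", "US"),
    ("hr@example.org", "2024-03-04T09:30:00", "US"),
    ("hr@example.org", "2024-03-06T22:05:00", "DE"),  # HR travels; DE is normal for them
]


def _hour(ts):
    """Hour of day from an ISO timestamp (assumed UTC)."""
    return datetime.fromisoformat(ts).hour


def build_profiles(events):
    """Per-user set of observed sign-in hours and countries."""
    profiles = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, ts, country in events:
        profiles[user]["hours"].add(_hour(ts))
        profiles[user]["countries"].add(country)
    return profiles


def evaluate_signin(profiles, user, ts, country):
    """Compare one sign-in against the user's baseline and assign a severity.

    Any deviation on a finance or executive account is rated high, because
    those are the mailboxes an attacker positions on ahead of a fraud attempt.
    """
    prof = profiles.get(user)
    if prof is None:
        return {"user": user, "flags": ["no_baseline"], "severity": "medium"}
    flags = []
    # Tolerate one hour either side of every hour seen in the baseline.
    tolerated = {(h + d) % 24 for h in prof["hours"] for d in (-1, 0, 1)}
    if _hour(ts) not in tolerated:
        flags.append("off_hours")
    if country not in prof["countries"]:
        flags.append("new_country")
    privileged = USER_ROLES.get(user) in PRIVILEGED_ROLES
    if not flags:
        severity = "none"
    elif privileged or len(flags) > 1:
        severity = "high"
    else:
        severity = "low"
    return {"user": user, "flags": flags, "severity": severity,
            "privileged": privileged}


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for event in [("cfo@example.org", "2024-03-11T03:10:00", "NG"),
                  ("hr@example.org", "2024-03-11T22:30:00", "DE"),
                  ("ap.clerk@example.org", "2024-03-11T12:00:00", "US")]:
        print(evaluate_signin(profiles, *event))
```

A sign-in by the executive account at 03:10 UTC from a country never seen before scores high; the HR account signing in from Germany late in the evening is within its own baseline and scores nothing; the accounts-payable clerk signing in at midday from the usual country trips only the hour check but still rates high because of the role. The per-user baseline is what makes the hour and location checks meaningful rather than a fixed office-hours rule that would miss travellers and flag shift workers.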

Outcome
The attacker was removed before any fraudulent transactions occurred, and no financial loss was incurred. Leadership regained confidence in the organization’s ability to understand the incident and respond decisively.
From Medical Teams International’s perspective, the experience was never transactional.
“I really felt like I was working with a partner, not a service. The team went above and beyond, and their efforts were tireless as we worked to both mitigate and secure our environment.”
— Jeremy Smith
Key Takeaway
Early detection mattered, but early alignment prevented this from becoming a financial incident. Microsoft Defender and Entra ID surfaced the signals. Continuous monitoring, collaborative investigation, and disciplined response turned those signals into prevention.
What Changed the Outcome
Early detection surfaced the threat, but fast collaboration and continuous monitoring prevented it from becoming a financial incident.

Strengthen Your Microsoft Security Response
Turn Microsoft 365 security signals into faster investigation, containment, and protection against business email compromise.