All client identifiers have been anonymised. Timeframes and technical findings reflect the investigation record.
Containing a Business Email Compromise and Invoice-Fraud Attempt at a South Asian Sustainability Technology Platform in July 2025
At a glance
- Customer: South Asian sustainability technology platform (anonymised)
- Incident type: Business Email Compromise (BEC) with invoice fraud activity
- Environment: Microsoft 365 (Exchange Online / identity logs), user endpoints (triage scope)
- Initial vector: Bonus-themed phishing emails with a QR-code lure leading to credential harvesting
- Threat tradecraft observed: Phishing-as-a-Service (PhaaS) infrastructure; foreign sign-ins; lookalike domain impersonation; malicious inbox rules to hide activity
- Blackpanda services: Microsoft 365 investigation, mailbox compromise scoping, email header analysis, fraud-risk assessment, recommendations for controls and finance workflows
Reference: MITRE ATT&CK Enterprise Matrix
CHALLENGE
A “simple email” that turned into a financial crime attempt
The incident began with a coordinated wave of phishing emails designed to look legitimate and urgent — a lure crafted to pull employees into action before they verify. The emails pushed recipients toward credential harvesting rather than malware, making the attack quieter and easier to miss in endpoint telemetry.
Once credentials were captured, the attackers authenticated into Microsoft 365 mailboxes and inserted themselves into invoicing communications to issue fraudulent payment instructions — meeting the definition of a successful BEC event.
QR-code phishing shifted the risk to personal devices
The phishing email contained a PDF attachment that appeared harmless on its own — but instructed the user to scan an embedded QR code using a mobile device. That scan redirected users to attacker infrastructure hosting spoofed login pages, consistent with modern PhaaS tradecraft.
“Valid credentials” made the attacker look like a normal user
This wasn’t a noisy exploit. Sign-in evidence showed mailbox access originating from overseas locations, and at least two users were assessed as compromised. With no enforced MFA across all users at the time, the attacker’s path required no sophisticated malware — just stolen credentials and persistence inside email workflows.
Visibility gaps raised the stakes for defensible conclusions
A major constraint shaped the investigation: at the time of engagement, Microsoft’s Unified Audit Log was not enabled, removing key records across services and forcing the investigation to rely on what could still be proven (including limited-retention sign-in logs).
In a BEC incident, “we think” is not good enough — finance teams, leadership, and counterparties need a defensible narrative to decide what to stop, what to report, and what to verify.
SOLUTION
1) Rapid scoping of mailbox compromise and fraud pathways
Blackpanda’s incident responders prioritised fast scoping actions that reduce harm immediately:
- Identify compromised identities and suspicious access patterns using available identity telemetry.
- Review email artefacts and headers tied to suspected impersonation and invoice fraud activity.
- Focus on how the attacker redirected communications (reply-path manipulation, hidden routing, and rule-based suppression).
2) Reconstructing the attack chain: lure — harvest — login — invoice manipulation
Blackpanda mapped the progression as a coherent crime narrative:
- Phishing delivery: a coordinated burst of bonus-themed lure emails reached multiple employees.
- Credential harvesting: the PDF + QR code path redirected to spoofed login infrastructure associated with a phishing-as-a-service ecosystem.
- Mailbox compromise: sign-in logs supported the conclusion of mailbox access from overseas locations and compromise of multiple users.
- Invoice fraud phase: attackers registered and used a lookalike domain to impersonate users whose accounts were not directly compromised, and manipulated reply routing to capture ongoing responses in invoice threads.
3) Removing deception mechanisms: malicious inbox rules and reply hijacking
Attackers did not rely on one trick — they layered concealment:
- They used email header manipulation to spoof visible “From” fields and redirect replies to attacker-controlled addresses (a classic invoice-fraud technique).
- They created malicious inbox rules within compromised mailboxes to redirect inbound messages and suppress evidence. Blackpanda identified multiple malicious rules consistent with this concealment pattern.
4) Hardening recommendations tied to how the criminals operated
The recommendations focused on controls that directly break the attacker’s playbook:
People and finance controls
- “Pause — Call — Confirm” for any payment or bank-detail change.
- Targeted awareness for finance and executives.
- Stronger reporting habits (don’t forward suspicious emails).
Process controls
- Dual approval for bank changes and high-value invoices.
- Callback verification using known numbers.
- Cooling-off periods before first payments to changed accounts.
Technology controls (Microsoft 365)
- Enforce phishing-resistant MFA and Conditional Access.
- Disable legacy auth.
- Tighten email authentication (SPF/DKIM/DMARC).
- Improve anti-phishing protections.
- Block external auto-forwarding.
- Alert on new inbox rules.
- Restrict OAuth consent and review existing grants.
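As an added illustration (not code from the investigation, nor a Blackpanda or Microsoft tool), the two concealment mechanisms described in section 3 and the "alert on new inbox rules" control above can be checked in Python over constructed samples: a Reply-To header pointing at a homoglyph lookalike domain, and an inbox-rule listing whose field names (Name, ForwardTo, DeleteMessage, MoveToFolder, SubjectContainsWords) are assumed for the example, not taken from a real export format.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not from the investigation): an invoice-thread reply whose
# Reply-To silently points at a lookalike domain, and two inbox rules using
# assumed field names, one matching the concealment pattern and one benign.
SAMPLE_HEADERS = (
    "From: Accounts Payable <ap@example-corp.com>\n"
    "Reply-To: ap@examp1e-corp.com\n"
    "Subject: RE: Invoice 2025-07 - updated bank details\n\n"
)
SAMPLE_RULES = [
    {"Name": ".", "ForwardTo": ["billing@attacker.example"], "DeleteMessage": True,
     "MoveToFolder": None, "SubjectContainsWords": ["invoice", "payment"]},
    {"Name": "Newsletters", "ForwardTo": [], "DeleteMessage": False,
     "MoveToFolder": "Newsletters", "SubjectContainsWords": ["digest"]},
]
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
HIDING_FOLDERS = {"rss subscriptions", "conversation history", "junk email", "deleted items"}
FRAUD_WORDS = {"invoice", "payment", "bank", "wire", "remit"}

def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def is_lookalike(a: str, b: str) -> bool:
    """True when two different domains collapse to the same string after homoglyph folding."""
    fold = lambda d: d.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return a != b and fold(a) == fold(b)

def check_reply_path(raw: str) -> list:
    """Flag a Reply-To / From domain mismatch: the reply-hijack pattern seen in invoice threads."""
    msg = message_from_string(raw)
    src, rto = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    findings = []
    if rto and rto != src:
        findings.append(f"reply-to domain {rto} differs from from domain {src}")
        if is_lookalike(rto, src):
            findings.append(f"{rto} is a lookalike of {src}")
    return findings

def triage_inbox_rule(rule: dict, internal_domain: str) -> list:
    """Return the reasons a rule matches the concealment pattern (external forward, delete, hide, fraud keywords)."""
    reasons = []
    if any(domain_of(a) != internal_domain for a in rule.get("ForwardTo", [])):
        reasons.append("forwards to external address")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    if (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to a rarely-viewed folder")
    if FRAUD_WORDS & {w.lower() for w in rule.get("SubjectContainsWords", [])}:
        reasons.append("keyed on invoice/payment subjects")
    if len(rule.get("Name", "").strip()) <= 1:
        reasons.append("blank or single-character rule name")
    return reasons
```

Feeding a real rule listing and captured headers through these two functions gives a triage list to review, not a verdict; a legitimate forward to a partner domain will also be flagged and needs a human check.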
RESULTS
1) A defensible, evidence-led conclusion: BEC with invoice fraud activity
Blackpanda confirmed the incident pattern as credential harvesting plus mailbox compromise, followed by invoice fraud activity using impersonation tactics and lookalike domain infrastructure — not a malware outbreak. That matters because the correct fix is identity control, email controls, and payment verification — not just endpoint cleanup.
2) Compromise scope clarified despite telemetry constraints
Even with Unified Audit Log limitations, the investigation used the best-available data sources to identify compromised users and suspicious access, and to focus remediation on the highest-risk pathways (mailbox access, rule-based suppression, and reply hijacking).
3) Practical controls delivered for both IT and Finance
The engagement produced a clear remediation plan that aligns technical and business controls:
- IT controls that reduce credential-theft repeatability (MFA, Conditional Access, DMARC, anti-phish).
- Finance-grade process controls that stop invoice fraud even if an attacker gets back in (pause-call-confirm, dual approvals, verified callbacks).
4) A repeatable playbook for the next “quiet” cloud incident
This case reinforces a modern lesson: a cloud email compromise can become a financial crime attempt without ever dropping malware on a laptop. Organisations that treat “email security” as purely technical — without strong payment verification discipline — remain exposed.
FAQ: QR-code phishing, BEC, and invoice fraud
Q1. How did the attackers get access to the mailboxes?
The investigation assessed that credentials were harvested via a phishing campaign and then used to authenticate to Microsoft 365 mailboxes. At least two users were assessed as compromised, and MFA was not enforced for all users at the time, increasing the likelihood of successful access with stolen credentials.
Q2. Why is QR-code phishing so effective?
QR codes push users onto mobile devices where they may not have the same security controls, URL previews, or “muscle memory” for verification. In this incident, the PDF attachment instructed recipients to scan a QR code that redirected to spoofed login infrastructure.
Q3. Did the attackers need malware to pull this off?
The documented tradecraft relies on credential harvesting and mailbox manipulation — not malware — which is why these incidents can evade traditional endpoint-centric detection if identity and email controls are weak.
Q4. What’s the purpose of a lookalike domain in invoice fraud?
A lookalike domain lets criminals impersonate users whose accounts weren’t compromised, create believable threads, and redirect replies to attacker-controlled mailboxes — keeping the legitimate user out of the loop.
Q5. What are the fastest controls to reduce invoice-fraud risk?
Enforce phishing-resistant MFA and Conditional Access, harden SPF/DKIM/DMARC, disable external auto-forwarding, alert on new inbox rules, and enforce out-of-band payment verification for any change in bank details.
What this means for you
BEC is a confidence trick — criminals don’t need to “break” a system if they can borrow your identity. If your organisation runs invoicing and approvals through email, attackers only need one weak link to insert themselves into payments and trusted correspondence.
Blackpanda’s incident responders help teams scope identity compromise quickly, separate proof from assumption, and harden the exact routes criminals used — so the next “urgent email” doesn’t become a financial incident.