Playbook 2
Business email compromise on the office
The quieter precursor: a compromised office mailbox, malicious forwarding rules harvesting wire threads and K-1s, a spoofed custodian notice, or fake “updated wire instructions” mid-deal.
The hard truth
By the time the fraudulent wire request arrives, the attacker has usually been reading your mail for weeks.
The first hour
- 1
Force a password reset and revoke all active sessions on the affected mailbox.
- 2
Audit inbox and forwarding rules — attackers hide auto-forwarding and auto-delete rules to intercept threads.
- 3
Check sent items and deleted items for messages you didn't send.
- 4
Alert anyone the mailbox recently corresponded with about wires or banking details.
- 5
Notify the custodian and any counterparty mid-deal that instructions from you may be compromised.
Stop the next one
- MFA on every office mailbox — hardware keys for the finance team.
- SPF, DKIM, and DMARC configured on all office domains.
- A standing mailbox-rule audit to catch malicious forwarding early.
- A deal-time verification decision tree: “Is this really the fund administrator?”