BEC Investigation | Professional Services | M365 Environment

Business Email Compromise: £340k Fraudulent Transfer Investigation

Situation: A professional services firm discovered a £340,000 payment had been made to a fraudulent bank account following a business email compromise. The finance director’s Microsoft 365 account had been compromised six weeks earlier. The attacker had been silently monitoring email traffic and intercepted a legitimate supplier payment instruction, substituting their own account details.

Investigation: Binary Response conducted a full M365 forensic investigation. We reconstructed the complete attacker timeline — from initial account compromise via a consent phishing email, through six weeks of surveillance, to the payment interception. We identified that two additional senior accounts had been compromised and were still under attacker control. We also identified a forwarding rule silently copying all emails to an external address.

Outcome: An evidence package was submitted to Action Fraud and the firm’s bank within 48 hours. £210,000 was recovered via the banking sector fraud recall process. The forensic evidence supported a subsequent civil claim. An ICO notification was filed, and the full post-incident hardening recommendations were implemented.

£210k: Funds recovered
48hrs: To evidence submission
6wks: Attacker dwell time found
