Business email compromise (BEC) is no longer a niche cybercrime technique. It is one of the most common and damaging forms of intrusion affecting the European mid-market. What makes BEC especially dangerous is not technical sophistication alone. It is the abuse of trust, identity, timing, and familiar business processes.
In a recent Eye Security incident response case, one Microsoft 365 account was compromised not once, but twice, by two unrelated threat actors within the same week. The actors did not appear to coordinate their activity. They simply found and abused the same weak point.
Key takeaways
- Two unrelated threat actors compromised the same Microsoft 365 account within one week.
- Both used adversary-in-the-middle phishing techniques to bypass MFA.
- One actor used the trusted mailbox to send phishing emails and compromise another account.
- A malicious inbox rule helped hide suspicious replies from colleagues.
- Password resets alone are not enough; sessions, rules, authentication methods, and logs must be reviewed.
- Continuous Microsoft 365 monitoring can reduce dwell time from days to minutes.
The case is a clear example of where BEC is heading. Increasingly, threat actors are logging in with legitimate access, bypassing MFA through adversary-in-the-middle phishing kits, reading files and emails, creating inbox rules to hide activity, and using trusted accounts to launch further attacks.
For defenders, the lesson is simple. Identity is now one of the most important security perimeters. And once a threat actor has access to an inbox, every hour matters.
Video 1. Two threat actors, one inbox
Business email compromise in 2026: a dominant threat pattern
In the 2025 incidents analysed by Eye Security, 81% were business email compromise. The same dataset shows that 99%+ of incidents occurred in Microsoft 365 environments, reflecting both Microsoft 365’s dominant role in business operations and its attractiveness to threat actors. The slides also show that 63% of BEC incidents originated from phishing via links, and 79% involved MFA bypass.
The reality is that modern phishing kits are designed to intercept sessions, proxy login flows, and bypass weaker forms of MFA. In other words, threat actors no longer need to rely on a stolen password alone. They can trick users into authenticating through a malicious flow and then capture the session they need to access the account.
This is why BEC is difficult to stop with prevention alone. It does not always look like a classic malware infection. It may look like a user signing in, opening files, reading emails, creating mailbox rules, or sending messages. The activity can appear normal until it is placed in the right context.
What is multi-actor intrusion in business email compromise?
A multi-actor intrusion occurs when more than one threat actor compromises or abuses the same environment, account, or system during the same incident window.
In this case, two separate threat actors compromised the same Microsoft 365 account within days of each other. Threat Actor 1 gained access first. Threat Actor 2 compromised the same account three days later. The actors used similar initial access methods but showed different infrastructure, different phishing kit indicators, and different behaviour after compromise.
This shows how exposed a compromised identity can become once credentials or sessions are captured. The account was not uniquely targeted by one highly motivated adversary. Instead, it appears to have been caught in broader phishing activity, then discovered and abused by different actors.
Many BEC attacks are opportunistic at the start. Threat actors cast a wide net with phishing campaigns, see who falls victim, and then investigate where they have landed. Once inside, they decide how to monetise access.
Monetisation may include invoice fraud, internal phishing, data theft, extortion, credential harvesting, or selling access to another criminal group.
Case timeline: two threat actors, one compromised account
The incident unfolded over slightly more than three weeks.
Image 1. Business email compromise: a timeline of events
On Day 1, the account of User XXX was compromised by Threat Actor 1. The initial access originated from a phishing link. Evidence later showed that the browser history contained the phishing page link, followed by a sign-in from a hosting provider IP address in another country. The user agent and application sign-in patterns were consistent with the Tycoon 2FA phishing kit.
On Day 4, the same account was compromised again, this time by Threat Actor 2. This actor also used a phishing link, but the sign-in came from a residential proxy rather than the same hosting provider infrastructure. The URL and proxy patterns were consistent with the Mamba 2FA phishing kit.
On Day 5, Threat Actor 2 began reading files. This behaviour is typical after account compromise. Once threat actors gain access, they often first try to understand where they are. They look for company context, sensitive documents, financial information, personal data, or anything that could support fraud or extortion.
On Day 9, Threat Actor 1 began reading emails. This suggests that the actor did not immediately exploit the account after compromise. In many BEC cases, there is a gap between initial access and meaningful activity. That gap is dangerous because it can create a false sense of security. Nothing obvious may appear to happen at first, while the account remains available to the threat actor.
On Day 19, Threat Actor 1 sent phishing emails from the compromised account and successfully compromised another account, User YYY. This is one of the most dangerous aspects of BEC. Once a threat actor controls a real mailbox, they can send emails from a trusted internal identity. The message is no longer coming from a lookalike domain or obvious spoof. It is coming from a colleague’s real account.
Also on Day 19, Threat Actor 2 read emails in the same mailbox. By that point, both actors had used the same compromised account for different purposes: one for internal phishing and mailbox manipulation, the other for reconnaissance and data review.
On Day 22, remediation activity began for both affected users. However, Threat Actor 1 was still able to send phishing emails again from one of the compromised accounts. This shows why partial remediation is risky. If the root cause is not fully understood, the threat actor may retain access through an active session, mailbox rule, malicious app consent, or another persistence mechanism.
On Day 23, Threat Actor 2 attempted to sign in again, but the attempt was unsuccessful.
At that stage, the organisation realised the incident was beyond internal handling and engaged Eye Security for incident response.
How the investigation confirmed two separate threat actors
Eye Security collected and correlated several sources of evidence during the investigation. These included Unified Audit Logging, MessageTrace data, browser history, and the actual phishing emails involved in the incident. The slide deck identifies the key finding clearly: Account XXX was compromised twice using adversary-in-the-middle (AitM) phishing.
The evidence pointed to two separate actors because the infrastructure, timing, and phishing kit indicators differed.
Threat Actor 1 used a phishing link, followed by a sign-in from a hosting provider IP address in a foreign country. The sign-in activity involved an application and user agent pattern typical of the Tycoon 2FA phishing kit.
Threat Actor 2 also used a phishing link, but signed in from a residential proxy. The sign-in pattern and URL structure were typical of the Mamba 2FA phishing kit.
This distinction is important. If defenders treat the incident as a single compromise by a single actor, they may miss parts of the activity. They may remediate one access path but overlook another. They may reset credentials but fail to revoke sessions. They may remove one inbox rule but miss another persistence mechanism.
In modern BEC investigations, it is not enough to ask: “Was this account compromised?”
The better question is: “How many times, by whom, through which method, and what did each actor do afterwards?”
Why inbox rules are a major BEC warning sign
Video 2. Inbox rules: a BEC giveaway
Inbox rules are legitimate features in Microsoft Outlook and Microsoft 365. Users create them to move emails into folders, mark certain messages as read, forward emails, or organise inbox activity.
Threat actors abuse the same feature for stealth.
In this case, Threat Actor 1 created a rule that applied to messages where the sender address contained an “@” symbol. Because every email address contains an “@” symbol, the rule effectively applied to all incoming emails. The rule moved messages to another folder and marked them as read.
The result was simple but effective. The legitimate user stopped seeing incoming messages. If colleagues replied to suspicious phishing emails and asked, “Did you send this?”, those replies were hidden before the user noticed them.
This is a classic BEC technique. It helps threat actors suppress warnings, hide bounce-backs, intercept business conversations, and maintain control of the mailbox for longer.
For defenders, new or modified inbox rules should be treated as a high-value detection signal, especially when they involve moving messages, marking messages as read, deleting messages, forwarding externally, or filtering broad patterns.
Why BEC is so effective: threat actors abuse trust, not just technology
Business email compromise works because businesses rely on trust. Employees trust familiar senders. Finance teams trust known suppliers. Colleagues trust internal accounts. Customers trust existing relationships.
In this case, the threat actor did not need to spoof a colleague. They used a real account. They did not need to invent an entirely new business context. They could read emails and files to understand the organisation. They did not need malware to begin the attack. They used identity, sessions, and Microsoft 365 access.
This is why BEC often becomes a business process problem as much as a security problem. The threat actor may target payment workflows, invoice approvals, document sharing, HR conversations, or supplier communications. The technical compromise is only the beginning. The real impact often comes from what the threat actor does with the trust attached to the account.
Why detection speed defines the impact of BEC
Video 3. Detection speed limits the impact
The longer a threat actor remains inside a mailbox, the more context they can gather and the more convincing they become.
Eye Security’s data shows the difference continuous monitoring can make. In MDR environments, the median dwell time was 19 minutes. Without MDR, the median dwell time was 18 days.
In 19 minutes, a defender may be able to detect suspicious sign-in behaviour, revoke sessions, reset credentials, contain the account, and prevent further phishing.
In 18 days, a threat actor can read emails, understand business processes, create inbox rules, compromise additional accounts, intercept payment conversations, steal sensitive information, and prepare fraud attempts. In BEC, speed is a business risk control.
What organisations should do to reduce BEC risk
BEC cannot be solved by one control. The most resilient organisations combine identity hardening, user awareness, forensic readiness, and continuous monitoring.
Enforce MFA across all accounts
MFA should be enforced for all users, not only administrators. Even though adversary-in-the-middle phishing can bypass some MFA methods, MFA still blocks many basic credential-based attacks.
For high-privilege users, organisations should use phishing-resistant MFA wherever possible. This includes FIDO2 security keys, passkeys, or other strong authentication methods that are resistant to session interception.
Organisations should avoid relying on SMS or email-based MFA for sensitive accounts. These methods are better than no MFA, but they are not sufficient for high-risk users or administrator access.
Use Conditional Access in Microsoft Entra ID
Conditional Access is one of the most important controls for reducing identity-based risk in Microsoft 365 environments.
Organisations can use Conditional Access to restrict access based on location, device compliance, risk signals, application, user group, or authentication strength. For example, a company may block sign-ins from countries where it has no employees or business activity. It may require compliant, Intune-managed devices. It may block unknown or high-risk sign-in locations.
Conditional Access should also be used to enforce MFA centrally, rather than relying on per-user MFA settings.
Disable legacy authentication
Legacy authentication can bypass modern MFA protections and is often abused. If legacy protocols remain enabled, threat actors may find routes into accounts that do not trigger the same security controls as modern authentication.
Disabling legacy authentication at the tenant level reduces the attack surface and removes a common path for account abuse.
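The two controls above (Conditional Access and blocking legacy authentication) work by combining conditions with grant controls: every enabled policy whose conditions match a sign-in applies, a block in any applying policy wins, and otherwise the required controls accumulate. The following is an added example, not Eye Security's or Microsoft's code. The policy dictionaries mirror the shape of Microsoft Graph's conditionalAccessPolicy resource (displayName, state, conditions, grantControls); the named-location table, the group and location identifiers, the sign-in contexts and the evaluation logic itself are this example's own assumptions and simplify how Entra ID really evaluates policies.

```python
# Added example: a simplified model of how Conditional Access policies combine.
# Policy layout follows Graph's conditionalAccessPolicy resource; the evaluation
# logic and all identifiers below are assumptions of this example.

# Assumption: a named location listing the countries where the business operates.
NAMED_LOCATIONS = {"loc-operating-countries": {"NL", "BE", "DE"}}

POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    # Legacy protocols cannot complete MFA, so they are blocked outright.
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block sign-ins outside operating countries", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"],
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["loc-operating-countries"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Phishing-resistant MFA and compliant device for admins",
     "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-admins"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"],
                       "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
]


def _in_locations(location_ids, country):
    return any(loc == "All" or country in NAMED_LOCATIONS.get(loc, set())
               for loc in location_ids)


def _location_matches(conditions, country):
    loc = conditions.get("locations")
    if not loc:                      # no location condition: applies everywhere
        return True
    return (_in_locations(loc.get("includeLocations", []), country)
            and not _in_locations(loc.get("excludeLocations", []), country))


def _user_matches(conditions, user, groups):
    scope = conditions.get("users", {})
    return ("All" in scope.get("includeUsers", [])
            or user in scope.get("includeUsers", [])
            or any(g in scope.get("includeGroups", []) for g in groups))


def policy_applies(policy, ctx):
    """True when the sign-in context satisfies every condition of the policy."""
    if policy.get("state") != "enabled":
        return False
    cond = policy["conditions"]
    apps = cond.get("clientAppTypes", ["all"])
    return (_user_matches(cond, ctx["user"], ctx.get("groups", []))
            and _location_matches(cond, ctx["country"])
            and ("all" in apps or ctx["client_app_type"] in apps))


def evaluate_sign_in(ctx, policies=POLICIES):
    """Combine all applying policies: any block wins; otherwise every grant control
    of every applying policy is required (a simplification of the AND/OR operator)."""
    applied = [p for p in policies if policy_applies(p, ctx)]
    names = [p["displayName"] for p in applied]
    controls = set()
    for p in applied:
        grant = p.get("grantControls", {})
        if "block" in grant.get("builtInControls", []):
            return {"decision": "block", "policies": names, "controls": []}
        controls.update(grant.get("builtInControls", []))
        strength = grant.get("authenticationStrength")
        if strength:
            controls.add("authenticationStrength:" + strength["displayName"])
    decision = "require_controls" if controls else "grant"
    return {"decision": decision, "policies": names, "controls": sorted(controls)}


if __name__ == "__main__":
    # Constructed sign-in contexts: a browser sign-in from abroad, a legacy-protocol
    # sign-in from inside the country, and an ordinary in-country browser sign-in.
    for ctx in [
        {"user": "user.xxx@example.test", "country": "US", "client_app_type": "browser"},
        {"user": "user.xxx@example.test", "country": "NL", "client_app_type": "other"},
        {"user": "user.xxx@example.test", "country": "NL", "client_app_type": "browser"},
    ]:
        print(ctx["country"], ctx["client_app_type"], "->", evaluate_sign_in(ctx))
```

The model shows why a country block and a legacy-protocol block are worth having even when an MFA policy already exists: the MFA policy never gets a chance to help on a legacy protocol, and a session proxied through an adversary-in-the-middle kit from a foreign hosting provider is stopped by the location condition before MFA is even evaluated.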
Improve forensic readiness
When BEC happens, logs are essential. Without logs, responders may not be able to determine when the compromise started, which account was accessed, what the threat actor viewed, whether data was exfiltrated, or whether additional users were affected.
Organisations should enable Unified Audit Logging and retain sign-in and audit logs for at least 90 days. For higher-risk environments, longer retention may be appropriate. A cloud-native SIEM can help centralise, retain, and analyse this data.
Forensic readiness is often overlooked until an incident happens. By then, missing logs can slow down response and increase uncertainty.
Monitor Microsoft 365 continuously
BEC often happens outside office hours, from unusual locations, and through behaviour that may look legitimate in isolation. A suspicious sign-in at 03:00 on a Saturday may not be noticed by an internal team until Monday. By then, the threat actor may have already read emails, created inbox rules, and sent phishing messages.
Continuous monitoring helps detect suspicious sign-ins, unusual mailbox activity, suspicious inbox rule creation, impossible travel, risky sessions, and abnormal access patterns.
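Most of the signals just listed, and the evidence that let the investigation above separate two actors (hosting provider versus residential proxy, different user agents), can be reduced to a few checks over sign-in records. The following is an added example, not Eye Security's tooling. The sign-in events are constructed for the example and the field names (asn_type, lat/lon, client_app) are this example's simplification of what Entra ID sign-in logs plus IP enrichment would provide; the country allow-list, legacy protocol names and speed threshold are assumptions.

```python
import math
from datetime import datetime

# Constructed sign-in events (not the incident's data). asn_type and coordinates
# would normally come from IP enrichment; field names are this example's own.
SIGN_INS = [
    {"time": "2025-03-03T08:05:00", "user": "user.xxx@example.test", "ip": "203.0.113.10",
     "country": "NL", "lat": 52.37, "lon": 4.90, "asn_type": "corporate",
     "client_app": "Browser",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/122.0"},
    {"time": "2025-03-03T08:25:00", "user": "user.xxx@example.test", "ip": "198.51.100.8",
     "country": "US", "lat": 40.71, "lon": -74.01, "asn_type": "hosting",
     "client_app": "Browser",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"},
    {"time": "2025-03-06T22:40:00", "user": "user.xxx@example.test", "ip": "192.0.2.45",
     "country": "NL", "lat": 52.09, "lon": 5.12, "asn_type": "residential_proxy",
     "client_app": "Browser",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1"},
    {"time": "2025-03-07T02:10:00", "user": "user.xxx@example.test", "ip": "198.51.100.8",
     "country": "US", "lat": 40.71, "lon": -74.01, "asn_type": "hosting",
     "client_app": "IMAP4", "user_agent": "BAV2ROPC"},
]

OPERATING_COUNTRIES = {"NL", "BE", "DE"}          # assumption: where staff actually work
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
SUSPECT_ASN_TYPES = {"hosting", "residential_proxy", "vpn"}
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # about airliner speed; faster is impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def triage_sign_ins(events):
    """Return one finding per event, in time order, with the warning flags it raises."""
    ordered = sorted(events, key=lambda e: e["time"])
    last_seen = {}
    findings = []
    for ev in ordered:
        flags = []
        if ev["country"] not in OPERATING_COUNTRIES:
            flags.append("unexpected_country")
        if ev["asn_type"] in SUSPECT_ASN_TYPES:
            flags.append(f"{ev['asn_type']}_ip")
        if ev["client_app"] in LEGACY_CLIENT_APPS:
            flags.append("legacy_auth")
        prev = last_seen.get(ev["user"])
        if prev:
            delta = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
            hours = delta.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                flags.append("impossible_travel")
        last_seen[ev["user"]] = ev
        findings.append({"time": ev["time"], "user": ev["user"], "ip": ev["ip"], "flags": flags})
    return findings


def access_fingerprints(events):
    """Group suspicious sign-ins by (ASN type, user agent). Each distinct group is a
    separate access path that remediation has to close, as with the two kits above."""
    groups = {}
    for ev in events:
        if ev["asn_type"] in SUSPECT_ASN_TYPES:
            groups.setdefault((ev["asn_type"], ev["user_agent"]), []).append(ev["time"])
    return groups


if __name__ == "__main__":
    for f in triage_sign_ins(SIGN_INS):
        print(f["time"], f["ip"], ", ".join(f["flags"]) or "-")
    for key, times in access_fingerprints(SIGN_INS).items():
        print("access path", key, "seen", len(times), "time(s)")
```

On the constructed data the second event is flagged three times at once (foreign country, hosting-provider IP, impossible travel twenty minutes after an office sign-in), and the fingerprint grouping yields three distinct access paths: two browser-based ones that differ in infrastructure and user agent, plus a legacy-protocol attempt. That is the shape of evidence that tells an investigator to remediate more than one access path rather than treating the incident as a single compromise.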
Train users to recognise phishing attempts
Most BEC incidents begin with a phishing link. Training employees to inspect URLs, question unexpected login prompts, and report suspicious emails can reduce click rates and shorten detection time.
Awareness training should not be treated as a blame exercise. Anyone can click a convincing phishing link. The goal is to build a culture where users pause, verify, and report quickly when something feels wrong.
Watch for suspicious inbox rules
New inbox rules should be monitored, especially rules that:
- move incoming emails to hidden folders
- mark messages as read
- delete messages automatically
- forward messages externally
- apply to broad sender patterns
- suppress replies or delivery notifications
These rules are often used to hide threat actor activity and delay discovery.
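The "@" rule from the case above, and the list of rule characteristics just given, translate directly into a triage routine over the records Microsoft 365 writes when an inbox rule is created or changed. The following is an added example, not Eye Security's or Microsoft's code. The three audit records are constructed; their layout follows the AuditData JSON that Search-UnifiedAuditLog returns for Exchange inbox-rule operations as this example assumes it (Operation, Workload, UserId, ClientIP and a Parameters list of Name/Value pairs), the parameter names are the Exchange inbox-rule parameter names, and the internal domain, scoring weights and verdict thresholds are assumptions.

```python
import json

# Constructed audit records (not from the incident). Layout mirrors, as an
# assumption, the AuditData JSON of Search-UnifiedAuditLog for inbox-rule events.
SAMPLE_AUDIT_DATA = [
    json.dumps({"CreationTime": "2025-03-19T07:12:44", "Operation": "New-InboxRule",
                "Workload": "Exchange", "UserId": "user.xxx@example.test",
                "ClientIP": "198.51.100.8:51822",
                "Parameters": [{"Name": "Name", "Value": "."},
                               # every address contains "@", so this matches all mail
                               {"Name": "FromAddressContainsWords", "Value": "@"},
                               {"Name": "MarkAsRead", "Value": "True"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]}),
    json.dumps({"CreationTime": "2025-03-10T11:02:10", "Operation": "New-InboxRule",
                "Workload": "Exchange", "UserId": "user.yyy@example.test",
                "ClientIP": "203.0.113.10:443",
                "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                               {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2025-03-20T23:48:03", "Operation": "Set-InboxRule",
                "Workload": "Exchange", "UserId": "user.yyy@example.test",
                "ClientIP": "198.51.100.8:60211",
                "Parameters": [{"Name": "Identity", "Value": "Invoices"},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                               {"Name": "ForwardTo", "Value": "collect@mailbox.invalid"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
]

INTERNAL_DOMAINS = {"example.test"}                       # assumption
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
MATCH_PARAMS = {"FromAddressContainsWords", "SubjectContainsWords",
                "SubjectOrBodyContainsWords", "BodyContainsWords"}
HIDE_ACTIONS = {"MarkAsRead": 1, "MoveToFolder": 1, "DeleteMessage": 2, "SoftDeleteMessage": 2}
FORWARD_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def parse_parameters(record):
    """Flatten the Parameters list of an Exchange audit record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_broad_pattern(value):
    """Match words such as "@" or "." apply to practically every message."""
    words = [w.strip() for w in value.split(";") if w.strip()]
    return any(w in {"@", "."} or len(w) <= 2 for w in words)


def is_external(address):
    domain = address.strip("[]").rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def triage_rule(raw_audit_data):
    """Score one inbox-rule audit record; None for records that are not rule changes."""
    rec = json.loads(raw_audit_data)
    if rec.get("Workload") != "Exchange" or rec.get("Operation") not in RULE_OPERATIONS:
        return None
    params = parse_parameters(rec)
    score, reasons = 0, []
    for name in sorted(MATCH_PARAMS & params.keys()):
        if is_broad_pattern(params[name]):
            score += 3
            reasons.append(f"broad match {name}={params[name]!r}")
    for name, weight in HIDE_ACTIONS.items():
        if params.get(name) not in (None, "False"):
            score += weight
            reasons.append(f"hides mail via {name}")
    for name in sorted(FORWARD_ACTIONS & params.keys()):
        if is_external(params[name]):
            score += 4
            reasons.append(f"external {name}={params[name]!r}")
    rule_name = params.get("Name") or params.get("Identity") or ""
    if not rule_name.strip(". _-"):          # names like "." or "" are a known giveaway
        score += 1
        reasons.append("non-descriptive rule name")
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"time": rec.get("CreationTime"), "user": rec.get("UserId"),
            "client_ip": rec.get("ClientIP"), "operation": rec["Operation"],
            "rule": rule_name, "score": score, "verdict": verdict, "reasons": reasons}


def triage_audit_log(raw_records):
    """Triage every rule record in a log export, highest score first."""
    results = [r for r in map(triage_rule, raw_records) if r]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage_audit_log(SAMPLE_AUDIT_DATA):
        print(r["verdict"].upper(), r["user"], r["rule"] or "(unnamed)", "-", "; ".join(r["reasons"]))
```

The "@" rule scores high on three independent counts (a pattern that matches everything, actions that hide mail, and a one-character name), while the newsletter rule that moves a single sender's mail stays low. Pairing the verdict with the ClientIP of the record is what links a rule back to the sign-in that created it, which is how the investigation attributed the rule in the case to Threat Actor 1 rather than to the user.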
Revoke sessions during remediation
Password resets alone may not be enough if threat actors have active sessions or stolen tokens. Remediation should include session revocation, MFA reset where needed, review of registered devices and authentication methods, removal of malicious inbox rules, and investigation of app consent or OAuth abuse.
This is one of the most common reasons BEC remediation fails. The organisation changes a password but does not fully remove the threat actor’s active access.
Conclusion: BEC is human-driven, identity-based, and time-sensitive
Business email compromise succeeds because threat actors understand how organisations work. They know that employees trust colleagues. They know that finance teams move quickly. They know that inboxes contain context. They know that MFA is often implemented in ways that can be bypassed. And they know that many organisations do not monitor Microsoft 365 continuously.
The answer is not to abandon prevention. But organisations also need visibility. They need logs. They need alerting. They need fast investigation. They need people who understand what suspicious identity behaviour looks like. And they need the ability to contain compromised accounts before one inbox becomes a wider business incident.
In BEC, the difference between minutes and days can be the difference between a contained account compromise and a serious financial or operational incident.
FAQ: Multi-Actor Intrusion and Business Email Compromise
What is business email compromise (BEC)?
Business email compromise, or BEC, is a type of cyberattack where threat actors gain access to or impersonate a business email account to commit fraud, steal information, redirect payments, or compromise additional users.
Unlike many malware-based attacks, BEC often relies on trust and legitimate access. Threat actors may use phishing links, stolen credentials, adversary-in-the-middle phishing kits, session hijacking, or token theft to access an account. Once inside, they can read emails, monitor conversations, create inbox rules, and send convincing messages from a trusted identity.
What is multi-actor intrusion in BEC?
Multi-actor intrusion in BEC occurs when more than one threat actor compromises or abuses the same account or environment during the same incident window.
In the case discussed by Eye Security, two separate threat actors compromised the same Microsoft 365 account within one week. The actors were not working together. They used different infrastructure and phishing kit indicators, but both gained access to the same mailbox.
This shows that once an account is exposed through phishing or session theft, it may be abused by more than one criminal actor.
How can two threat actors compromise the same email account?
Two threat actors can compromise the same account if the user falls victim to more than one phishing campaign, if captured credentials or sessions are reused, or if access is sold or shared in criminal ecosystems.
In opportunistic BEC campaigns, threat actors often send phishing links at scale. If the same user interacts with multiple malicious links or if account access remains unresolved after the first compromise, different actors may gain access independently.
Why is Microsoft 365 often targeted in BEC attacks?
Microsoft 365 is widely used by organisations across Europe and globally. Because so many businesses rely on Microsoft 365 for email, files, collaboration, identity, and administration, it is a high-value target for threat actors.
A compromised Microsoft 365 account can give threat actors access to email conversations, SharePoint files, OneDrive documents, Teams context, contacts, calendars, and business workflows. That makes it useful for fraud, reconnaissance, internal phishing, and data theft.
How does adversary-in-the-middle phishing bypass MFA?
Adversary-in-the-middle phishing works by proxying the legitimate login process. The victim believes they are signing in to a real Microsoft service. They enter credentials and complete MFA. The threat actor captures the authenticated session or token created during that process.
This allows the threat actor to access the account without needing to defeat MFA directly. The user completed MFA, but the threat actor stole the session that resulted from it.
Does MFA still protect against BEC?
Yes, MFA is still an essential security control. It blocks many basic credential attacks and should be enforced across all accounts.
However, not all MFA methods provide the same level of protection. SMS, email-based MFA, and simple push approvals are more vulnerable to phishing and social engineering. High-privilege accounts should use phishing-resistant MFA, such as FIDO2 security keys or passkeys.
MFA should be combined with Conditional Access, session monitoring, log retention, and continuous detection.
What are common signs of business email compromise (BEC)?
Common signs of BEC include suspicious sign-ins, unusual locations, impossible travel alerts, newly created inbox rules, unexpected email forwarding, messages marked as read without user action, unexplained sent emails, deleted messages, unusual file access, and reports from colleagues or customers receiving strange emails.
Other warning signs include changes to MFA methods, new devices, abnormal OAuth app consent, or login activity from hosting providers, VPNs, proxies, or countries where the organisation does not operate.
Why do threat actors create inbox rules during BEC attacks?
Threat actors create inbox rules to hide their activity. A malicious rule can move emails to another folder, mark messages as read, delete warnings, forward messages externally, or suppress replies from colleagues.
In the Eye Security case, an inbox rule was created that applied broadly to incoming messages and marked them as read. This helped hide replies from colleagues who questioned suspicious emails sent from the compromised account.
Why is phishing via links still effective?
Phishing via links remains effective because it exploits familiar user behaviour. Employees are used to clicking links to sign in, open documents, approve requests, or access shared files.
Modern phishing pages can be highly convincing. Some use adversary-in-the-middle techniques to proxy real login flows and bypass MFA. This makes it difficult for users to distinguish between a legitimate authentication prompt and a malicious one.
What should an organisation do after a Microsoft 365 account is compromised?
After a Microsoft 365 account compromise, the organisation should immediately contain the account, revoke active sessions, reset credentials, review MFA methods, remove malicious inbox rules, check for suspicious forwarding, review sign-in logs, examine mailbox activity, and determine whether other accounts were affected.
It is also important to preserve logs and evidence before making unnecessary changes. If the threat actor sent phishing emails internally or externally, the organisation should identify recipients and assess whether additional accounts were compromised.
Is resetting the password enough after BEC?
No. Resetting the password is not always enough.
If threat actors have active sessions, stolen tokens, malicious inbox rules, added authentication methods, or OAuth access, they may retain access even after a password reset. Proper remediation should include session revocation, review of authentication methods, mailbox rule review, device review, and log analysis.
How long can threat actors remain undetected in BEC cases?
Threat actors can remain undetected for days or weeks if there is no continuous monitoring. In Eye Security’s BEC data, the median dwell time was 19 minutes in MDR environments compared with 18 days without MDR.
This difference shows why rapid detection and response are critical. The longer threat actors remain inside a mailbox, the more context they can gather and the more damage they can cause.
What logs are important for investigating BEC?
Important logs for BEC investigations include Microsoft 365 Unified Audit Logs, Entra ID sign-in logs, MessageTrace data, mailbox audit logs, inbox rule changes, file access logs, browser history, and the original phishing emails.
These sources help responders understand how the compromise happened, which accounts were accessed, what the threat actor did, whether emails were sent, whether files were read, and whether other users were affected.
How long should Microsoft 365 logs be retained?
Organisations should retain sign-in and audit logs for at least 90 days. Longer retention is recommended for organisations with higher risk exposure, regulatory obligations, or limited internal detection capability.
BEC investigations often require historical data to identify the initial access point and reconstruct threat actor activity. If logs are unavailable, the investigation may be slower and less conclusive.
What is the role of Conditional Access in preventing BEC?
Conditional Access helps reduce BEC risk by limiting when, where, and how users can sign in. Organisations can require MFA, block high-risk locations, restrict access to compliant devices, enforce authentication strength, or prevent access from countries where the organisation does not operate.
Conditional Access is especially valuable because it adds context to authentication. It does not simply ask whether the password is correct. It asks whether the sign-in makes sense.
Why should legacy authentication be disabled?
Legacy authentication should be disabled because it can bypass modern security controls, including MFA. Threat actors often look for legacy protocols because they may allow access without triggering stronger authentication requirements.
Disabling legacy authentication at the tenant level reduces the risk of account compromise and removes a common route for identity abuse.
How can organisations reduce the risk of BEC?
Organisations can reduce BEC risk by enforcing MFA, using phishing-resistant MFA for privileged accounts, implementing Conditional Access, disabling legacy authentication, training users to recognise phishing, monitoring Microsoft 365 activity continuously, retaining logs, and preparing an incident response process.
The most important principle is to combine prevention with detection. Some phishing attempts will succeed. The goal is to detect and contain them before they become business-impacting incidents.
Can Eye Security help investigate BEC incidents?
Yes. Eye Security helps organisations investigate and respond to Business Email Compromise incidents. This can include evidence collection, Microsoft 365 log analysis, phishing investigation, account containment, inbox rule review, session revocation guidance, identification of affected users, and recommendations to reduce future risk.
Eye Security’s MDR service also provides continuous monitoring and expert-led response to detect suspicious activity earlier and reduce threat actor dwell time.
What is the most important lesson from this multi-actor BEC case?
The most important lesson is that a compromised inbox can become a shared opportunity for multiple threat actors. Once identity is compromised, the threat actor does not need malware to cause damage. They can use legitimate access, trusted workflows, and business context.
That is why organisations need to protect identity, monitor Microsoft 365 continuously, retain the right logs, and respond quickly when suspicious activity appears.