Incident Response

Business Email Compromise Targets Clothing Manufacturer

INDUSTRY

eCommerce & Retail

LOCATION

United Kingdom

SERVICES PROVIDED BY FOREGENIX

Incident Response & Email Threat Investigation

Remediation & Policy Hardening

About the Client

Our client is a UK-based clothing manufacturer supplying products to high-street retailers across Europe. With 70 employees and a turnover of £12M, the business runs most of its operations via Microsoft 365, including email, invoicing, and order management. Their lean finance team had not previously experienced a cyber incident. (Client name protected for confidentiality.)

The Challenge: Payment Interception via Email Compromise

The Initial Discovery:
The client contacted Foregenix after noticing that a key supplier had not received a payment, despite confirmation that the funds had been transferred days earlier. Further investigation revealed the payment had been diverted to a bank account controlled by a threat actor.

The Attack:
A threat actor had gained covert access to a finance team mailbox hosted in Microsoft 365. By setting up hidden forwarding rules and monitoring email threads, the attacker was able to inject a spoofed invoice into a legitimate supplier conversation — leading to a fraudulent payment of £48,000.

The Business Risks:

  • Financial loss due to the unrecoverable payment
  • Breakdown in supplier trust
  • Reputational risk within a tight-knit industry
  • Regulatory exposure if the incident revealed negligent internal security controls
  • Risk of wider compromise if other mailboxes were accessed
  • Risk of reputational damage and increased chargebacks if the breach was confirmed

The Solution: Incident Response & Email Threat Investigation

  • Step 1: Emergency Call & Triage

    The client contacted Foregenix via our incident response hotline. The Cyber Defence Team immediately began remote triage to assess scope and potential ongoing access.

  • Step 2: Threat Containment & Access Review

    We worked with the client’s IT admin to disable the affected Microsoft 365 account, reset credentials, and review recent login activity. We identified successful logins from a Nigerian IP range with no MFA in place.

  • Step 3: Mailbox Forensics

    Using our Microsoft 365 forensic toolkit, we discovered:

    • Forwarding rules to an external Gmail address
    • Inbox filtering to hide legitimate supplier replies
    • Evidence the attacker had been present for at least 10 days, carefully watching conversations

    No malware was found on endpoints, confirming this was a credential-based compromise.
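    The mailbox-rule hunt described in Step 3, as an added example that is not Foregenix's forensic toolkit: an Exchange Online PowerShell script that walks every user mailbox, flags inbox rules that forward or redirect outside the tenant's own domains or that hide mail (delete, move to an obscure folder, mark as read) and are keyed on finance terms, and then pulls rule-change events from the unified audit log so the source IP and timing of each change can be tied to the sign-in review from Step 2. It assumes the ExchangeOnlineManagement module, an analyst account with read access to recipients and audit logs, and uses contoso.com and ir-analyst@contoso.com as placeholder values.

```powershell
# Added example: hunt for external-forwarding and mail-hiding inbox rules tenant-wide.
# Assumes ExchangeOnlineManagement is installed; contoso.com / ir-analyst@contoso.com are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'ir-analyst@contoso.com' -ShowBanner:$false

$internalDomains = @('contoso.com')   # placeholder: the organisation's own accepted domains
$findings = @()

foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {

    # Mailbox-level forwarding set with Set-Mailbox, which inbox-rule review alone would miss
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Rule = '<mailbox forwarding>'; Enabled = $true
            Reason  = "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress) DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)"
        }
    }

    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()

        # 1. Forward / forward-as-attachment / redirect to a domain outside the tenant.
        #    Recipient entries are rendered as: "Display Name" [SMTP:user@example.com]
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in ($targets | Where-Object { $_ })) {
            if ("$t" -match 'SMTP:([^\]\s]+)') {
                $domain = ($Matches[1] -split '@')[-1].ToLower()
                if ($internalDomains -notcontains $domain) {
                    $reasons += "external forward to $($Matches[1])"
                }
            }
        }

        # 2. Rules that hide mail from the mailbox owner.
        if ($rule.DeleteMessage) { $reasons += 'deletes matching mail' }
        if ($rule.MoveToFolder -and "$($rule.MoveToFolder)" -match 'RSS|Archive|Junk|Deleted|Conversation History') {
            $reasons += "moves mail to $($rule.MoveToFolder)"
        }
        if ($rule.MarkAsRead -and ($rule.DeleteMessage -or $rule.MoveToFolder)) {
            $reasons += 'marks as read before hiding'
        }

        # 3. Scoping on finance vocabulary is the typical BEC signature.
        $keywords = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.SubjectOrBodyContainsWords)
        if (($keywords -join ' ') -match 'invoice|payment|bank|remittance|wire') {
            $reasons += 'keyed on finance terms'
        }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Enabled = $rule.Enabled
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

$findings | Format-Table -AutoSize

# Corroborate with the unified audit log: who created or changed rules, from which IP, and when.
# New-InboxRule / Set-InboxRule are logged for PowerShell and OWA; UpdateInboxRules for Outlook desktop.
$since = (Get-Date).AddDays(-30)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 5000 `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ClientIP |
    Sort-Object CreationTime | Format-Table -AutoSize
```

    Run the findings table against the sign-in review from Step 2: a rule created from the same foreign IP range that produced the non-MFA logins is the strongest indicator, and a rule keyed on "invoice" that moves replies to RSS Feeds is exactly the pattern that let a spoofed invoice go unnoticed here. Note that a 30-day audit window depends on unified audit logging having been enabled before the intrusion; if it was not, the rule's own properties and the mailbox's last-modified timestamps are the only timeline left.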

  • Step 4: Lateral Movement Checks

    We conducted a review of audit logs across all user accounts to confirm no other mailboxes had been accessed or modified.

  • Step 5: Remediation & Policy Hardening

    Foregenix helped the client:

    • Enable multi-factor authentication (MFA) for all users
    • Audit and restrict external email forwarding
    • Implement Microsoft Defender for Office 365 to monitor suspicious behaviours
    • Update their finance process to verify all bank detail changes via out-of-band communication
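    The "audit and restrict external email forwarding" control in Step 5, as an added example rather than the configuration Foregenix deployed: Exchange Online PowerShell that blocks automatic forwarding at both the remote-domain and outbound-spam-policy layers, clears any mailbox-level forwarding, disables remaining inbox rules that forward or redirect, and confirms mailbox auditing is on so future rule changes are logged. It assumes the ExchangeOnlineManagement module and an account holding the Organization Management role; admin@contoso.com is a placeholder.

```powershell
# Added example: tenant-wide hardening against the forwarding path abused in this incident.
# Assumes ExchangeOnlineManagement is installed; admin@contoso.com is a placeholder UPN.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com' -ShowBanner:$false

# 1. Stop auto-forwarding to every external domain at the transport layer.
#    The 'Default' remote domain covers all domains without a more specific entry.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Also turn it off in the outbound spam policy, which blocks forwarding created by
#    inbox rules and by mailbox settings alike (valid values: Automatic, On, Off).
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Clear mailbox-level forwarding and disable inbox rules that still forward or redirect.
#    Review the hunt output first: a legitimate shared-inbox forward will be caught here too.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        Write-Host "Clearing mailbox forwarding on $($mbx.UserPrincipalName)"
        Set-Mailbox -Identity $mbx.UserPrincipalName -ForwardingSmtpAddress $null `
            -ForwardingAddress $null -DeliverToMailboxAndForward $false
    }
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            Write-Host "Disabling rule '$($_.Name)' in $($mbx.UserPrincipalName)"
            Disable-InboxRule -Mailbox $mbx.UserPrincipalName -Identity $_.Identity -Confirm:$false
        }
}

# 4. Ensure mailbox auditing is on so the next rule change lands in the unified audit log.
Set-OrganizationConfig -AuditDisabled $false

# 5. Verify the settings took effect.
Get-RemoteDomain -Identity Default | Select-Object Name, AutoForwardEnabled
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```

    Rules are disabled rather than removed so the evidence survives for the investigation; remove them once the case is closed. MFA enforcement belongs in Entra ID (Conditional Access or Security Defaults) rather than Exchange Online and is not shown here, and none of this replaces the out-of-band bank-detail verification in the finance process, which is the control that stops a spoofed invoice even when the mailbox itself is clean.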


The Results: Threat Neutralised & Resilience Strengthened

  • Threat Actor Removed: Malicious access disabled, inbox rules cleaned, login sessions terminated
  • MFA Enabled: Across all accounts within 24 hours
  • Mailbox Audit Completed: Confirmed no further compromise
  • Improved Process Controls:
    • Bank detail changes now require dual-approval
    • Payment verification includes voice confirmation
  • Staff Awareness Increased: Short training delivered to finance and sales teams
  • Client Reassurance Delivered: Supplier relationship preserved through transparency and response speed

Why Foregenix Cyber Defence Team

The client chose Foregenix due to our proven expertise in Microsoft 365 incident response and business email compromise investigations. Our Cyber Defence Team’s speed, clarity, and tailored advice gave the client peace of mind and helped them recover from a significant financial and operational shock.
