Business email compromise happens when criminals trick or hijack real business email accounts to redirect payments or steal sensitive information. To stop business email compromise in UK SMEs using Microsoft 365, you need to lock down how people sign in, harden mailbox security and tighten how money-related requests are handled, not just add another security product. With a small set of clear changes, you can make it much harder for attackers to tamper with inboxes, rules and payment details.

What business email compromise actually is

Business email compromise (BEC) is a targeted form of fraud where attackers use realistic-looking emails to convince staff to send money or data they should not. Sometimes they directly compromise a mailbox. Sometimes they register lookalike domains or use display name tricks so messages appear to come from a director, supplier or colleague.

Unlike bulk phishing, BEC attacks are usually low volume and well prepared. Criminals often study your website, social media and email patterns first so their requests feel believable. That is why basic spam filters or antivirus rarely catch them on their own.

The financial impact can be severe. The FBI’s Internet Crime Complaint Center has repeatedly reported BEC as one of the most financially damaging types of online fraud, and for a smaller business a single successful payment diversion can be enough to cause real disruption.

Why Microsoft 365 mailboxes are such a common target

Many UK SMEs now run most of their day-to-day work through Microsoft 365: email, shared files, calendars, meetings and collaboration. That makes Microsoft 365 accounts attractive to attackers. If they can sign in as one of your users, they gain:

  • access to invoices, quotes and banking details
  • visibility of who approves payments and when
  • the ability to send believable messages from real accounts
  • the option to set rules that hide their activity from the victim

Microsoft 365 also gives you strong security controls when they are enabled and tuned properly. For many SMEs, the issue is not whether protection exists, but whether it has been configured to match how the organisation actually works. If you want help tightening those settings without breaking day-to-day workflows, Unite supports secure Microsoft tenancy set-up and ongoing management through their Microsoft 365 services.

Start with identity: lock down how people sign in

Nearly every BEC story starts with an attacker gaining control of an account, or creating something that looks close enough. The first priority is to make it much harder for someone to sign in as your staff.

Require multi-factor authentication everywhere

Multi-factor authentication (MFA) adds a second step to sign in, such as an app prompt or hardware token. That way, stolen passwords alone are not enough.

In Microsoft 365 you can:

  • enforce MFA for all users, not just admins
  • use the Microsoft Authenticator app or other supported methods
  • apply sign-in policies that reduce risk, especially for higher-risk logins

If some users are still not on MFA, consider them high risk and move them to the top of the queue. Many mailbox compromises begin with one unprotected account. If you need an internal explainer to help staff understand the ‘why’, Unite’s short guide on MFA can be useful.

Rolling out MFA across your organisation also brings you closer to Cyber Essentials certification, which formalises baseline controls around access management, secure configuration and malware protection. Many SMEs find that working towards Cyber Essentials gives them a practical framework for making these security improvements stick.

Turn off legacy and basic authentication

Older email connection methods, often called legacy or basic authentication, either do not support MFA or handle it poorly. Microsoft has been moving organisations towards modern authentication, and it is worth checking whether any older apps or devices are still using legacy sign-in routes.

Ask your IT support or administrator to:

  • review sign-in logs to see if older protocols are still being used
  • disable legacy authentication for mail protocols that are not required
  • plan replacements for any older devices or apps that still rely on it

This closes off a whole category of password-only attacks.
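The review and clean-up described above, as an added example in Exchange Online PowerShell (this is not code from the original article or from Unite). It assumes the ExchangeOnlineManagement module, an Exchange administrator role and, for the sign-in log part, the Microsoft.Graph.Reports module with sign-in log access; admin@example.com and scanner@example.com are placeholders.

```powershell
# Added example (not from the article or Unite): find which mailboxes still allow
# basic-auth mail protocols (POP, IMAP, SMTP AUTH) and switch them off.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder account

# Tenant-wide default for SMTP AUTH; a per-mailbox value of $null means "inherit this"
$orgSmtpAuthDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

$legacy = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $smtpAuthOff = if ($null -eq $_.SmtpClientAuthenticationDisabled) {
        $orgSmtpAuthDisabled
    } else {
        $_.SmtpClientAuthenticationDisabled
    }
    [pscustomobject]@{
        Mailbox     = "$($_.PrimarySmtpAddress)"
        PopEnabled  = $_.PopEnabled
        ImapEnabled = $_.ImapEnabled
        SmtpAuthOn  = -not $smtpAuthOff
    }
} | Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpAuthOn }
$legacy | Format-Table -AutoSize

# Devices that genuinely still need SMTP AUTH (a scanner, an alarm panel); keep this short
$exceptions = @('scanner@example.com')   # placeholder

foreach ($m in $legacy) {
    if ($exceptions -contains $m.Mailbox) { continue }
    # Remove -WhatIf once the list printed above has been reviewed
    Set-CASMailbox -Identity $m.Mailbox -PopEnabled $false -ImapEnabled $false `
        -SmtpClientAuthenticationDisabled $true -WhatIf
}
# Make "off" the tenant default too; the per-mailbox exceptions above override it
Set-TransportConfig -SmtpClientAuthenticationDisabled $true -WhatIf

# Cross-check against what is actually signing in: group the last 7 days of sign-ins
# by client type. Anything other than "Browser" or "Mobile Apps and Desktop clients"
# (for example "IMAP4", "POP3", "Authenticated SMTP", "Other clients") deserves a look.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Group-Object ClientAppUsed |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```

Microsoft has already switched off basic authentication for most Exchange Online protocols, so SMTP AUTH is the one most tenants still control themselves; that is why the block concentrates on it and on the sign-in log, which shows whether anything is still arriving over the older client types.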

Keep admin accounts rare and separate

People with admin rights can change security settings, create forwarding rules and grant permissions to other mailboxes. That makes them prime targets.

Good practice is to:

  • use dedicated admin accounts that are not used for day-to-day email
  • protect all admin accounts with MFA and stricter sign-in rules
  • limit who has admin roles and review those roles regularly

The fewer powerful accounts you have, the smaller your high-impact attack surface.

Harden your Microsoft 365 mailboxes

Once your sign-in layer is stronger, focus on making each mailbox less useful to an attacker and more likely to flag suspicious behaviour.

Strengthen anti-phishing and spam protection

Microsoft 365 allows you to tune anti-phishing, anti-spam and anti-malware policies. These can:

  • flag messages that fail authentication checks or come from lookalike domains
  • add warning banners for external senders or higher-risk messages
  • quarantine suspicious mail instead of quietly delivering it

Ask your IT provider to review:

  • whether your policies go beyond the defaults
  • whether impersonation protection is enabled for key roles such as directors and finance staff
  • whether users see clear, understandable warnings when something looks off

A slightly more assertive configuration can remove many low-quality phishing attempts before they land in inboxes.
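The policy review and impersonation protection described above, as an added example in Exchange Online PowerShell (not code from the original article or from Unite). It assumes the ExchangeOnlineManagement module, an Exchange administrator role and a Microsoft Defender for Office 365 licence, which the impersonation settings require; the names and addresses in $protectedUsers are placeholders.

```powershell
# Added example (not from the article or Unite): check the default anti-phishing
# policy, then enable impersonation protection for the roles BEC most often spoofs.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder account

# Review what the default policy currently does before changing anything
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Select-Object EnableTargetedUserProtection, TargetedUsersToProtect,
                  EnableOrganizationDomainsProtection, EnableMailboxIntelligenceProtection,
                  PhishThresholdLevel, EnableFirstContactSafetyTips

# People most often impersonated in BEC; the format is "Display name;address" (placeholders)
$protectedUsers = @(
    'Jane Director;jane.director@example.com',
    'Sam Finance;sam.finance@example.com'
)

Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableFirstContactSafetyTips $true `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -PhishThresholdLevel 2   # 1 = Standard, 2 = Aggressive, 3 = More aggressive, 4 = Most aggressive

# Show an "External" tag in Outlook on mail from outside the organisation
Set-ExternalInOutlook -Enabled $true
```

Quarantining impersonation hits is the more assertive choice the article refers to; a tenant that wants to start gently can use MoveToJmf (the Junk folder) for the targeted-user and domain actions first, then move to Quarantine once the safety tips have been in place for a while and users are used to them.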

Block risky forwarding and mailbox rules

Attackers often add mailbox rules after a compromise, for example:

  • forwarding all mail to an external address they control
  • hiding messages that include words such as ‘payment’ or ‘invoice’
  • deleting copies of sent messages so staff cannot see what went out

You can reduce this risk by:

  • blocking or restricting automatic forwarding to external domains
  • enabling mailbox auditing so rule changes are logged
  • setting alerts for unusual forwarding patterns or rule creation

Even simple checks, such as reviewing mailbox rules after any suspected incident, can catch abuse early.
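A rule review that looks for exactly the three patterns listed above, plus the tenant-wide forwarding restriction, as an added example in Exchange Online PowerShell (not code from the original article or from Unite). It assumes the ExchangeOnlineManagement module and an Exchange administrator role; the keyword and folder lists are constructed starting points, and admin@example.com is a placeholder.

```powershell
# Added example (not from the article or Unite): find inbox rules and mailbox-level
# forwarding that match common BEC patterns, then restrict external auto-forwarding.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder account

$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }
$moneyWords      = 'invoice', 'payment', 'bank', 'remittance', 'wire', 'transfer'   # constructed list
$hiddenFolders   = 'RSS', 'Junk', 'Deleted', 'Archive', 'Conversation History'      # constructed list

# Rule recipients come back as strings such as  "Name" [SMTP:a@b.com]  or  "Name" [EX:/o=...];
# pull out the SMTP address and decide whether it sits outside our own domains.
function Test-ExternalRecipient {
    param([string[]]$Recipients)
    foreach ($r in ($Recipients | Where-Object { $_ })) {
        if ($r -match '\[SMTP:([^\]]+)\]') {
            $domain = (($Matches[1] -split '@')[-1]).ToLower()
            if ($internalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $upn = $mbx.UserPrincipalName

    # Forwarding set on the mailbox itself (e.g. via Set-Mailbox) rather than in a rule
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $upn; Rule = '(mailbox forwarding)'; Enabled = $true
            Reason  = "forwards to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
        }
    }

    foreach ($rule in Get-InboxRule -Mailbox $upn) {
        $reasons = @()
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        if (Test-ExternalRecipient $targets) { $reasons += 'forwards or redirects outside the organisation' }
        if ($rule.DeleteMessage)             { $reasons += 'deletes messages' }
        if ($rule.MoveToFolder -and ($hiddenFolders | Where-Object { $rule.MoveToFolder -match $_ })) {
            $reasons += "moves mail to $($rule.MoveToFolder)"
        }
        $words = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.SubjectOrBodyContainsWords)
        if ($words | Where-Object { $w = $_; $moneyWords | Where-Object { $w -match $_ } }) {
            $reasons += 'keys on money-related words'
        }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $upn; Rule = $rule.Name; Enabled = $rule.Enabled
                Reason  = ($reasons -join '; ')
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Stop the tenant auto-forwarding to the outside world. Genuine exceptions can be given
# their own outbound spam policy scoped to just those users instead of relaxing the default.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

A finding is not proof of compromise: staff do create rules that file invoices or forward mail to a personal address, which is precisely why the script reports a reason for each hit and leaves the decision to whoever reviews it. Run it after any suspected incident and on a regular schedule, and keep the output so rule changes between runs stand out.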

Turn on logging and alerting

Logs only help if they exist before an incident. In Microsoft 365, make sure that:

  • mailbox audit logging is enabled for all users
  • sign-in logs are retained for a sensible period
  • alert policies exist for repeated failed sign-ins, suspicious inbox rules and mass forwarding

You do not need a full security operations centre to benefit. Even monthly reviews, or alerts that route to a support desk, are better than staying blind. This is often included within an ongoing support model like Managed IT Services, where monitoring and incident handling are clearly owned.
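The audit and alert checks described above, as an added example in Exchange Online PowerShell (not code from the original article or from Unite). It assumes the ExchangeOnlineManagement module and an Exchange administrator role; admin@example.com is a placeholder.

```powershell
# Added example (not from the article or Unite): confirm mailbox auditing is on, then
# pull the last week's inbox-rule and forwarding changes out of the unified audit log.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder account

# 1. Mailbox auditing is on by default for the tenant; make sure nobody has switched it off
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}
# Older per-mailbox overrides can still leave individual mailboxes unaudited
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object { Set-Mailbox -Identity $_.UserPrincipalName -AuditEnabled $true }

# 2. Who created or changed inbox rules, or set forwarding, in the last 7 days?
#    (use -SessionCommand ReturnLargeSet and page through if a tenant exceeds 5000 records)
$ops     = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox'
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations $ops -ResultSize 5000

$events = foreach ($rec in $records) {
    $d = $rec.AuditData | ConvertFrom-Json
    # Parameters is an array of {Name, Value} pairs; flatten to "Name=Value" for reading
    $params = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    # Set-Mailbox is noisy; keep only the calls that touched forwarding
    if ($d.Operation -eq 'Set-Mailbox' -and $params -notmatch 'Forwarding') { continue }
    [pscustomobject]@{
        When      = $d.CreationTime
        Operation = $d.Operation
        Actor     = $d.UserId
        Mailbox   = $d.ObjectId
        ClientIP  = $d.ClientIP
        Details   = $params
    }
}
$events | Sort-Object When | Format-Table -AutoSize
```

The Actor and ClientIP columns are what make this useful in a review: a rule created by the mailbox owner from the office is routine, the same rule created from an unfamiliar address at 3 a.m. is not. For ongoing alerting rather than a weekly pull, the built-in alert policies in the Microsoft Defender portal for forwarding or redirect rule creation and suspicious email forwarding cover the same operations and can route to a support desk mailbox.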

Technology alone cannot stop business email compromise. Many attacks succeed because a manipulated email is enough to move money. That means you also need a couple of process changes.

Never rely on email alone to change payment details

A common pattern in BEC cases looks like this:

  • attacker gains access to a supplier or customer mailbox
  • they monitor real conversations
  • when a payment is due, they send a believable message asking for new bank details

To reduce risk, make it policy that:

  • any change to bank details is confirmed using a second, independent channel, such as a known phone number
  • new suppliers go through a simple verification checklist before first payment
  • staff know they will never be criticised for double-checking an unusual request

These checks slow fraud down without adding much overhead.

Set clear rules for high-value or urgent requests

BEC attackers often use urgency and authority, such as pretending to be the managing director asking for a quick ‘confidential’ transfer.

Counter this with simple controls:

  • require a second approver for payments above a set threshold
  • verify urgent, unusual transfers by phone with the requester
  • train leaders not to ask for exceptions to these rules by email

Over time, this creates a culture where no single email can move large sums of money without friction.

Train staff to spot and report suspicious activity

Your team are both the main target and your best defence. Training does not need to be technical or dramatic. It should focus on patterns they are likely to see.

Helpful topics include:

  • what business email compromise looks like in practice
  • examples of fake invoice, supplier change and ‘CEO fraud’ emails
  • simple checks to run before acting on money-related requests
  • how to report something that feels off, without fear of blame

Short, regular reminders often work better than one long annual session. Unite provides Huntress Managed Security Awareness Training that delivers bite-sized monthly modules on topics like BEC, phishing and payment fraud, with simulated attacks to test what staff have learned in a realistic but safe environment. Encourage people to share near misses, anonymised where needed, so others can learn.

A simple Microsoft 365 mailbox security checklist

You do not need to fix everything at once. Start by reviewing a core set of controls.

Identity and access

  • MFA enforced for all users, including admins
  • legacy and basic authentication disabled wherever possible
  • admin accounts separated from normal mailboxes

Mailbox protection

  • anti-phishing and anti-spam policies tuned beyond defaults
  • impersonation protection set for key roles
  • automatic forwarding to external addresses restricted
  • mailbox audit logging enabled

Monitoring and response

  • alerts for repeated sign-in failures and suspicious rules
  • clear process for what to do if a mailbox is suspected of being compromised
  • regular review of security reports in the Microsoft 365 admin centre

Business process controls

  • call-back checks for any change to bank details
  • dual approval for higher-value payments
  • simple written policy staff can refer to when unsure

Even partial progress on this list raises the bar for attackers.

Turning mailbox security into a normal part of running the business

For most SMEs, the biggest obstacle is not a lack of awareness that the risks exist; it is finding the time and confidence to address them. Security can feel like an extra project that never quite reaches the top of the list.

A more manageable approach is to treat Microsoft 365 mailbox security as routine housekeeping, similar to checking backups or reviewing insurance. That might mean:

  • setting aside a small block of time each quarter to review key settings and alerts
  • asking your IT support to provide a simple report on sign-in security and mailbox rules
  • gradually tightening controls as your team becomes comfortable with the changes

Handled this way, locking down your Microsoft 365 mailboxes becomes less about reacting to scare stories and more about quietly reducing risk in the background.

Next steps

If you want to stop business email compromise, focus on three areas: stronger sign-ins, hardened mailbox controls, and payment verification processes that do not rely on email alone. These steps are realistic for most SMEs and make it much harder for criminals to hijack conversations and redirect money.

Not sure where to start? Book a short conversation with the Unite team about Microsoft 365 mailbox security and business email compromise prevention. We can help you review your current setup, prioritise practical changes and support ongoing monitoring so safer choices become the default.