From chaos to control in three hours

A phishing email triggers email hijacking and 50,000 messages a day. Invoice fraud follows. Operations are restored inside three hours.


At 7.43am on a Tuesday, a member of the team clicked a link in what appeared to be a supplier email. By 9am, the business had unknowingly sent fraudulent payment instructions to three clients. By 10am, the inbox was receiving 50,000 automated messages a day – rendering email completely unusable.

No one could work. Suppliers couldn’t reach anyone. Clients were already questioning payment requests they hadn’t asked for. The phone was ringing and there was nothing helpful to say.

They called us.

Three hours after sign-up, the attack had been neutralised, email was restored, and the team was back online. The full Essentials package was deployed the same day.

Key performance indicators

  • 3hrs from sign-up to operations restored
  • 50,000 malicious emails/day blocked and neutralised
  • 0 further incidents following full Essentials deployment

What we did to help

Our team picked up the call, assessed the situation and began working immediately – before any contract was signed. The first priority was stopping the bleeding.

We isolated the compromised account, revoked active sessions and locked out the attacker while preserving the mailbox for forensic review. Email flow was rerouted and filtering rules were implemented to neutralise the bombing campaign. Within three hours, the team had working email again.

We then deployed the full Essentials package: endpoint protection, email security, multi-factor authentication, Conditional Access, and identity management via Microsoft Entra. Security rules were configured to prevent the attack pattern from recurring. Clients were briefed with a clear, factual summary – keeping reputational damage to a minimum.

Security Awareness Training followed in the weeks after, so the human entry point that started everything was addressed, not just the technical one.

What is business email compromise?

Business email compromise (BEC) is one of the most financially damaging forms of cyber attack targeting organisations of every size. Unlike ransomware or data theft, BEC attacks are designed to be quiet – at least at first.

An attacker gains access to a legitimate email account, typically through phishing, and uses it to:

  • Monitor communications – reading threads, learning the language and relationships of the business
  • Insert fraudulent payment instructions – impersonating the business to redirect invoices or change supplier bank details
  • Impersonate senior staff – requesting urgent payments from finance teams or clients, using real context to add credibility

BEC attacks succeed because the email comes from a genuine account. There’s no suspicious sender, no typo-laden domain – just a message from someone the recipient already trusts. That’s what makes them so effective and so costly. According to the FBI, BEC causes billions in losses globally each year, and UK businesses are a primary target.

Once inside, attackers often stay undetected for weeks before making a move. Strong identity and access controls are the most reliable way to shorten that window – and to catch the intrusion before the fraud begins.

“We were completely stuck. No email, clients on the phone, staff unable to do anything. Outside Help picked up, didn’t ask us to read terms and conditions, and just started fixing it. By lunchtime we were operational again.”

– Managing Director

What is email bombing?

Email bombing is a denial-of-service attack delivered through the inbox. An attacker floods an email address with thousands or tens of thousands of messages in a short period – sometimes automated sign-up confirmations from legitimate websites, sometimes pure spam volume.

The goal is usually to:

  • Overwhelm the inbox so that critical messages – from a bank, a supplier, a client – are buried and go unread
  • Cover the tracks of another attack happening simultaneously – in this case, the BEC and invoice fraud activity was hidden beneath the noise
  • Render email unusable so the business can’t respond, communicate or function while the attacker operates

Email bombing doesn’t require hacking. It requires only volume — and it’s extremely effective at creating chaos and buying time. Without robust email security controls, a targeted bombing campaign can bring operations to a halt within minutes.
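
Because a bombing campaign is often cover for something else, the useful triage question is which genuine messages arrived while the flood was running. The following is an added example, not tooling from this case study: it finds the flood window in a message trace and pulls out mail from known correspondents inside it. The trace records, thresholds and domains are constructed assumptions.

```python
# Added example. Trace records, thresholds and domains are constructed assumptions.
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: tune to the mailbox's normal traffic
MIN_MESSAGES = 40                # messages per window treated as a flood
MIN_DOMAIN_RATIO = 0.8           # sign-up floods arrive from many unrelated domains

def domain(address):
    return address.rsplit("@", 1)[-1].lower()

def find_flood(messages):
    """Return (start, end) of flood activity in a time-sorted trace, or None."""
    window, start, end = deque(), None, None
    for msg in messages:
        window.append(msg)
        while msg["received"] - window[0]["received"] > WINDOW:
            window.popleft()
        domains = {domain(m["sender"]) for m in window}
        if len(window) >= MIN_MESSAGES and len(domains) / len(window) >= MIN_DOMAIN_RATIO:
            if start is None:
                start = window[0]["received"]
            end = msg["received"]
    return (start, end) if start is not None else None

def buried_messages(messages, flood, known_domains):
    """Mail from known correspondents that arrived while the flood was running."""
    start, end = flood
    return [m for m in messages
            if start <= m["received"] <= end and domain(m["sender"]) in known_domains]

def sample_trace():
    """Constructed trace: a quiet hour, then a sign-up flood hiding one bank alert."""
    t0 = datetime(2024, 1, 9, 9, 0)
    flood_start = t0 + timedelta(hours=1)
    trace = [{"received": t0 + timedelta(minutes=15 * i),
              "sender": "orders@supplier.example", "subject": "Order update"}
             for i in range(3)]
    trace += [{"received": flood_start + timedelta(seconds=10 * i),
               "sender": f"noreply@site{i}.example", "subject": "Confirm your subscription"}
              for i in range(120)]
    trace.append({"received": flood_start + timedelta(minutes=12),
                  "sender": "alerts@bank.example", "subject": "New payee added"})
    return sorted(trace, key=lambda m: m["received"])

if __name__ == "__main__":
    trace = sample_trace()
    flood = find_flood(trace)
    print(flood, buried_messages(trace, flood, {"bank.example", "supplier.example"}))
```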


Warning signs of business email compromise

BEC is designed to stay hidden for as long as possible. Signs to watch for include:

  • Clients or suppliers reporting unexpected changes to bank details or payment instructions
  • Payment requests that arrive with unusual urgency or slightly different phrasing than normal
  • Emails appearing to be sent from a colleague or director you wouldn’t normally expect to hear from directly
  • An inbox flooded with spam or sign-up confirmations – often a cover for a concurrent attack
  • Login activity from unfamiliar locations or devices in your Microsoft 365 audit logs
  • A sent items folder containing emails you don’t recognise

Many businesses only discover a BEC attack when a client calls to query a payment instruction – by which point the window to recall the transfer is already closing.

What to do if you suspect business email compromise

If you believe an email account has been compromised:

  • Change the password immediately – from a separate, uncompromised device if possible.
  • Revoke active sessions in Microsoft 365 Admin or Entra – this kicks out any attacker who is currently logged in.
  • Enable MFA right now if it isn’t already active – this prevents the stolen credentials being reused even if the password has been changed.
  • Check sent items and mail rules – attackers frequently set up forwarding rules or auto-deleting rules to hide their activity and maintain access.
  • Contact any clients or suppliers who may have received fraudulent payment instructions – the faster you reach them, the more chance of recalling a transfer.
  • Call your bank and any affected suppliers’ banks – request a recall or freeze on any transactions initiated in the last 24–48 hours.
  • Report to Action Fraud – 0300 123 2040 or actionfraud.police.uk.
  • Contact your IT or managed security provider immediately for forensic review and remediation.

Speed is critical. Each hour increases the likelihood that funds are unrecoverable and that further damage is done.
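
The mail-rule check in the list above can be scripted once a mailbox's rules have been exported. The following is an added example, not the provider's own tooling: it assumes rules in the shape of Microsoft Graph's messageRule resource and flags those that forward mail externally or hide it, and the domain, keyword list and sample rules are constructed.

```python
# Added example. Rule layout follows the Microsoft Graph messageRule resource;
# the rules, addresses and keyword list below are constructed for illustration.
INTERNAL_DOMAINS = {"example.co.uk"}   # assumption: domains the tenant owns
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance"}

def forward_targets(actions):
    """Every address a rule forwards or redirects mail to, lower-cased."""
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for recipient in actions.get(key) or []:
            yield recipient["emailAddress"]["address"].lower()

def triage_rule(rule):
    """Return the reasons (possibly none) a rule needs an analyst's attention."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    reasons = []
    external = sorted({a for a in forward_targets(actions)
                       if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS})
    if external:
        reasons.append("forwards outside the organisation: " + ", ".join(external))
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes matching mail")
    elif actions.get("moveToFolder") and actions.get("markAsRead"):
        reasons.append("moves matching mail out of the inbox and marks it read")
    words = set()
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        words.update(w.lower() for w in conditions.get(key) or [])
    hits = sorted(words & FINANCE_WORDS)
    if reasons and hits:   # keyword filters matter only on rules that hide or leak
        reasons.append("targets payment-related mail: " + ", ".join(hits))
    return reasons

def triage_mailbox(rules):
    """Map rule name -> reasons, for flagged rules only."""
    results = {r.get("displayName", "(unnamed)"): triage_rule(r) for r in rules}
    return {name: why for name, why in results.items() if why}

SAMPLE_RULES = [   # constructed export of one mailbox's rules
    {"displayName": "Newsletters", "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "folder-id-1"}},
    {"displayName": "..", "conditions": {"subjectContains": ["Invoice", "Payment"]},
     "actions": {"moveToFolder": "folder-id-2", "markAsRead": True}},
    {"displayName": "sync", "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mail.example"}}]}},
    {"displayName": "Team copy", "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ops@example.co.uk"}}]}},
]
if __name__ == "__main__":
    print(triage_mailbox(SAMPLE_RULES))
```

Rules flagged this way should be recorded before they are removed, since they show what the attacker was watching for and where copies were sent.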

How we protect businesses against BEC and email bombing

Immediate incident response

We don't put affected businesses on hold. When an active attack is in progress, we respond. That means isolating accounts, blocking attack vectors and restoring operations – before the paperwork.

Email security and filtering

Our Essentials package includes layered email protection: spam filtering, malicious link detection, impersonation protection and rules that catch the patterns BEC and bombing attacks create.

Multi-factor authentication and Conditional Access

Even if an attacker obtains valid credentials, MFA prevents them logging in from an unrecognised device. Conditional Access policies add another layer — blocking logins from unusual locations or at unusual hours and forcing verification before sensitive actions are allowed.

Identity management via Microsoft Entra

Centralised identity management gives complete visibility of who is logged into what, from where. It makes anomalous access patterns visible and makes session revocation instant – cutting off an attacker mid-attack rather than hours later.

Security Awareness Training

The entry point for this attack was a single click on a phishing link. Security Awareness Training doesn't eliminate human error, but it reduces it significantly – and trains staff to pause, question and report suspicious messages before acting on them.

Backup and recovery

In a worst-case scenario, backup and recovery means mailbox data, files and configurations can be restored. BEC attacks sometimes involve data deletion or encryption — having a clean recovery point reduces the blast radius significantly.

Common questions

  • The initial access came via a phishing email – a convincing fake that persuaded someone on the team to enter their Microsoft 365 credentials on a spoofed login page. Once the attacker had those credentials, they could log in as a genuine user. This is why MFA is non-negotiable: credentials alone should never be sufficient to access an account.

  • Because the attack came from inside. When an attacker is using a legitimate account, outbound email filters don’t flag the messages – they look genuine, because the account is genuine. Protection relies on a combination of identity controls, anomaly detection and trained staff.

  • We prioritise incidents. In this case, we were working on the problem within minutes of the call. Response time varies, but active attacks always come first.

  • Some policies cover social engineering and fraud, but many have conditions around what controls need to be in place. Checking your policy terms before an incident – and ensuring you have documented controls – is the best preparation. We can help you understand what your insurer expects to see.

  • Phishing casts a wide net — bulk emails sent to thousands of targets in the hope that someone clicks. BEC is targeted and researched: attackers choose a specific business, understand its relationships and processes, and exploit that knowledge. BEC attacks are rarer but significantly more damaging per incident.
