Business Email Compromise cost organizations $2.9 billion in 2023 according to the FBI’s IC3 report. It’s not a sophisticated zero-day exploit — it’s an attacker who gets a user’s credentials (usually via phishing), then quietly sets up email forwarding to exfiltrate data, creates inbox rules to hide evidence, and grants themselves delegate access that survives password resets.
The problem? These persistence mechanisms are invisible in normal admin dashboards. Exchange Online doesn’t surface “who has forwarding enabled” in a single view. There’s no built-in alert when an inbox rule silently deletes security notifications. By the time the damage is noticed, the attacker has been reading every email for weeks.
Audit My Tenant now scans every user mailbox during routine compliance scans and surfaces three critical BEC indicators:
Mailbox Forwarding — Identifies users with SMTP forwarding configured to external addresses. This is the primary data exfiltration mechanism in BEC attacks. The dashboard immediately flags external vs. internal forwarding, shows the forwarding type (SMTP, inbox rule, or transport rule), and whether a copy is retained in the mailbox.
Suspicious Inbox Rules — Analyzes per-user inbox rules for patterns that indicate compromise: rules that forward or redirect to external addresses, rules that auto-delete messages (hiding evidence), rules that move and mark-as-read (suppressing notifications), and broad-match rules with no conditions that apply to all incoming mail. Each rule is evaluated and flagged with specific reasons.
Delegate Access — Enumerates mailbox delegates (SendAs, SendOnBehalf, FullAccess) and flags external delegates. Attackers commonly grant themselves delegate access because it persists after password resets and MFA re-enrollment — it’s the most durable form of persistence in Exchange Online.
When a tenant is clean, the dashboard shows a clear “All Clear” confirmation. When indicators are found, it shows exactly which users are affected, what the risk is, and what to investigate.
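The three indicators above map directly onto Exchange Online cmdlets. The script below is an added example written for this post, not Audit My Tenant's own code. It assumes Connect-ExchangeOnline has already been run with a role that can read recipients and mailbox permissions, that `$InternalDomains` (a constructed placeholder) lists the tenant's accepted domains, and that the set of inbox-rule condition properties checked for the broad-match pattern is a practical subset rather than an exhaustive one.

```powershell
# Added example, not Audit My Tenant's own code: collect the three BEC persistence
# indicators (forwarding, suspicious inbox rules, delegates) from Exchange Online.
# Assumes Connect-ExchangeOnline has already been run. $InternalDomains is a
# constructed placeholder; replace it with the tenant's accepted domains.
#Requires -Modules ExchangeOnlineManagement

param(
    [string[]]$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com')
)

# $true when a string containing an SMTP address points outside the tenant's domains.
# Handles "smtp:user@domain" (ForwardingSmtpAddress) and the '"Name" [SMTP:user@domain]'
# form that inbox rule recipients render as.
function Test-ExternalAddress {
    param([string]$Value)
    if ($Value -notmatch '[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)') { return $false }
    return ($InternalDomains -notcontains $Matches[1].ToLowerInvariant())
}

# Inbox rule parameters that narrow which messages a rule matches (subset, assumption).
# A rule that sets none of them applies to every incoming message.
$conditionProps = 'From', 'SentTo', 'SubjectContainsWords', 'BodyContainsWords',
    'SubjectOrBodyContainsWords', 'FromAddressContainsWords', 'HeaderContainsWords',
    'HasAttachment', 'MyNameInToBox', 'MyNameInCcBox', 'SentOnlyToMe', 'MessageTypeMatches'

$findings  = [System.Collections.Generic.List[object]]::new()
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward, GrantSendOnBehalfTo

foreach ($mbx in $mailboxes) {
    $upn = $mbx.UserPrincipalName

    # 1. Mailbox-level forwarding: ForwardingSmtpAddress is an arbitrary SMTP target,
    #    ForwardingAddress is an internal recipient object.
    $target = if ($mbx.ForwardingSmtpAddress) { [string]$mbx.ForwardingSmtpAddress }
              elseif ($mbx.ForwardingAddress) { [string]$mbx.ForwardingAddress }
    if ($target) {
        $findings.Add([pscustomobject]@{
            User = $upn; Indicator = 'Forwarding'; Detail = $target
            External = Test-ExternalAddress $target
            Reason   = "SMTP forwarding; copy retained in mailbox: $($mbx.DeliverToMailboxAndForward)"
        })
    }

    # 2. Inbox rules showing the compromise patterns described in the text.
    foreach ($rule in (Get-InboxRule -Mailbox $upn)) {
        $reasons = @()
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ } | ForEach-Object { [string]$_ }
        $externalTargets = @($targets | Where-Object { Test-ExternalAddress $_ })
        if ($externalTargets.Count -gt 0) { $reasons += "forwards/redirects externally to $($externalTargets -join ', ')" }
        if ($rule.DeleteMessage)                      { $reasons += 'auto-deletes messages' }
        if ($rule.MoveToFolder -and $rule.MarkAsRead) { $reasons += 'moves and marks as read' }
        $hasCondition = @($conditionProps | Where-Object { $rule.$_ }).Count -gt 0
        if ($reasons.Count -gt 0 -and -not $hasCondition) { $reasons += 'no conditions, matches all incoming mail' }
        if ($reasons.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                User = $upn; Indicator = 'InboxRule'; Detail = "$($rule.Name) (enabled: $($rule.Enabled))"
                External = ($externalTargets.Count -gt 0)
                Reason   = ($reasons -join '; ')
            })
        }
    }

    # 3. Delegates: FullAccess, SendAs and SendOnBehalf. These survive password resets
    #    and MFA re-enrollment, so every non-default entry is listed for review.
    $delegates = [System.Collections.Generic.List[object]]::new()
    $fullAccess = Get-MailboxPermission -Identity $upn | Where-Object {
        $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' }
    foreach ($p in $fullAccess) { $delegates.Add(@{ Type = 'FullAccess'; Who = [string]$p.User }) }
    $sendAs = Get-RecipientPermission -Identity $upn | Where-Object {
        $_.AccessRights -contains 'SendAs' -and $_.Trustee -ne 'NT AUTHORITY\SELF' }
    foreach ($p in $sendAs) { $delegates.Add(@{ Type = 'SendAs'; Who = [string]$p.Trustee }) }
    foreach ($who in @($mbx.GrantSendOnBehalfTo)) {
        if ($who) { $delegates.Add(@{ Type = 'SendOnBehalf'; Who = [string]$who }) }
    }
    foreach ($d in $delegates) {
        # Guest accounts carry #EXT# in their UPN; anything else is judged by domain.
        $isExternal = ($d.Who -like '*#EXT#*') -or (Test-ExternalAddress $d.Who)
        $findings.Add([pscustomobject]@{
            User = $upn; Indicator = 'Delegate'; Detail = "$($d.Type): $($d.Who)"
            External = $isExternal
            Reason   = if ($isExternal) { 'external or guest delegate' } else { 'confirm the delegation is expected' }
        })
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'All Clear: no forwarding, suspicious inbox rules or delegates found.'
} else {
    $findings | Sort-Object External -Descending |
        Format-Table User, Indicator, External, Detail, Reason -AutoSize -Wrap
}
```

Get-InboxRule runs once per mailbox, so on a large tenant this takes a while; the External column and the Reason text are what to triage first, and piping `$findings` to Export-Csv gives a baseline to diff against the next run, which is how a newly created rule or delegate stands out.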
The second new tool addresses another growing attack vector: illicit consent grants. Attackers register malicious applications that request broad permissions (Mail.ReadWrite.All, Directory.ReadWrite.All), trick an admin into consenting, and then use those permissions to access tenant data programmatically — no credentials needed.
The App Permission Audit inspects every third-party enterprise application registered in Entra ID:
Directory.ReadWrite.All and AppRoleAssignment.ReadWrite.All are automatically flagged with severity ratings (Critical, High, Medium).
Microsoft built-in service principals (Azure MFA, Cortana, Teams, etc.) are automatically filtered — you only see apps that matter.
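The same enumeration can be done against Entra ID with the Microsoft Graph PowerShell SDK. The script below is an added example for this post, not Audit My Tenant's code or its severity model. It assumes Connect-MgGraph has already been run with Application.Read.All and Directory.Read.All, that the severity map is a constructed illustration of Critical/High/Medium ratings, and that the two Microsoft owner tenant ids are a sufficient first-party filter for the tenant being audited.

```powershell
# Added example, not Audit My Tenant's own code: list third-party enterprise
# applications in Entra ID that hold high-risk permissions, resolving app role ids
# to permission names so the output is readable. Assumes Connect-MgGraph has
# already been run with Application.Read.All and Directory.Read.All.
#Requires -Modules Microsoft.Graph.Applications

# Constructed severity map; extend or re-rate to match your own risk model.
$severityByPermission = @{
    'Directory.ReadWrite.All'            = 'Critical'
    'AppRoleAssignment.ReadWrite.All'    = 'Critical'
    'RoleManagement.ReadWrite.Directory' = 'Critical'
    'Mail.ReadWrite'                     = 'High'
    'Mail.Read'                          = 'High'
    'Files.ReadWrite.All'                = 'Medium'
    'Sites.ReadWrite.All'                = 'Medium'
}

# Owner tenant ids of Microsoft first-party service principals (Azure MFA, Teams,
# Cortana and similar). Principals owned by these tenants are skipped.
$microsoftOwnerTenants = @(
    'f8cdef31-a31e-4b4a-93e4-5f571e91255a',  # Microsoft Services
    '72f988bf-86f1-41af-91ab-2d7cd011db47'   # Microsoft
)

# App role assignments carry only a GUID; the permission name lives on the resource
# service principal (e.g. Microsoft Graph), so resolve it once per resource.
$roleNameCache = @{}
function Resolve-AppRoleName {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $roleNameCache.ContainsKey($ResourceId)) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $ResourceId -Property AppRoles
        $map = @{}
        foreach ($role in $resource.AppRoles) { $map[[string]$role.Id] = $role.Value }
        $roleNameCache[$ResourceId] = $map
    }
    return $roleNameCache[$ResourceId][$AppRoleId]
}

$findings = [System.Collections.Generic.List[object]]::new()
$servicePrincipals = Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" `
    -Property Id, DisplayName, AppId, AppOwnerOrganizationId, AccountEnabled

foreach ($sp in $servicePrincipals) {
    if ($microsoftOwnerTenants -contains [string]$sp.AppOwnerOrganizationId) { continue }

    # Application permissions: app roles granted to this principal. These work with
    # no signed-in user, which is what makes an illicit grant so useful to an attacker.
    foreach ($assignment in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        $permission = Resolve-AppRoleName -ResourceId $assignment.ResourceId -AppRoleId $assignment.AppRoleId
        if ($permission -and $severityByPermission.ContainsKey($permission)) {
            $findings.Add([pscustomobject]@{
                Severity = $severityByPermission[$permission]
                App = $sp.DisplayName; AppId = $sp.AppId; Enabled = $sp.AccountEnabled
                Kind = 'Application'; Permission = $permission
                Resource = $assignment.ResourceDisplayName
            })
        }
    }

    # Delegated permissions with tenant-wide admin consent (ConsentType AllPrincipals).
    foreach ($grant in (Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)) {
        if ($grant.ConsentType -ne 'AllPrincipals') { continue }
        foreach ($scope in ($grant.Scope -split '\s+' | Where-Object { $_ })) {
            if ($severityByPermission.ContainsKey($scope)) {
                $findings.Add([pscustomobject]@{
                    Severity = $severityByPermission[$scope]
                    App = $sp.DisplayName; AppId = $sp.AppId; Enabled = $sp.AccountEnabled
                    Kind = 'Delegated (admin consent)'; Permission = $scope
                    Resource = $grant.ResourceId
                })
            }
        }
    }
}

$rank = @{ Critical = 0; High = 1; Medium = 2 }
if ($findings.Count -eq 0) {
    Write-Host 'All Clear: no third-party application holds a flagged permission.'
} else {
    $findings | Sort-Object { $rank[$_.Severity] }, App |
        Format-Table Severity, App, Kind, Permission, Resource, Enabled -AutoSize
}
```

Two things to keep in mind when reading the output: a disabled principal (Enabled false) still holds its grants and becomes dangerous the moment it is re-enabled, and an assignment whose resource is something other than Microsoft Graph (Exchange Online, SharePoint) uses that resource's own permission names, so the severity map should be extended per resource rather than assumed to be complete.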
Both tools run automatically as part of every Audit My Tenant compliance scan. No additional configuration needed — if the required Graph API permissions are granted, the data populates automatically. BEC indicators and app permission risks feed into the same findings pipeline as all other compliance checks, with framework mappings to NIST 800-53 and MITRE ATT&CK.
The new pages live under Microsoft 365 → BEC Detection and Microsoft 365 → App Permissions in the Audit My Tenant dashboard, alongside comprehensive Scan Guide documentation that explains what each check does and how to verify findings.
These additions bring Audit My Tenant to 1,554 active security rules across 100 best practice checks, CIS benchmarks for M365, Azure, Intune, Edge, Defender, and Office, plus NIST 800-53 and MITRE ATT&CK framework mappings. Every rule includes a description, audit steps, remediation guidance, and framework cross-references.
BEC Detection and App Permission Audit are available now in all Audit My Tenant plans.