
Investigating a Business Email Compromise That Redirected an Exhibitor Payment

Published on: March 6, 2026
Incident Type: Business Email Compromise
Payment Redirected: $5,562.50
Attack Method: Domain impersonation
Systems Compromised: None

Executive Summary

A global trade show organiser discovered that an exhibitor’s booth deposit payment had been redirected to a fraudulent bank account through a Business Email Compromise (BEC) attack.

The attacker impersonated internal sales staff using a lookalike email address and issued a modified invoice containing altered banking instructions. Because the fraudulent message referenced real operational details and appeared within an existing email conversation, the organisation initially feared that their Microsoft 365 environment had been compromised.

CyberQuell was engaged to investigate the incident, determine whether internal systems had been breached, and identify the root cause of the fraud.

Following a forensic review of Microsoft 365 authentication logs, mailbox activity, and email infrastructure, CyberQuell confirmed that the attack originated externally through domain impersonation and social engineering. No evidence of internal compromise was identified.

Client Environment

The client operates a large international trade show that brings together exhibitors, booking agents, and partners from multiple countries.

Operational workflows include:

  • exhibitor registration and booth reservations
  • invoice-based payment for event participation
  • coordination between booking agents and internal sales teams
  • cross-border financial transactions

The organisation relies heavily on Microsoft 365 email communication for operational coordination and financial transactions, making email a critical component of daily business processes.

Industries that rely on email-driven financial workflows are frequently targeted by Business Email Compromise attacks, where attackers attempt to redirect legitimate payments.

Incident Trigger

The incident began when a booking agent contacted the organiser’s finance department to confirm receipt of a booth deposit payment.

Finance confirmed that no payment had been received.

When the invoice used for payment was reviewed, it became clear that the bank account information did not match the organisation’s official payment details.

This raised immediate concerns that the exhibitor had been deceived into transferring funds to a fraudulent account.

Security Concern

The fraudulent invoice appeared highly convincing. It included:

  • correct exhibitor name
  • correct booth number
  • legitimate event branding
  • accurate employee names and titles

More concerning, the fraudulent message continued an existing email conversation thread between the parties.

Because the attacker referenced real operational details, leadership needed to determine whether:

  • an internal mailbox had been compromised
  • attackers were monitoring email communications
  • additional financial fraud attempts were underway

CyberQuell was engaged to determine whether a security breach had occurred.

Attack Anatomy

The attacker executed a domain impersonation attack designed to mimic legitimate internal communication.

The organisation’s legitimate email format was:
firstname.lastname@companydomain.com

The attacker created a fraudulent address structured as:
firstname.lastname.companydomain@mail.com

By placing the company name before the ‘@’ symbol and using a free email provider, the attacker created an address that appeared legitimate at a quick glance.

Key Elements of the Attack:

  • Impersonation of internal sales staff
  • Continuation of an existing email thread
  • Social engineering claim that the organisation was migrating its email domain
  • Use of a modified invoice template
  • Alteration of only the bank remittance details
  • Direction of payment to a fraudulent UK-based bank account
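As an added illustration, not code from the CyberQuell report, the check below flags inbound sender addresses that follow the pattern described above: the organisation's name moved into the local part of a free-mail address, or a real employee's firstname.lastname reused on an external domain. It also covers near-miss registered domains, which goes beyond this incident; the domain, staff names and provider list are assumed values.

```python
import difflib
from email.utils import parseaddr

# Constructed values: the organisation's real domain, a small staff directory and the
# free-mail providers to watch. All are assumptions for this example, not from the report.
ORG_DOMAIN = "companydomain.com"
STAFF_LOCAL_PARTS = {"jane.doe", "sam.lee"}      # firstname.lastname of real staff
FREE_MAIL_PROVIDERS = {"mail.com", "gmail.com", "outlook.com", "yahoo.com"}


def analyse_sender(from_header: str, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return the reasons an inbound From: header looks like domain impersonation.

    An empty list means nothing was flagged: genuine internal mail, or an external
    sender that does not borrow the organisation's identity.
    """
    display_name, address = parseaddr(from_header)
    address = address.lower()
    if "@" not in address:
        return ["unparseable sender address"]
    local_part, domain = address.rsplit("@", 1)
    if domain == org_domain:
        return []                                 # genuine internal sender
    org_label = org_domain.split(".")[0]          # 'companydomain'
    reasons = []
    # Pattern from this incident: company name moved into the local part of a free-mail address
    if org_label in local_part and domain in FREE_MAIL_PROVIDERS:
        reasons.append("organisation name in local part of a free-mail address")
    # Local part reuses a real employee's firstname.lastname on an external domain
    if any(local_part == s or local_part.startswith(s + ".") for s in STAFF_LOCAL_PARTS):
        reasons.append("employee name reused on an external domain")
    # Display name claims the organisation while the address is external
    if org_label in display_name.lower():
        reasons.append("display name references the organisation but domain is external")
    # Near-miss registered domain (typosquat), e.g. companydomain.co
    if difflib.SequenceMatcher(None, domain, org_domain).ratio() >= 0.85:
        reasons.append("domain is a near-match for the organisation domain")
    return reasons


def is_suspicious(from_header: str) -> bool:
    """Convenience wrapper for a mail-flow rule or SIEM query."""
    return bool(analyse_sender(from_header))
```

A mail-flow rule or transport hook that calls is_suspicious() on every inbound From: header would have tagged the message in this case before it reached the booking agent.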

Technical Root Cause Breakdown

Domain Impersonation: Attacker created a lookalike email address using a free mail provider
Conversation Hijacking: Fraudulent messages continued an existing email thread
Invoice Manipulation: Legitimate invoice template reused with modified banking details
Social Engineering: Attacker claimed the organisation was migrating its email domain

CyberQuell Investigation

CyberQuell conducted a structured investigation to determine whether attackers had compromised the organisation’s Microsoft 365 environment. The investigation focused on identifying potential indicators of account compromise, unauthorised mailbox access, or suspicious authentication activity.

Phase 1 - Incident Triage

Initial steps included:

  • collecting relevant email communications
  • documenting attacker email addresses and infrastructure
  • reviewing the fraudulent invoice
  • identifying potential indicators of compromise

CyberQuell also advised the organisation to initiate fraud reporting procedures with relevant financial institutions.

Phase 2 - Microsoft 365 Forensic Review

CyberQuell performed a detailed review of Microsoft 365 security telemetry, including:

  • Azure AD sign-in logs
  • mailbox audit logs
  • forwarding rules
  • delegated mailbox access
  • OAuth application permissions
  • suspicious login geolocations
  • abnormal authentication patterns

The objective was to determine whether attackers had gained access to internal mailboxes.

Phase 3 - Validation

Following analysis of authentication activity and mailbox behaviour across the relevant accounts, CyberQuell confirmed that:

  • no suspicious login events were detected
  • no abnormal authentication patterns were present
  • no unauthorised mailbox access occurred
  • no malicious forwarding rules were configured
  • no unauthorised OAuth applications had been granted access

The investigation concluded that the organisation’s Microsoft 365 tenant had not been compromised.

CyberQuell's Investigation Approach

When financial fraud occurs through email impersonation, the most critical question is whether the attacker gained access to internal systems. CyberQuell approaches incidents like this with a structured investigation designed to confirm or rule out internal compromise. The investigation focused on three core areas:

Identity Security

Authentication logs were reviewed to identify suspicious sign-ins, unusual geolocation activity, or abnormal login patterns that could indicate compromised accounts.

Mailbox Activity

Mailbox audit logs and email forwarding configurations were analysed to determine whether attackers had gained access to internal email conversations.

Application Access

Third-party application permissions and OAuth authorisations were reviewed to detect any unauthorised integrations that might allow attackers to monitor email activity.
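The Phase 2 review and the three core areas above reduce to a small set of audit-log questions. The example below is added here and is not CyberQuell's tooling: it triages records in the shape of the Microsoft 365 unified audit log's AuditData JSON (the field and operation names used are assumptions about that export format) for outbound forwarding, delegated access, application consent and sign-ins from outside an assumed corporate range. Both sample logs are constructed; the first reproduces this case's clean outcome, the second shows what mailbox compromise would have looked like.

```python
import ipaddress
import json

# Constructed records in the shape of the unified audit log's AuditData JSON
# (Operation, UserId, ClientIP, ResultStatus, Parameters). Every value is invented.
CLEAN_LOG = [
    '{"Operation":"UserLoggedIn","UserId":"sales@companydomain.com","ClientIP":"203.0.113.10","ResultStatus":"Success"}',
    '{"Operation":"New-InboxRule","UserId":"sales@companydomain.com","Parameters":[{"Name":"Name","Value":"Exhibitors"},{"Name":"MoveToFolder","Value":"Exhibitors"}]}',
]
# What mailbox compromise would have looked like: a rule that forwards mail out, plus a
# sign-in from outside the assumed corporate range.
SUSPECT_LOG = [
    '{"Operation":"UserLoggedIn","UserId":"sales@companydomain.com","ClientIP":"198.51.100.7","ResultStatus":"Success"}',
    '{"Operation":"New-InboxRule","UserId":"sales@companydomain.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"someone@example.net"}]}',
]
KNOWN_OFFICE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress range

FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
DELEGATION_OPS = {"Add-MailboxPermission", "Add-RecipientPermission"}
CONSENT_OPS = {"Consent to application.", "Add app role assignment grant to user."}


def _params(rec: dict) -> dict:
    # Flatten the Parameters list [{Name, Value}, ...] into a dict
    return {p.get("Name"): p.get("Value") for p in rec.get("Parameters", [])}


def triage(log_lines: list[str]) -> dict[str, list]:
    """Bucket audit records into the indicators the Phase 2 review looked for."""
    findings = {"forwarding": [], "delegation": [], "oauth_consent": [], "signin": []}
    for line in log_lines:
        rec = json.loads(line)
        op, user = rec.get("Operation"), rec.get("UserId")
        if op in RULE_OPS and FORWARDING_PARAMS & _params(rec).keys():
            findings["forwarding"].append(user)
        elif op in DELEGATION_OPS:
            findings["delegation"].append(user)
        elif op in CONSENT_OPS:
            findings["oauth_consent"].append(user)
        elif op == "UserLoggedIn" and rec.get("ResultStatus") == "Success":
            raw = rec.get("ClientIP", "")
            # IPv4 entries may carry a ':port' suffix; IPv6 entries contain several colons
            ip = ipaddress.ip_address(raw.rsplit(":", 1)[0] if raw.count(":") == 1 else raw)
            if not any(ip in net for net in KNOWN_OFFICE_RANGES):
                findings["signin"].append((user, str(ip)))
    return findings


def tenant_looks_clean(findings: dict[str, list]) -> bool:
    """True when no compromise indicator fired, the outcome of this investigation."""
    return not any(findings.values())
```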

Key Findings

The fraud was executed through external domain impersonation and social engineering, rather than through a breach of the organisation’s internal systems.

The attacker did not gain access to internal mailboxes. Instead, they leveraged a convincing impersonation email and manipulated the payment process by altering bank details within a fraudulent invoice.

This type of attack is commonly known as invoice diversion fraud, a form of Business Email Compromise.

Immediate Improvements

  • Enabling anti-impersonation protections in Microsoft Defender for Office 365
  • Implementing DMARC enforcement to reduce domain spoofing
  • Deploying external sender warning banners
  • Monitoring for lookalike domains referencing the organisation

Operational Improvements

  • Implementing out-of-band verification for payment changes
  • Requiring confirmation via phone before processing new payment instructions
  • Strengthening invoice distribution procedures

Business Impact

CyberQuell’s investigation provided immediate clarity during a potentially high-risk security event.

The organisation was able to:

  • confirm that no internal breach had occurred
  • avoid unnecessary tenant-wide remediation
  • document the incident for financial and insurance purposes
  • strengthen defences against future Business Email Compromise attempts

Key Lessons

  • Business Email Compromise attacks often rely on impersonation rather than system intrusion.
  • Domain impersonation can deceive recipients when attackers mimic existing communication threads.
  • Financial workflows relying solely on email create opportunities for payment diversion fraud.
  • Payment instructions should always be verified through a secondary communication channel.

Frequently Asked Questions

What is Business Email Compromise?

Business Email Compromise is a cyber fraud technique in which attackers impersonate trusted individuals or organisations to trick victims into transferring money or sensitive information.

Does a BEC attack mean an email account was hacked?

Not necessarily. Many BEC attacks rely entirely on impersonation rather than a breach of an organisation’s email systems. Attackers can deceive victims using lookalike email addresses without ever gaining access to internal accounts.

How can organisations prevent invoice diversion attacks?

Organisations should implement payment verification procedures, anti-impersonation email protections, and domain authentication technologies such as DMARC. Any change to payment instructions should be confirmed through a separate communication channel before funds are transferred.
