Enterprise Email Security — Aaron Taylor

Enterprise Email Security

Deploying and hardening a multi-org email security stack with Barracuda ESS and Microsoft 365 Defender — including real-world incident response against an active Business Email Compromise campaign.

Platform: Microsoft 365
Tool: Barracuda ESS
Scope: 2 organizations
Role: IT Security Administrator

Orgs protected: 2
Successful breaches: 0
Active incident resolved: BEC
Email authentication hardened: DKIM, DMARC, SPF

Live incident — Business Email Compromise

During active management of this deployment, a sophisticated multi-platform BEC phishing campaign was detected targeting the organization. The attack routed through a spoofed domain, searchbriefing.com, to an attacker-controlled endpoint. I led the full incident response from detection through containment and staff notification.

The challenge

Managing email security across two distinct organizational entities — DEEM and CSC — required a centralized, policy-driven approach that could enforce consistent filtering rules, handle spoofing and phishing attempts, and integrate cleanly with an existing Microsoft 365 environment.

The additional complexity: the environment needed to be hardened proactively while also being responsive enough to handle live threats as they emerged. The BEC incident put that to the test.

How the BEC attack was handled

1. Detection. Suspicious inbound messages were identified routing through searchbriefing.com, a spoofed domain designed to impersonate a trusted sender. The pattern matched known BEC tactics.
2. Triage via Barracuda ESS and Defender. Used Barracuda's message log and Microsoft Defender Threat Explorer to trace delivery paths, identify affected mailboxes, and confirm the attacker-controlled redirect domain.
3. eDiscovery sweep via Microsoft Purview. Ran a targeted content search across all mailboxes using Purview eDiscovery to find and purge any messages that bypassed initial filtering during the campaign window.
4. Domain block and rule updates. Blocked the malicious domains at both the Barracuda and Defender layers, and updated inbound filtering rules to catch similar spoofing patterns going forward.
5. Staff communication. Drafted and distributed an org-wide phishing alert explaining the attack pattern, what to watch for, and how to report suspicious messages.
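The containment steps above, expressed as an added PowerShell example against the ExchangeOnlineManagement module. This is illustrative code written for this page, not the script used in the incident. The blocked domain (searchbriefing.com) is the one named above; the campaign window, search name, note text and any additional redirect domains are placeholders to adjust per incident. The matching block on the Barracuda ESS side is done in its admin console and is not shown.

```powershell
# Added example (not the page's own script): Defender-layer block, message-trace
# triage, Purview compliance search, preview and purge for a BEC campaign.
# Assumptions: searchbriefing.com from the page; dates, search name and notes
# are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline        # Exchange Online: message trace, Tenant Allow/Block List
Connect-IPPSSession           # Security & Compliance: compliance search and purge

$MaliciousDomains = @('searchbriefing.com')           # add confirmed redirect domains here
$WindowStart = [datetime]'2024-01-15'                 # placeholder campaign window
$WindowEnd   = [datetime]'2024-01-22'
$SearchName  = "BEC-searchbriefing-$(Get-Date -Format yyyyMMdd)"

# 1. Block the sender domains at the Defender layer (Tenant Allow/Block List).
New-TenantAllowBlockListItems -ListType Sender -Block -Entries $MaliciousDomains `
    -NoExpiration -Notes 'BEC campaign block, see incident ticket'

# 2. Triage: which mailboxes received mail from these domains in the window?
#    Message trace only covers the most recent days; older ranges need a
#    historical search or Threat Explorer, as used on the page.
$trace = Get-MessageTrace -StartDate $WindowStart -EndDate $WindowEnd -PageSize 5000
$hits  = $trace | Where-Object {
    $sender = $_.SenderAddress
    $MaliciousDomains | Where-Object { $sender -like "*@$_" }
}
$affected = $hits.RecipientAddress | Sort-Object -Unique
Write-Host "Messages from blocked domains: $($hits.Count); mailboxes affected: $($affected.Count)"

# 3. Sweep every mailbox with a compliance search over the same window (KQL).
$fromClause = ($MaliciousDomains | ForEach-Object { "from:$_" }) -join ' OR '
$Kql = "($fromClause) AND received>=$($WindowStart.ToString('yyyy-MM-dd')) AND received<=$($WindowEnd.ToString('yyyy-MM-dd'))"
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Kql | Out-Null
Start-ComplianceSearch -Identity $SearchName
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $SearchName
} until ($search.Status -eq 'Completed')
Write-Host "Compliance search matched $($search.Items) item(s)"

# 4. Preview before purging so a bad query does not delete legitimate mail.
New-ComplianceSearchAction -SearchName $SearchName -Preview | Out-Null

# 5. Purge. SoftDelete leaves copies in Recoverable Items for forensics;
#    each purge action removes at most 10 items per mailbox, so re-run if needed.
if ($search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false
}
```

Two design points: the block is applied before the sweep so that new deliveries stop while the search runs, and the purge is soft-delete so that headers and bodies stay available for later forensics rather than disappearing with a hard delete.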

What was built and configured

Beyond the incident, the broader deployment involved standing up and tuning Barracuda ESS as the primary email gateway for both organizations, integrated with Microsoft 365 as the downstream mail platform.

Key configuration work included inbound/outbound policy rules, spam and phishing scoring thresholds, quarantine workflows, allow/block list management, and end-user quarantine digest configuration. On the authentication side, DKIM, DMARC, and SPF records were audited and hardened across all managed domains to reduce spoofing exposure.
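As an added example (not the audit script used in this deployment), the following PowerShell checks SPF, DMARC and DKIM records for a managed domain, flagging the weak settings that an audit like the one described above would tighten. The parsing functions are pure and can be run offline against constructed records; the live lookup uses Resolve-DnsName from the Windows DnsClient module. The domain name and the selector names are placeholders; selector1 and selector2 are the DKIM selectors Microsoft 365 uses, and the severity judgements (for example preferring -all once DMARC is enforced) are common hardening guidance, not something the page states.

```powershell
# Added example (not from the page): SPF/DMARC/DKIM audit helpers.
# Assumptions: example.com is a placeholder domain; selector1/selector2 are
# the Microsoft 365 DKIM selectors; thresholds reflect common guidance.

function Get-SpfFindings {
    param([string[]]$TxtRecords)
    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1\b' })
    if ($spf.Count -eq 0) { return @('SPF: no record; exact-domain spoofing is not detectable') }
    $findings = @()
    if ($spf.Count -gt 1) { $findings += 'SPF: multiple v=spf1 records; receivers treat this as permerror' }
    $record = $spf[0]
    switch -Regex ($record) {
        '\s\+all$' { $findings += 'SPF: +all lets any host send; replace with -all' }
        '\s\?all$' { $findings += 'SPF: ?all is neutral; replace with -all' }
        '\s~all$'  { $findings += 'SPF: ~all softfail; -all is stronger once DMARC is enforced' }
        '\s-all$'  { }
        default    { $findings += 'SPF: record does not end in an all mechanism' }
    }
    # include/a/mx/ptr/exists/redirect each cost a DNS lookup; RFC 7208 caps it at 10.
    $lookups = ([regex]::Matches($record, '(?:^|\s)(?:include:|a\b|mx\b|ptr\b|exists:|redirect=)')).Count
    if ($lookups -gt 10) { $findings += "SPF: $lookups lookup mechanisms exceed the limit of 10 (permerror)" }
    return $findings
}

function Get-DmarcFindings {
    param([string[]]$TxtRecords)
    $dmarc = @($TxtRecords | Where-Object { $_ -match '^v=DMARC1\b' })
    if ($dmarc.Count -eq 0) { return @('DMARC: no _dmarc record; SPF/DKIM results are never enforced') }
    $tags = @{}
    foreach ($pair in ($dmarc[0] -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    $findings = @()
    $policy = if ($tags.ContainsKey('p')) { $tags['p'] } else { '' }
    switch ($policy) {
        'reject'     { }
        'quarantine' { $findings += 'DMARC: p=quarantine; move to p=reject once aggregate reports are clean' }
        'none'       { $findings += 'DMARC: p=none is monitor-only and blocks nothing' }
        default      { $findings += 'DMARC: missing or invalid p= tag' }
    }
    if (-not $tags.ContainsKey('rua')) { $findings += 'DMARC: no rua= address, so no aggregate reports arrive' }
    if ($tags.ContainsKey('pct') -and (($tags['pct'] -as [int]) -lt 100)) {
        $findings += "DMARC: pct=$($tags['pct']) applies the policy to a sample of mail only"
    }
    if ($tags.ContainsKey('sp') -and $tags['sp'] -ne 'reject') {
        $findings += "DMARC: subdomain policy sp=$($tags['sp']) is weaker than reject"
    }
    return $findings
}

function Test-EmailAuth {
    param([string]$Domain, [string[]]$DkimSelectors = @('selector1', 'selector2'))
    # Join multi-string TXT records (records over 255 bytes arrive in chunks).
    $txt = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings })
    $dmarc = @(Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings })
    $findings = @(Get-SpfFindings $txt) + @(Get-DmarcFindings $dmarc)
    foreach ($s in $DkimSelectors) {
        # Microsoft 365 publishes selectorN._domainkey.<domain> as a CNAME into the
        # tenant's onmicrosoft.com zone; a plain TXT key is also accepted here.
        $rec = @(Resolve-DnsName -Name "$s._domainkey.$Domain" -Type TXT -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -in 'CNAME', 'TXT' })
        if ($rec.Count -eq 0) { $findings += "DKIM: no record for selector $s; signing is not enabled for $Domain" }
    }
    if ($findings.Count -eq 0) { $findings = @("$Domain: SPF, DMARC and DKIM look hardened") }
    return $findings
}

# Offline check of the parsing logic against constructed records (no DNS needed):
Get-SpfFindings   @('v=spf1 include:spf.protection.outlook.com ~all')
Get-DmarcFindings @('v=DMARC1; p=none; rua=mailto:dmarc@example.com')
# Live audit of a managed domain (placeholder name):
Test-EmailAuth -Domain 'example.com'
```

Run the parsing functions first against the constructed records to confirm the findings read as expected, then point Test-EmailAuth at each managed domain; the output is a list of plain findings, so an empty weak-setting list is the target state after hardening.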

Tools used

Barracuda ESS: primary email gateway
Microsoft 365: mail platform and identity
Defender for Office 365: threat detection
Purview eDiscovery: incident sweep
DKIM / DMARC / SPF: email authentication
Azure AD: identity and access

Results

Incident contained. The active BEC campaign was fully contained with no successful account compromise or financial loss. All malicious messages were identified and quarantined.
Zero breaches. Since deployment, the environment has seen zero successful phishing-related breaches across both organizations despite ongoing attack attempts.
Hardened authentication. DKIM, DMARC, and SPF fully configured and validated across all managed domains, closing the spoofing vectors that enabled the original attack.
Staff awareness raised. Org-wide phishing alert distributed, improving staff ability to recognize and report suspicious messages and turning the incident into a training moment.