🚨 The threat has evolved

AI-Powered Business Email Conversation Compromise
How attackers use AI to take over your email, watch your conversations, and steal your money.

BEC is no longer one phishing email. In 2025-2026 it is an AI agent impersonating you across a multi-turn conversation, voice-cloning your CFO, joining your Zoom calls as a deepfake, and replying to your team in real time while it drains your bank account. $2.8 billion lost in 2024 alone. The good news: every step is preventable with the right controls.

Sources: FBI IC3 2024 Annual Report · Verizon DBIR 2025 · Microsoft Security 2026 · Abnormal Security 2025
$2.8B
BEC losses reported to FBI IC3 in 2024, the 2nd-costliest cybercrime category.
Source: FBI IC3 2024 Annual Report (Apr 2025)
82%
of phishing emails in 2025 are AI-generated, exceeding human-written attacks for the first time.
Source: SecuredIntel 2025 analysis
1,265%
rise in phishing email volume since ChatGPT launched. AI removes the typos and bad grammar that used to give phishing away.
62%
of Microsoft-blocked phishing in mid-2025 came from a single Phishing-as-a-Service kit, Tycoon 2FA, which bypasses MFA by stealing the authenticated session cookie rather than the password alone.
$1.1B
U.S. deepfake fraud losses in 2025, triple 2024's $360M. Voice-clone attacks now average $243K per incident.
Source: Keepnet Labs 2026 deepfake report
31%
of all global cyber-insurance claims in 2025 came from BEC, the leading single cause of cyber losses.
83%
of large enterprises were hit by Vendor Email Compromise (VEC) in 2024. Recipients engage with VEC emails 90% more often than with regular BEC.
98.5%
of VEC scams go entirely unreported, usually discovered only after the money is gone.
What's different in 2025-2026

BEC stopped being one email. It is now a conversation, and an AI is running it.

The old BEC playbook was: send one spoofed email asking finance to wire money. Modern BEC is fundamentally different. Attackers take over a real mailbox, study the victim for weeks, then deploy an AI agent that reads incoming replies and responds in the victim's tone in real time. It can sustain a 12-email thread with your CFO while simultaneously running 1,000 other victims. This is AI-Powered Business Email Conversation Compromise, and traditional defenses were not designed for it.

🎙️

Voice cloning from 3 seconds of audio

Attackers scrape a LinkedIn video, podcast clip, or voicemail greeting, then clone the executive's voice. "Call to verify" is no longer enough on its own if the voice on the line can be faked: the callback has to go to a number you already hold, and the caller has to know something the model cannot.

$243K average loss per voice-clone fraud. Keepnet 2026
📹

Live deepfake video calls

Arup (Hong Kong, Feb 2024): a finance employee wired $25.6M across 15 transactions after a video call in which every other "executive", including the CFO, was an AI-generated deepfake. Singapore (Mar 2025): same playbook, $499K.

Multiple sources; Arup case widely cited 2025-2026
🤖

AI agents replying in your voice

An LLM reads the victim's sent items, learns their tone, vocabulary, and signature, then replies to incoming questions in real time while the human attacker focuses on the wire transfer. The victim's team never hears from a non-fluent attacker.

82% of 2025 phishing now AI-generated. SecuredIntel
🔓

MFA bypass at industrial scale

Phishing-as-a-Service kits (Tycoon 2FA, EvilProxy, Sneaky 2FA, Mamba 2FA) sit between the victim and the real M365 / Google login page, capture the password and the session cookie, and skip the MFA prompt entirely. Tycoon 2FA alone accounted for 62% of Microsoft-blocked phishing in mid-2025.

Microsoft Security Blog, Mar 2026
🎯

Hyper-personalization at scale

One attacker now runs thousands of parallel BEC conversations. LLMs draft individually tailored emails referencing each victim's actual vendors, projects, and pending invoices, scraped from compromised inboxes and OSINT.

Verizon DBIR 2025: pretexting nearly doubled, overtook phishing in BEC
📨

Conversation hijacking, not new emails

Attackers no longer send obvious "new" emails. They reply inside legitimate threads with vendors and clients, often from a look-alike domain (one-character typosquat or Unicode homograph). Your team sees a familiar thread and trusts it.

Abnormal Security 2025: VEC engagement 90% higher than BEC
The five-step attack chain

How an AI-powered BEC actually unfolds.

Every modern BEC follows the same five phases. Each phase has specific technical controls that can stop it. If you understand the chain, you know where to invest.

1 🎣 Compromise: an AiTM phishing kit steals the session cookie; MFA is bypassed.

2 👁️ Watch: hidden inbox rules forward your email; the AI reads everything.

3 🧠 Identify: the attacker maps your vendors, approval workflows, and pending invoices.

4 🎭 Strike: a look-alike domain or hijacked thread changes the wire instructions.

5 💰 Drain: wire transfers (88% of BEC) are sent before anyone notices.

Phase 1: Compromise. Getting in past MFA

Phase 2: Watch. Silent persistence inside the mailbox

Phase 3: Identify. Reconnaissance inside your inbox

Phase 4: Strike. The money-movement message

Phase 5: Drain, and the Financial Fraud Kill Chain race

The controls that actually stop AI-BEC

10 controls that prevent AI-powered BEC.

Each control with exactly where to configure it in Microsoft 365 and Google Workspace, and why it matters in the AI era. The first six stop the attack chain. The last four catch it if the first six fail.

01

Phish-resistant MFA on every account (FIDO2 hardware keys)

SMS OTP, authenticator-app OTP, and push notifications are all defeated by AiTM phishing kits, because the victim completes the real MFA prompt and the proxy keeps the resulting session cookie. FIDO2 hardware keys (YubiKey, Titan, Feitian) sign a challenge that includes the origin of the page asking for it, so a Tycoon 2FA reverse-proxy page on the attacker's domain gets an assertion the real login service rejects. The proxy never obtains a usable session.

Microsoft 365
Entra ID → Protection → Authentication methods → Policies → enable "Passkey (FIDO2)", then a Conditional Access policy with Grant → Require authentication strength → "Phishing-resistant MFA" for all users (start with finance, AP, and executives if you must stage it)
Google Workspace
Admin Console → Security → Authentication → 2-Step Verification → "Only security keys" + enroll in Advanced Protection Program
02

Disable external auto-forwarding tenant-wide

The #1 way attackers maintain silent persistence. An auto-forward rule sends a copy of every inbound message to the attacker even after the victim's password is rotated. Block it at the tenant level, not the user level. Most users have no business reason to auto-forward externally. This stops rule-based and mailbox-level forwarding; it does not stop an attacker reading mail through a stolen session or an OAuth app, which is why controls 04 and 09 still matter.

Microsoft 365
Defender → Email & collaboration → Policies & rules → Threat policies → Anti-spam → Anti-spam outbound policy (Default) → Automatic forwarding = Off. PowerShell: Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off. Also: Set-RemoteDomain Default -AutoForwardEnabled $false
Google Workspace
Admin Console → Apps → Google Workspace → Gmail → End User Access → Disable "Automatic forwarding"
03

Out-of-band callback verification for every money movement

Phone-back to a number from your vendor master file, never the number in the email. In the deepfake era, voice alone isn't enough. Pair the callback with a pre-shared codeword or specific shared-history question the AI can't answer. Required for: every wire, every ACH change, every banking-detail update, every "send gift cards" request.

Procedural (M365 + Google)
Document in your money-movement runbook. Approval matrix by dollar threshold. Sign-off log. Download the Manual Controls Playbook below.
Technical layer
Add a mail flow rule or DLP policy that flags outbound mail containing "wire", "ACH", or "banking change" and notifies a second approver. The technical layer reminds; the runbook is what enforces the second signature.
04

Continuously audit inbox rules + ForwardingSmtpAddress

Run this every week. Look for rules with single-character names, rules that forward externally, rules that move messages to RSS Subscriptions/Conversation History/Junk, and any ForwardingSmtpAddress set on a mailbox. These are the classic indicators of a compromised mailbox.

Microsoft 365 (PowerShell)
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object { Get-InboxRule -Mailbox $_.Identity -IncludeHidden | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } }
Google Workspace
Security Center → Investigation Tool → search "Email forwarding" + filter for external destinations
05

DMARC at p=reject with SPF + DKIM aligned

Stops external attackers from spoofing your exact domain to your own employees or to your customers. p=quarantine is not enough: quarantine sends suspicious mail to spam, where employees still see and trust it. p=reject blocks delivery entirely. Note what DMARC does not do: it cannot stop a look-alike domain (cyvater.ai) or mail sent from a mailbox the attacker already controls; those are controls 07 and 04.

DNS (registrar)
TXT record at _dmarc.yourdomain.com: v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com; pct=100. Roll out in stages: publish p=none with rua reporting first, fix every legitimate sender that fails SPF/DKIM alignment, then move to quarantine and finally reject, or you will block your own invoices.
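A small grader for the record above, added here as an example and not part of the page or of any DMARC tool. It takes a TXT record string you have already fetched (no DNS lookup is made, so it runs offline) and reports every way the policy falls short of the p=reject baseline, including the two defaults people forget: sp= inherits p=, and pct= defaults to 100.

```python
"""Grade a DMARC TXT record against the p=reject baseline (added example, not page code)."""
from typing import Dict, List


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict (tag names are case-insensitive)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def grade_dmarc(txt: str) -> List[str]:
    """Return findings; an empty list means the record meets the p=reject baseline."""
    t = parse_dmarc(txt)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings: List[str] = []
    p = t.get("p")
    if p is None:
        findings.append("no p= tag: receivers ignore the record")
        p = "none"
    elif p == "quarantine":
        findings.append("p=quarantine: spoofed mail still lands in spam, where users can fish it out")
    elif p != "reject":
        findings.append(f"p={p}: spoofed mail is delivered normally")
    sp = t.get("sp", p)                      # subdomain policy defaults to p
    if sp != "reject":
        findings.append(f"sp={sp}: anything.yourdomain.com can still be spoofed")
    pct = t.get("pct", "100")                # defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of the failing mail")
    if not t.get("rua"):
        findings.append("no rua= address: no aggregate reports, so you cannot see who spoofs you")
    return findings


if __name__ == "__main__":
    for record in ("v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100",
                   "v=DMARC1; p=quarantine; pct=50"):
        print(record, "->", grade_dmarc(record) or "OK")
```

Wire it to a resolver (for example dnspython's `dns.resolver.resolve("_dmarc." + domain, "TXT")`) and run it across every domain you own, including parked ones, which should carry p=reject with no legitimate senders at all.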
06

Block legacy authentication + enforce Conditional Access

Legacy authentication means basic authentication: a username and password sent with the request, as used by IMAP, POP3, SMTP AUTH, and older Office clients. Those clients never receive an MFA prompt, so Conditional Access cannot enforce one, and attackers try them first with phished or sprayed passwords. Exchange Online switched basic auth off by default in 2022-2023 (SMTP AUTH was excluded from that first round), so verify rather than assume. Block it tenant-wide, then layer Conditional Access requiring a compliant device, a trusted location, and phish-resistant MFA for high-risk actions.

Microsoft 365
Entra ID → Protection → Conditional Access → New policy → Conditions → Client apps → select "Exchange ActiveSync clients" and "Other clients" → Grant: Block access (the built-in "Block legacy authentication" template). Then a second policy: Grant → Require authentication strength → Phishing-resistant MFA, for all users
Google Workspace
Admin → Security → Access and data control → Context-Aware Access → require a company-owned or managed device and a trusted IP range. Pair it with 2-Step Verification set to "Only security keys" (control 01): Context-Aware Access governs where and from what a user signs in, not which second factor they use
07

Look-alike domain monitoring + defensive registration

Attackers register typosquats (cyvater.ai), Unicode homographs (Cyrillic "а"), and alternate TLDs (.co, .email) days before launching BEC. Continuous monitoring catches the registration so you can block the domain at your email gateway before the first phish arrives.

Tooling
DNSTwist (open source), DomainTools, Bolster, Mimecast Brand Exploit Protect, Cyvatar External Exposure Scan
Defensive registration
Pre-register obvious typosquats of your primary domain on day one. ~$15/yr per domain, infinite ROI when one prevents a BEC.
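What the monitoring and gateway side of this control computes, as an added example that is not the page's code and not dnstwist or any commercial product: a generator for a subset of the candidates those tools enumerate (omission, transposition, repetition, vowel swap, a few Cyrillic confusables, alternate TLDs) plus the inbound check a gateway rule applies to a sender domain. The confusable map is a constructed sample, not a full Unicode confusables table, and the code assumes a two-label domain like cyvatar.ai.

```python
"""Enumerate look-alike domains for a brand domain and test inbound senders against it (added example)."""
import unicodedata
from typing import Set

# Constructed sample: Latin letter -> Cyrillic look-alike (U+0430, U+0435, U+043E, U+0441, U+0440)
CONFUSABLES = {"a": "\u0430", "e": "\u0435", "o": "\u043e", "c": "\u0441", "p": "\u0440"}
ALT_TLDS = ("co", "com", "net", "email")
VOWELS = "aeiou"


def typosquats(domain: str) -> Set[str]:
    """Candidate registrations an attacker might use for `domain` (never includes the domain itself)."""
    label, _, tld = domain.lower().rpartition(".")
    labels: Set[str] = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])                          # omission:      cyvtar
        labels.add(label[:i] + ch + label[i:])                         # repetition:    cyvaatar
        if i + 1 < len(label):
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition: cyvaatr
        if ch in VOWELS:
            for v in VOWELS.replace(ch, ""):
                labels.add(label[:i] + v + label[i + 1:])              # vowel swap:    cyvater
        if ch in CONFUSABLES:
            labels.add(label[:i] + CONFUSABLES[ch] + label[i + 1:])    # homograph:     cyv\u0430tar
    labels.discard(label)
    labels.discard("")
    out = {f"{l}.{tld}" for l in labels}
    out |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}             # alternate TLD: cyvatar.co
    return out


def skeleton(label: str) -> str:
    """Fold a label for comparison: NFKC, lower-case, confusables mapped back, rn->m, vv->w."""
    back = {v: k for k, v in CONFUSABLES.items()}
    s = unicodedata.normalize("NFKC", label).lower()
    return "".join(back.get(ch, ch) for ch in s).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(sender_domain: str, protected: str) -> bool:
    """True when the sender is not our domain but folds to it, is within one edit, or differs only in TLD."""
    sender = sender_domain.lower()
    if sender.startswith("xn--") or ".xn--" in sender:
        sender = sender.encode("ascii").decode("idna")   # compare punycode senders in Unicode form
    if sender == protected.lower():
        return False
    s_label = skeleton(sender.rpartition(".")[0])
    p_label = skeleton(protected.lower().rpartition(".")[0])
    return s_label == p_label or edit_distance(s_label, p_label) == 1


if __name__ == "__main__":
    for d in sorted(typosquats("cyvatar.ai"))[:10]:
        print(d)
    print(looks_like("cyv\u0430tar.ai", "cyvatar.ai"))   # Cyrillic a -> True
```

Resolve each candidate daily (A, MX, and NS records) and alert on any that starts answering; feed `looks_like` the envelope-from and From: domains at the gateway and quarantine matches that are not on your own allow-list of defensively registered domains.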
08

AI-aware inbound email filtering

Traditional signature-based email gateways are blind to LLM-written BEC. No malicious links, no malware attachments, no spelling tells. AI-aware gateways (Abnormal, Microsoft Defender for O365 with AI, Mimecast, Cloudflare Email Security) detect tonal anomalies, impersonation patterns, and behavioral deviations from learned baselines.

Microsoft 365
Microsoft Defender for Office 365. Enable Safe Links, Safe Attachments, ZAP (Zero-hour Auto Purge), and, in the anti-phishing policy, user and domain impersonation protection plus mailbox intelligence for your executives and finance team; that is the part that catches display-name and look-alike sender tricks. Attack Simulation Training covers the people side
Google Workspace
Admin Console → Apps → Google Workspace → Gmail → Safety → enable the spoofing and authentication protections; Gmail → Spam, phishing and malware → Enhanced pre-delivery message scanning
09

Mailbox audit logging exported to SIEM

When (not if) you have an incident, you need 90+ days of mailbox activity to reconstruct what the attacker did, what they saw, what they sent. Enable mailbox auditing for every mailbox and ship the logs to a SIEM with alerting on suspicious patterns.

Microsoft 365 (PowerShell)
Set-OrganizationConfig -AuditDisabled $false and Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true. Both are on by default in current tenants; verify with Get-OrganizationConfig and Get-AdminAuditLogConfig rather than assume, and alert if either is ever changed, because turning auditing off is the first thing a careful attacker does
Google Workspace
Admin Console → Reporting → Audit and investigation (on by default) → export continuously via Reporting → Data → BigQuery Export, or pull the logs with the Reports API (admin.googleapis.com) into your SIEM
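The alerting logic a SIEM rule over those logs should implement, added here as an example and not taken from the page or from any vendor's detection content. It runs over constructed audit records shaped like the unified audit log's AuditData JSON (Operation, Workload, UserId, ClientIP, CreationTime, a Parameters list for Exchange cmdlets, ModifiedProperties for Entra consent events); INTERNAL_DOMAINS and every address and IP in the sample are placeholders.

```python
"""Alert on mailbox-persistence and anti-forensics operations in M365 unified audit log records (added example)."""
import re
from typing import Dict, List, Optional, Tuple

INTERNAL_DOMAINS = {"example.com"}          # assumption: your accepted domains
ADDR = re.compile(r"[\w.+-]+@([\w.-]+)")    # captures the domain of each address in a value


def _params(rec: Dict) -> Dict[str, str]:
    """Exchange admin audit records carry cmdlet arguments as [{Name, Value}, ...]."""
    return {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}


def _external(value: str) -> bool:
    """True if any address in a ForwardTo / ForwardingSmtpAddress value is outside our domains."""
    return any(d.lower() not in INTERNAL_DOMAINS for d in ADDR.findall(value))


def classify(rec: Dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a record worth alerting on, else None."""
    op, p = rec.get("Operation"), _params(rec)
    if op == "Set-Mailbox":
        if _external(p.get("ForwardingSmtpAddress", "")):
            return "HIGH", "mailbox-level external forward (ForwardingSmtpAddress) set"
        if p.get("AuditEnabled", "").lower() == "false":
            return "HIGH", "mailbox auditing switched off (anti-forensics)"
    if op in ("New-InboxRule", "Set-InboxRule"):
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            if _external(p.get(key, "")):
                return "HIGH", f"inbox rule {key} to an external address"
    if op == "Set-OrganizationConfig" and p.get("AuditDisabled", "").lower() == "true":
        return "CRITICAL", "tenant-wide auditing disabled"
    if op == "Consent to application.":
        for m in rec.get("ModifiedProperties", []):
            if m.get("Name") == "ConsentAction.Permissions" and "Mail." in str(m.get("NewValue", "")):
                return "MEDIUM", "OAuth consent granting a Mail.* scope"
    return None


def triage(records: List[Dict]) -> List[Dict]:
    """One alert per matching record, carrying the fields an analyst pivots on."""
    alerts = []
    for rec in records:
        hit = classify(rec)
        if hit:
            alerts.append({"severity": hit[0], "reason": hit[1], "user": rec.get("UserId"),
                           "ip": rec.get("ClientIP"), "time": rec.get("CreationTime"), "op": rec.get("Operation")})
    return alerts


# Constructed records; addresses and IPs are documentation placeholders, not real indicators
SAMPLE: List[Dict] = [
    {"CreationTime": "2025-09-03T02:14:07", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "\"Archive\" [SMTP:collector@mail-drop.example]"}]},
    {"CreationTime": "2025-09-03T02:15:30", "Operation": "Set-Mailbox", "Workload": "Exchange",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@mail-drop.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2025-09-03T02:16:02", "Operation": "Set-Mailbox", "Workload": "Exchange",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "AuditEnabled", "Value": "False"}]},
    {"CreationTime": "2025-09-03T02:20:44", "Operation": "Consent to application.", "Workload": "AzureActiveDirectory",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions", "NewValue": "[[Scope: Mail.Read offline_access User.Read]]"}]},
    {"CreationTime": "2025-09-03T09:01:11", "Operation": "New-InboxRule", "Workload": "Exchange",   # benign
     "UserId": "bob@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-09-03T09:05:00", "Operation": "Set-Mailbox", "Workload": "Exchange",      # internal forward, benign
     "UserId": "admin@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:shared-ap@example.com"}]},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

Four events from the same user and IP inside six minutes is the pattern to correlate on: rule, mailbox forward, audit off, then an OAuth consent that keeps access after the password is rotated. Feed the function the parsed AuditData from Search-UnifiedAuditLog or the Management Activity API; checks on rules that already exist belong in the state audit of control 04.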
10

Phishing simulations + a written money-movement playbook

Quarterly phishing simulations specifically targeted at finance, AP, and executive admins. The people who actually move money. Pair with a printed money-movement playbook: callback verification, pre-shared codeword, approval matrix by dollar threshold, IR quick card for when something goes wrong.

Microsoft 365
Defender for Office 365 → Attack Simulation Training (built-in)
Tooling
KnowBe4, Curricula, Cofense PhishMe, Hoxhunt, and Cyvatar Human Risk Protection (managed simulations + remediation)
Free download. Built for finance + IT + execs

📋 Cyvatar BEC Manual Controls Playbook

The procedural controls that stop AI-BEC even when your tools fail. Drop your email and we'll send you the full PDF. Customized with your company name and ready to circulate to finance, AP, and the executive team.

No follow-up sequence unless you ask. We use your email only to send the playbook + (optionally) walk through it with a Cyvatar advisor.

If you think you've been hit

Detection commands. Find the rules attackers leave behind.

Run these this week. If you find any of these indicators, treat that mailbox as compromised: rotate the password, revoke every session and refresh token (Revoke-MgUserSignInSession -UserId <upn>), remove the rules and forwarding, and audit OAuth grants immediately. A password change alone does nothing if the attacker still holds a valid session cookie or an OAuth token.

Microsoft 365. Find every forwarding inbox rule across all mailboxes
# Connect first: Connect-ExchangeOnline
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
  ForEach-Object {
    # -IncludeHidden also returns rules created outside Outlook (MAPI/Graph) that the rules UI does not show
    Get-InboxRule -Mailbox $_.Identity -IncludeHidden |
      Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage }
  } | Format-Table MailboxOwnerId,Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,DeleteMessage -AutoSize
Microsoft 365. Find mailboxes with ForwardingSmtpAddress or ForwardingAddress (mailbox-level forwarding, not an inbox rule; it never appears in the user's rules list)
Get-Mailbox -ResultSize Unlimited |
  Where-Object { $_.ForwardingSmtpAddress -ne $null -or $_.ForwardingAddress -ne $null } |
  Format-Table DisplayName,UserPrincipalName,ForwardingSmtpAddress,ForwardingAddress,DeliverToMailboxAndForward
Microsoft 365. Verify mailbox audit logging is enabled
Get-OrganizationConfig | Format-List AuditDisabled
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
# Mailbox auditing has been on by default since 2019, so a mailbox explicitly set to $false, or a bypass association, is a red flag
Get-Mailbox -ResultSize Unlimited |
  Where-Object { $_.AuditEnabled -eq $false } |
  Format-Table DisplayName,UserPrincipalName,AuditEnabled
Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled }
Microsoft 365. Find suspicious OAuth app grants
# Requires Connect-MgGraph -Scopes "Directory.Read.All"; this is tenant-wide (Get-MgUserOauth2PermissionGrant needs a -UserId)
Get-MgOauth2PermissionGrant -All |
  Where-Object { $_.Scope -match "Mail\.Read|Mail\.ReadWrite|Mail\.Send" } |
  Format-Table ClientId,ConsentType,PrincipalId,Scope   # resolve ClientId with Get-MgServicePrincipal -ServicePrincipalId <ClientId>
Google Workspace. Investigation Tool query for forwarding
# Admin Console → Security → Security center → Investigation tool → Data source: User log events
# Filter: Event = "Email forwarding out of domain"  OR  the POP/IMAP-enabled events
# Time range: last 90 days
# Then for each finding: confirm the user authorized it, or revoke + rotate.
Classic indicators of compromise. Look for these inbox rule patterns
# Rule names that scream "hidden":
"."    " "    ".."    "a"    "b"    (single character, single dot, or blank)

# Rule actions that scream "exfiltration":
ForwardTo / ForwardAsAttachmentTo / RedirectTo: external email address
MoveToFolder: RSS Subscriptions, Conversation History, Junk Email, Archive
MarkAsRead + DeleteMessage (the victim never sees the vendor's reply)

# Mailbox-level red flags:
ForwardingSmtpAddress or ForwardingAddress set
AuditEnabled changed to $false in the last 90 days
New OAuth grant with a Mail.* scope to an unknown app
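The indicator list above turned into a scoring script, added as an example and not the page's own tooling. It expects what `Get-InboxRule -IncludeHidden | Select-Object MailboxOwnerId,Name,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,MarkAsRead,DeleteMessage,SubjectContainsWords,BodyContainsWords | ConvertTo-Json` produces; the four rules below are constructed, INTERNAL_DOMAINS stands in for your accepted domains, and the weights are a starting point, not a standard.

```python
"""Score exported Exchange Online inbox rules against hidden-rule / exfiltration indicators (added example)."""
import re
from typing import Dict, List

INTERNAL_DOMAINS = {"example.com"}        # assumption: your accepted domains
ADDR = re.compile(r"[\w.+-]+@[\w.-]+")
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "junk", "archive", "deleted items"}
FINANCE_TERMS = ("invoice", "wire", "payment", "bank", "ach", "remittance", "password", "mfa")


def external_targets(values) -> List[str]:
    """Pull external addresses out of ForwardTo-style entries such as '"Joe" [SMTP:joe@ext.example]'."""
    if isinstance(values, str):
        values = [values]
    found = []
    for v in values or []:
        for addr in ADDR.findall(str(v)):
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                found.append(addr.lower())
    return found


def score_rule(rule: Dict) -> Dict:
    """Weight each indicator; the reasons list is what goes in the ticket."""
    reasons, score = [], 0
    name = (rule.get("Name") or "").strip()
    if len(name) <= 1 or set(name) <= {"."}:
        score += 2; reasons.append(f"hidden-style name {name!r}")
    ext = (external_targets(rule.get("ForwardTo")) + external_targets(rule.get("ForwardAsAttachmentTo"))
           + external_targets(rule.get("RedirectTo")))
    if ext:
        score += 5; reasons.append("forwards externally to " + ", ".join(sorted(set(ext))))
    folder = (rule.get("MoveToFolder") or "").rsplit("\\", 1)[-1].lower()   # 'user@x:\RSS Subscriptions'
    if folder in HIDING_FOLDERS:
        score += 2; reasons.append(f"moves mail to {folder!r}")
    if rule.get("DeleteMessage") and rule.get("MarkAsRead"):
        score += 3; reasons.append("marks read + deletes")
    elif rule.get("DeleteMessage"):
        score += 1; reasons.append("deletes")
    words = " ".join(str(w) for w in (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])).lower()
    if score and any(t in words for t in FINANCE_TERMS):
        score += 2; reasons.append("filters on finance/security keywords")
    return {"mailbox": rule.get("MailboxOwnerId"), "name": name, "score": score, "reasons": reasons}


def triage_rules(rules: List[Dict], threshold: int = 3) -> List[Dict]:
    """Rules at or above the threshold, worst first."""
    hits = [r for r in (score_rule(x) for x in rules) if r["score"] >= threshold]
    return sorted(hits, key=lambda r: r["score"], reverse=True)


# Constructed export; addresses are placeholders
SAMPLE_RULES: List[Dict] = [
    {"MailboxOwnerId": "alice@example.com", "Name": ".", "ForwardTo": ["\"Archive\" [SMTP:collector@mail-drop.example]"],
     "MarkAsRead": True, "DeleteMessage": True, "SubjectContainsWords": ["invoice", "wire"]},
    {"MailboxOwnerId": "alice@example.com", "Name": "a", "MoveToFolder": r"alice@example.com:\RSS Subscriptions",
     "MarkAsRead": True, "SubjectContainsWords": ["password"]},
    {"MailboxOwnerId": "bob@example.com", "Name": "Team newsletters", "MoveToFolder": r"bob@example.com:\Newsletters"},
    {"MailboxOwnerId": "carol@example.com", "Name": "Forward to assistant", "ForwardTo": ["\"Assistant\" [SMTP:assistant@example.com]"]},
]

if __name__ == "__main__":
    for hit in triage_rules(SAMPLE_RULES):
        print(hit["score"], hit["mailbox"], hit["name"], "; ".join(hit["reasons"]))
```

Run it against the weekly export from control 04 and diff against last week's: a new rule scoring above the threshold on a finance or executive mailbox is an incident, not a ticket.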
Recent real-world losses

What AI-powered BEC actually costs in 2025.

Selected incidents from 2024-2025 that defined the AI-BEC threat landscape.

$25.6M
Arup. Hong Kong
February 2024 · video deepfake

A finance employee wired 15 separate transactions totaling $25.6M after a video call in which every other "executive", including the CFO, was an AI-generated deepfake. Now the canonical reference case for every 2025-2026 BEC analysis.

Widely reported; CNN, FT, Reuters 2024-2025
$499K
Multinational firm. Singapore
March 2025 · video deepfake

Finance director joined what appeared to be a routine Zoom call with senior leadership. The CFO requested an urgent $499K transfer. None of the executives on the call were real. Every face was a deepfake; every voice was AI-generated.

CyberFlow + multiple 2025 reports
$1.1B
U.S. Deepfake fraud losses (total, 2025)
2025 · 3× year-over-year

Total U.S. Deepfake fraud losses reached $1.1 billion in 2025. Triple 2024's $360 million. Average loss per voice-clone-only attack: $243,000.

Keepnet Labs 2026 deepfake report
30M
Phishing emails per month from Tycoon 2FA
Mid-2025 · single PhaaS platform

One Phishing-as-a-Service platform. Tycoon 2FA. Drove 30 million malicious emails Microsoft blocked in a single month, accounting for ~62% of all Microsoft-blocked phishing in mid-2025. PhaaS makes AiTM attacks accessible to non-technical criminals.

$300M
VEC attempted theft. Last 12 months
2024-2025 · vendor email compromise

Attackers attempted to steal more than $300 million via vendor email compromise (VEC) in 12 months. 83% of large enterprises experienced a VEC attack in 2024. 98.5% of VEC scams go unreported until the money is gone.

$2.8B
Total U.S. BEC losses. 2024
FBI IC3 2024 Annual Report

21,442 BEC complaints to FBI IC3 in 2024 totaling $2.8 billion in confirmed losses. The 2nd-most-costly cybercrime category. Cumulative 2022-2024: nearly $8.5 billion.

The fine print most boards miss

Cyber insurance and the law will not save you.

Two adjacent surprises every executive learns the hard way after a BEC: how little your cyber policy actually pays out for BEC, and how AI-specific fraud regulation is still scrambling to catch up.

💰 Cyber-insurance reality (2025)

BEC was the #1 cause of cyber-insurance claims globally in 2025. 31% of all incidents. But the payout is rarely full:

Read your social-engineering rider carefully before you need it.

⚖️ AI-fraud legislation is still catching up

In 2025-2026, the regulatory frame around AI-enabled BEC is fragmented and evolving fast:

Bottom line: legislation describes the threat; it does not stop it. Your controls have to.

Map the attack to the defense

How Cyvatar prevents AI-BEC. Phase by phase.

Every step of the AI-BEC attack chain maps to a Cyvatar solution that prevents it, detects it, or contains it. We deploy these in 30 days, manage them for you continuously, and prove your posture quarterly.

Attack phase / What the attacker does / How Cyvatar stops it

1 · Compromise
  Attacker: AiTM phishing kit (Tycoon 2FA, EvilProxy) steals the session cookie; MFA bypassed.
  Cyvatar: MFA (phish-resistant MFA, Okta + FIDO2, with Conditional Access enforced); ESM (AI-aware inbound filtering blocks the phish before it lands); SAT-F + HRP (quarterly simulations tuned to current AiTM lures).

2 · Watch
  Attacker: Hidden inbox rules forward mail; ForwardingSmtpAddress set; OAuth grants to attacker apps.
  Cyvatar: UAM (Red Canary User Account Monitoring detects unusual logins, impossible travel, and suspicious OAuth consents); SDL (SIEM Data Lake captures mailbox audit logs continuously); Agentic vCISO (weekly forwarding-rule audits and tenant hardening).

3 · Identify
  Attacker: AI agent reads the inbox, maps vendors, finds pending invoices, learns the approval workflow.
  Cyvatar: UAM (detects anomalous mailbox-read patterns such as mass searches for "wire", "ACH", "invoice"); SDL (per-user behavioral baselines flag deviations); DSM (DLP rules on outbound finance correspondence).

4 · Strike
  Attacker: Look-alike domain or hijacked thread requests a "banking change", possibly backed by a voice clone or deepfake video.
  Cyvatar: TVM-W (continuous look-alike and typosquat domain detection via the Cyvatar external scan); ESM (tone-anomaly and impersonation detection blocks the message); HRP + Manual Controls Playbook (pre-shared codeword and callback verification defeat voice clones).

5 · Drain
  Attacker: Wire moves to a mule network; the Financial Fraud Kill Chain race starts.
  Cyvatar: Agentic vCISO (24/7 IR coordination: bank notification, IC3 filing, evidence preservation); Assure (Booz Allen Hamilton IR partnership for major incidents); CSM (cloud workload monitoring catches lateral movement if it spreads beyond the mailbox).

0 · Foundation (required underneath all five phases)
  Cyvatar: SEM (endpoint protection, SentinelOne + Red Canary 24/7 MDR, blocks credential-theft malware); TVM (continuous vulnerability scanning and remediation across the perimeter); Policy library (54 customized security policies covering AUP, IR, vendor management, banking controls).

Don't wait for the wire to go out.
Build the preventative controls now.

Cyvatar deploys the full AI-BEC defense stack in 30 days. Phish-resistant MFA, AI-aware email filtering, user account monitoring, continuous forwarding-rule audits, vendor risk monitoring, and a 24/7 IR partnership with Booz Allen Hamilton. Seven years. 226 customers. Zero major breaches or ransomware.


Or call 855-520-9966