Business email compromise

Forensic review of business email compromise.

Business email compromise often leaves traces in mailbox settings, login records, message headers, account activity, cloud records, and user devices. Rune Forensics reviews those records to help determine what happened and what can be supported.

Scope

Email records tell a story

The work can support businesses, insurers, attorneys, and internal investigation teams after suspicious email activity, fraudulent instructions, changed payment details, or account access concerns.

Common questions

Was the mailbox accessed without authorization
Were rules or forwarding settings changed
What accounts or devices were involved
When did suspicious activity begin
Were messages deleted, moved, or altered
Do the records support the reported sequence of events

Evidence sources

Mailbox audit logs
Email headers
Forwarding settings
Cloud login records
User devices
Payment instruction emails and attachments

What clients receive

A review of available email and account records
Timeline reconstruction when supported
Identification of suspicious settings or access patterns
Clear findings and limitations
Recommendations for records that should be preserved

Consultation

Request a focused review

The first step is usually preserving mailbox records, account logs, relevant messages, and devices before normal retention or synchronization changes the available evidence.

Request consultation