Investigate Email Compromise
Describe the email compromise indicators or forward suspicious emails; get a containment plan with investigation steps and notification drafts.
Our VP of Finance (Marcus Webb) reported that colleagues and two external vendors have received emails from his account that he did not send. One email contained wire transfer instructions to a bank account we do not recognize. His account is still active. I have not changed his password yet because I was told not to touch anything before preserving evidence. What do I do?
Here is what I know so far:
Marcus noticed at 8:15 AM when a colleague asked about the wire transfer email. He says he has not logged in since yesterday evening. Our email is hosted on Meridian365 Business. We have MFA enabled but it is SMS-based. I checked his recent sign-in logs and see a login at 3:42 AM from an IP geolocated to Lagos, Nigeria (our company is in Minneapolis). There is a new inbox rule I did not create that moves all emails containing the words invoice, payment, and wire to a folder called RSS Feeds. At least 3 emails were sent from his account between 3:50 AM and 7:30 AM, two to external vendors with updated banking details for upcoming payments.
This is my first time dealing with something like this. We are a 60-person company with no security team.
Thanks,
Nolan Burke
nolan.burke@ferriscogroup.com
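A defender's triage script for the indicators in the report above, added here as an example and not code from via.email or its agents. It takes sign-in events, inbox rules and sent mail in a constructed record shape (an assumption; the page does not describe what Meridian365 Business actually exports), opens a compromise window at the first sign-in from outside the expected country, and lists the inbox rules and external finance-themed mail that fall inside that window. The dates, IP addresses, vendor addresses and rule names in the sample data are constructed to mirror the report.

```python
"""BEC triage helper: flags the indicators named in the report above.

Added example; not code from via.email or any of its agents. The record
formats and sample data are constructed assumptions (no Meridian365
Business export format is implied).
"""
from dataclasses import dataclass, field
from datetime import datetime

FINANCE_KEYWORDS = {"invoice", "payment", "wire", "banking", "bank account"}
EXPECTED_COUNTRIES = {"US"}            # assumption: staff sign in from the US only
INTERNAL_DOMAIN = "ferriscogroup.com"
# Folders users rarely open; intercepted finance mail is often filed here
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}


@dataclass
class SignIn:
    when: datetime
    ip: str
    country: str
    mfa_method: str          # "sms", "app", "none", ...


@dataclass
class InboxRule:
    name: str
    created: datetime
    move_to_folder: str
    keywords: set = field(default_factory=set)


@dataclass
class SentMail:
    when: datetime
    to: str
    subject: str
    body: str


def suspicious_signins(events, expected=EXPECTED_COUNTRIES):
    """Sign-ins from outside the expected countries, oldest first."""
    return sorted((e for e in events if e.country not in expected), key=lambda e: e.when)


def suspicious_rules(rules, since):
    """Rules created at or after `since` that hide mail or match finance terms."""
    hits = []
    for r in rules:
        hides = r.move_to_folder.strip().lower() in HIDING_FOLDERS
        finance = bool({k.lower() for k in r.keywords} & FINANCE_KEYWORDS)
        if r.created >= since and (hides or finance):
            hits.append(r)
    return hits


def suspicious_sent(mails, start, end, internal=INTERNAL_DOMAIN):
    """External mail sent in [start, end] that talks about payments or bank details."""
    hits = []
    for m in mails:
        external = not m.to.lower().endswith("@" + internal)
        text = f"{m.subject} {m.body}".lower()
        if start <= m.when <= end and external and any(k in text for k in FINANCE_KEYWORDS):
            hits.append(m)
    return hits


def triage(signins, rules, sent, now):
    """Open the compromise window at the first bad sign-in and collect indicators."""
    bad = suspicious_signins(signins)
    if not bad:
        return {"window": None, "signins": [], "rules": [], "sent": [], "weak_mfa": False}
    start = bad[0].when
    return {
        "window": (start, now),
        "signins": bad,
        "rules": suspicious_rules(rules, start),
        "sent": suspicious_sent(sent, start, now),
        # SMS-delivered codes can be intercepted or phished; note it for the report
        "weak_mfa": any(s.mfa_method == "sms" for s in bad),
    }


# --- constructed sample data mirroring the report (dates and IPs are made up) ---
D = datetime
NOW = D(2024, 5, 14, 8, 15)                                          # time the report came in
SAMPLE_SIGNINS = [
    SignIn(D(2024, 5, 13, 18, 30), "198.51.100.7", "US", "sms"),     # owner, previous evening
    SignIn(D(2024, 5, 14, 3, 42), "203.0.113.45", "NG", "sms"),      # unexpected, Lagos
]
SAMPLE_RULES = [
    InboxRule("Newsletters", D(2023, 11, 2, 9, 0), "Newsletters", {"unsubscribe"}),
    InboxRule(".", D(2024, 5, 14, 3, 45), "RSS Feeds", {"invoice", "payment", "wire"}),
]
SAMPLE_SENT = [
    SentMail(D(2024, 5, 13, 17, 5), "ap@vendor-one.example", "Q2 forecast", "See attached."),
    SentMail(D(2024, 5, 14, 3, 50), "ap@vendor-one.example", "Updated banking details",
             "Please use the new bank account for the upcoming payment."),
    SentMail(D(2024, 5, 14, 5, 10), "billing@vendor-two.example", "Payment instructions",
             "Our wire details have changed."),
    SentMail(D(2024, 5, 14, 7, 30), "controller@ferriscogroup.com", "Wire transfer",
             "Process this wire today."),
]

if __name__ == "__main__":
    report = triage(SAMPLE_SIGNINS, SAMPLE_RULES, SAMPLE_SENT, NOW)
    print("window:", report["window"])
    for key in ("signins", "rules", "sent"):
        print(key, [vars(x) for x in report[key]])
    print("weak_mfa:", report["weak_mfa"])
```

On a real case the records are built from the provider's sign-in log and message trace export; the window start is also the boundary to use when preserving evidence (export sign-in logs, rules, and sent items from that time onward before any password reset or session revocation), and the external recipients in `sent` are the vendors who need an out-of-band call before any payment goes to the changed bank details.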
What is via.email?
AI agents, each living at an email address. Just send an email to get work done. No apps. No downloads.
How to use?
Send or forward emails to agents and get the results back in a reply. Try it without registering. Join to get free credits.
Is it safe?
Absolutely: your emails are encrypted, deleted after processing, and never used to train AI models.
More power?
Upgrade to get more credits, add email attachments, create custom agents, and access advanced features.