Incident story · Business email compromise
Six weeks in the AP clerk's mailbox. One swapped invoice. $185K, gone overnight.
The owner of a $40M regional metal-fabrication shop in the Southeast got the call on a Thursday morning. His longtime steel supplier was on the line — politely asking when payment was coming for last month's order. His AP clerk had wired the money nine days earlier. The supplier had never received it. By the end of the day they knew an attacker had been quietly reading his AP clerk's email for six weeks, learning the routine, and waiting for the right invoice to swap. By the end of the week they knew the cyber insurance carrier was not going to pay — the policy required MFA, and the owner's application had said yes without ever actually enforcing it.
At a glance
The shape of the incident
What happened
Six weeks of silence, then one Thursday morning
Week one — the foothold. The AP clerk received an email styled as a Microsoft 365 password reset notice. She had been getting more spam than usual and assumed it was legitimate. She clicked the link, typed her password into a convincing copy of the Microsoft sign-in page, and then typed it again when the page told her it had failed. Two minutes later her credentials were on a credential broker's panel for $4.
Weeks one through six — the watch. The attacker logged in from a residential VPN that geolocated near her actual home. They added a single invisible mailbox rule that quietly forwarded copies of any email containing the words "invoice," "wire," "payment," or "bank" to a folder they could read remotely. They never sent an email from her account. They never deleted anything. The clerk noticed nothing.
Week six — the right invoice. A $185,000 invoice came in from the firm's primary steel supplier — a vendor relationship of eleven years, with whom they exchanged dozens of emails a month. The attacker had already seen prior invoices from this vendor and knew the format, the contact name, and the approval pattern. They waited two days, then sent a reply on the existing email thread from a near-identical lookalike domain (one letter off in the supplier's name), saying the supplier had changed banks and providing new routing details. The lookalike email referenced the actual invoice number, attached a real-looking "updated remittance instructions" PDF, and ended with the supplier rep's real email signature.
Wednesday afternoon — the wire. The AP clerk noted the bank change in her ERP, attached the PDF, and sent the wire approval to the operating partner. The partner — who was at a trade show in a different state — approved it from his phone in between meetings. The wire went out at 3:47 PM. The receiving account moved the funds through two intermediary accounts within 36 hours.
The following Thursday — the call. The real steel supplier's controller called to ask when payment was coming. The AP clerk pulled up the wire confirmation. The two numbers did not match. Within an hour the firm's bank confirmed the routing on file at the receiving account was at a small online bank the supplier had never used. By the end of the day the FBI IC3 report was filed, the bank had begun the clawback process, and the firm was on the phone with their cyber insurance broker.
Days 10 to 21 — the claim. The insurance carrier opened a claim file, requested the original application, and asked one specific question: produce evidence that MFA was enforced on the AP clerk's account on the date of compromise. The owner asked his IT vendor. The IT vendor confirmed MFA was available in the M365 tenant but had never been enforced outside of the partners. The clerk had a password and nothing else. The carrier denied the claim citing the application's representation of MFA as a material misstatement.
Day 28. The receiving bank had recovered $12,000 from the third intermediary account before the funds moved. The remainder was gone — withdrawn in cash across multiple jurisdictions over the course of a long weekend. Net loss after recovery and remediation: $270,000. Insurance contribution: zero.
Three months later. The firm renewed cyber insurance at a 90 percent premium increase, with a documented MFA enforcement attestation as a precondition. They rebuilt their AP workflow with a mandatory phone-call verification step before any change to vendor banking information. The AP clerk kept her job — none of this was her fault.
What it cost
The bill, itemized
Wire fraud — funds stolen
$185,000 · Vendor invoice for steel coils. Attacker swapped the routing and account numbers mid-thread. Wired same day.
Recovered from receiving bank
($12,000) · Out of $185K. Funds were moved through 3 intermediary accounts within 36 hours. Most withdrawn in cash.
DFIR + forensic investigation
$28,000 · Determine scope, identify every email read by the attacker, confirm no other inboxes were compromised.
Email system rebuild + identity hardening
$22,000 · Enforced MFA on all accounts, conditional access policies, anti-impersonation rules, mailbox audit logging.
Cyber insurance premium increase (3-year)
$32,000 · Renewal jumped 90% YoY despite no claim paid. Carrier required documented MFA enforcement to renew.
Internal audit + finance process rebuild
$15,000 · AP segregation of duties, mandatory call-back verification on vendor banking changes, ERP controls.
Total estimated
$270,000 · Net loss after $12K recovery. Cyber insurance covered $0. Owner absorbed every dollar.
What we did
EFROS-style response — what an engagement looks like
First call — preserve evidence. Before anything else, we pull a full mailbox audit log for the compromised account and freeze its state. Most BEC claims fail not because the carrier wants to deny — they fail because the evidence the carrier needs has been deleted by the IT vendor "cleaning up" the account in the first 24 hours.
Day 1 — clawback window. We coordinate with the firm's bank to file a Financial Fraud Kill Chain (FFKC) request through FBI IC3 if the wire falls inside the 48-hour window. Inside the window, even partial recovery is possible; outside, almost never.
Days 2 to 5 — scope the compromise. We map every email the attacker read, every mailbox rule they created, every external IP that logged into the account, and every other account in the tenant they touched. We then sweep the rest of the organization for the same attacker indicators — BEC crews rarely compromise just one mailbox.
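The scoping step above is mostly a pass over the tenant's unified audit log. As an added example (not EFROS tooling), the script below triages constructed log records for the two indicators this story turns on: an inbox rule that filters finance words and then hides or diverts the mail, and sign-ins from outside the firm's known address ranges. Parameter names are those of the Exchange Online New-InboxRule cmdlet; the user IDs, addresses and CIDR are made up.

```python
"""Added example: triage M365 unified-audit-log records for BEC indicators (constructed data)."""
import ipaddress

# Words the story's attacker filtered on; finance words + a hide/divert action is the BEC signal.
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "remittance", "ach"}
KEYWORD_PARAMS = {"SubjectOrBodyContainsWords", "SubjectContainsWords", "BodyContainsWords"}
HIDE_OR_DIVERT = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "MoveToFolder", "DeleteMessage", "MarkAsRead"}

SAMPLE_LOG = [  # constructed records; parameter names are those of New-InboxRule
    {"Operation": "UserLoggedIn", "UserId": "ap.clerk@example-fab.test", "ClientIP": "198.51.100.77"},
    {"Operation": "UserLoggedIn", "UserId": "ap.clerk@example-fab.test", "ClientIP": "192.0.2.10"},
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example-fab.test", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire;payment;bank"},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "controller@example-fab.test", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "SubjectContainsWords", "Value": "newsletter"},
        {"Name": "MoveToFolder", "Value": "Reading"}]},
]

def rule_findings(record):
    """Reasons a New-/Set-InboxRule record looks like BEC surveillance; [] when benign."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    words = set()
    for name in params.keys() & KEYWORD_PARAMS:
        words |= {w.strip().lower() for w in params[name].split(";")}
    actions = [f"{n}={params[n]}" for n in sorted(params.keys() & HIDE_OR_DIVERT)]
    # A keyword filter alone, or a move-to-folder alone, is ordinary user behaviour.
    if not (words & FINANCE_WORDS and actions):
        return []
    return ["filters on " + ",".join(sorted(words & FINANCE_WORDS))] + actions

def untrusted_logins(records, trusted_cidrs):
    """(user, ip) for each UserLoggedIn outside trusted ranges. No geolocation check:
    the attacker in this story used a residential VPN exit near the victim's home."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for r in records:
        if r.get("Operation") == "UserLoggedIn":
            ip = ipaddress.ip_address(r["ClientIP"].split(":")[0])  # drop any :port (IPv4)
            if not any(ip in n for n in nets):
                hits.append((r["UserId"], str(ip)))
    return hits
```

Run against a real export, the same two functions give the list of rules to remove and the list of source addresses to hand to the carrier and the bank.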
Days 5 to 10 — identity rebuild. We enforce MFA across every identity, not just the partners. We configure conditional access policies that require MFA on every login from outside a trusted location, enable mailbox audit logging across the tenant, set up anti-impersonation policies for the firm's top vendors and customers, and deploy a phishing-resistant authenticator for the AP and finance team.
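The anti-impersonation policy for top vendors comes down to one check: is this sender's domain a near-copy of a domain we already trust? As an added example (not the firm's or any vendor's code), the block below implements that check and the thread-hijack pattern from this story, where the "changed banks" message arrives as a reply on the real invoice thread from a domain one letter off. The vendor list and the message are constructed.

```python
"""Added example: flag sender domains that are one edit away from a protected vendor
domain, as an anti-impersonation rule for top vendors would (constructed data)."""
from email.utils import parseaddr

PROTECTED_VENDORS = {"acme-steel.test", "northcoil.test"}  # constructed vendor list

def edit_distance(a, b):
    """Levenshtein distance; domains are short so the O(len*len) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(header_value):
    """Domain of the real RFC 5322 From address, ignoring the display name."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def classify_sender(from_header, protected=PROTECTED_VENDORS, max_edits=1):
    """('ok' | 'lookalike' | 'unknown', vendor_domain_or_None).
    Lower-casing first also catches l/I swaps; 'unknown' is not a verdict of safety."""
    dom = sender_domain(from_header)
    if dom in protected:
        return "ok", dom
    for vendor in sorted(protected):
        if edit_distance(dom, vendor) <= max_edits:
            return "lookalike", vendor
    return "unknown", None

def thread_hijack(msg, protected=PROTECTED_VENDORS):
    """True when a reply on an existing thread comes from a lookalike of a domain that
    already participates in that thread: the pattern in this story."""
    verdict, vendor = classify_sender(msg["From"], protected)
    if verdict != "lookalike" or not msg.get("In-Reply-To"):
        return False
    return vendor in {sender_domain(p) for p in msg["thread_participants"]}

# Constructed message: the 'changed banks' reply, sent from a domain with 'l' -> '1'.
SAMPLE_MSG = {
    "From": "Dana Reyes <dana.reyes@acme-stee1.test>",
    "In-Reply-To": "<inv-48117@acme-steel.test>",
    "thread_participants": ["dana.reyes@acme-steel.test", "ap.clerk@example-fab.test"],
}
```

A legitimate vendor whose domain happens to sit one edit from a protected one will also be flagged; that is acceptable for a quarantine-and-review rule, and it is still no substitute for the call-back to a known number.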
Week 3 — finance process redesign. The technology fix is the easy part. We work with the owner's controller to redesign the AP workflow: a mandatory call-back to a known phone number before any change to vendor banking information, dual approval for wires over a threshold, and an ERP rule that flags banking changes for review at the next month-end close.
Insurance application rewrite. We help the owner's broker rewrite the next year's cyber insurance application — accurately, with evidence behind every yes. The premium still rises, but the policy now actually covers the business.
What you should take from this
Five things to do this week
01. BEC is not phishing the partner. It is silent surveillance of the AP clerk for weeks, identifying a real invoice already in motion, and changing two lines of text on the right day. By the time the wire goes out, nothing looks unusual.
02. Cyber insurance applications are not paperwork — they are the policy. If you wrote MFA on the application meaning 'we have it available,' the carrier reads it as 'enforced organization-wide.' At claim time they want screenshots, audit logs, and a dated enforcement policy.
03. The control that would have stopped this is not technology — it is a phone call. A mandatory call-back to a number you already had on file before any change to vendor banking, every time. Most manufacturers do not have this policy, and the ones that do have it do not enforce it.
04. Recovery on a wire is hours, not days. The receiving bank can sometimes claw back if you call within the same business day. After 36 hours, the money is gone in 95% of cases.
05. The attacker did not need to compromise the partner. They compromised the AP clerk and learned the partner's signature, the vendor's name, the typical wire amounts, the approval pattern, and the partner's vacation schedule. They struck the week the partner was at a trade show.
The 60-second self-check
Three yes/no questions
If any answer is no — or any answer is "I think so" — you have the same exposure profile as the manufacturer in this story.
1. If your AP clerk's email is compromised tonight, does MFA — actually enforced, not just available — stop the attacker from reading her mailbox from a different country?
If MFA is configured but not enforced for that account, the answer is no.
2. Does your finance team have a written, signed-off policy requiring a phone call to a known number before any wire goes to a new or changed account?
Not a guideline. A policy with a name on it.
3. Pull last year's cyber insurance application. Does what you wrote match what an auditor would see today?
If the application said MFA, encryption, training, or backups — could you produce evidence that those things were enforced on the day of an incident?
Names, locations, and identifying details changed. Numbers represent typical ranges from EFROS engagements; specific cases vary. Nothing on this page is legal advice.