Petra Security

Corporate Espionage in the Cloud

The quiet side of BEC: how attackers exfiltrate data without leaving a trace.

Adithya Vellal·June 7, 2025

When most defenders hear the term BEC, they typically imagine the following sequence of events:

  • Attacker compromises an email account.
  • Attacker uses account to send out fake invoices or more phishing emails to collaborators.
  • Attacker uses inbox rules to hide activity from real user.

BEC Isn't Always Loud

But, this isn't always the case. Sometimes, attackers are after sensitive data.

E-mail is the backbone on which many businesses are run. A single employee's mailbox often contains sensitive IP, memos about internal strategy, and attachments with proprietary documents. And attackers know this.

That's why nation state actors like Void Blizzard love targeting M365 accounts.

When attackers are after data, they're not loud at all. They slip in, grab what they need, and vanish without a trace:

  • No suspicious emails sent to other accounts.
  • No inbox rules.
  • No suspicious app registrations.

We recently detected an attacker conducting corporate espionage. The attacker was only in the user's mailbox for 10 seconds.

Let's dive into the case.

Note: all identifying details in this case have been anonymized, but the relative timeline of the attacker's activity has been preserved.

A 10 Second Break-In

We caught this one while running a retrospective health check for a tenant in the oil and gas industry.

The user in question was based in Texas. Here are the logins:

Login activity showing four quick logins at 9:48 AM PDT from a Netherlands IP belonging to ISP "oxide group limited," which turned out to be a remote desktop connection.
Login activity showing four quick logins at 9:48 AM PDT from a Netherlands IP belonging to ISP "oxide group limited," which turned out to be a remote desktop connection.

At 9:48 AM PDT, we see four quick logins from an IP in the Netherlands. The ISP is oxide group limited - this IP turned out to be a remote desktop.

This is textbook impossible travel, but it's stealthy:

  • No failed logins from previous attempts to compromise the account.
  • No obviously suspicious proxy networks or VPNs.
  • No prolonged period of suspicious logins - all the malicious logins happened within a 4 second timespan.

Let's take a look at the user's Exchange mailbox logs (subjects are anonymized):

Exchange mailbox logs showing rapid access to emails with anonymized subject lines, documenting the attacker's sweep of sensitive communications.
Exchange mailbox logs showing rapid access to emails with anonymized subject lines, documenting the attacker's sweep of sensitive communications.

Within 10 seconds of logging in, the attacker rapidly accesses emails containing sensitive information and trade secrets:

  • Engineering and modeling output
  • Internal review workflows
  • Project milestone updates

This is what a programmatic, targeted search looks like.

All the mail access happened in a single second, and looked through emails from up to a year ago. The attacker got in, swept the mailbox for the information they were looking for, and got out.

Takeaway: Quick, Quiet, and Clinical.

This attacker was quick, quiet, and clinical. Here's what makes attacks like this so dangerous:

  • Attackers can take seconds. Forget hours or even minutes - this compromise took 10 seconds flat. Well-resourced attackers can move fast, particularly in the age of programmatic toolkits.
  • They leave almost no trace. No inbox rule. No phishing emails. Nothing that would trigger a traditional BEC detection. The only way to catch this is to monitor logins and mail access in real time.
  • They could've come back months later. Microsoft session tokens can last a long time. That means the attacker could've waited months before quietly returning to steal more data using their live session - and no new login events would appear in the logs.

Stealthy is the name of the game. Without the ability to stitch together subtle login and Exchange signals in real time, you're flying blind.

If you're a defender looking to reliably detect these types of stealthy attacks, schedule a demo today.

See what's in your last six months of logs.

Run six months of M365 logs through Petra and get insurance-grade forensics within 48 hours. Five minutes to set up with no sales call.