The Situation
The call came on a Friday afternoon. A grant-making foundation that had wired £180,000 to the charity two weeks earlier was following up on their funding agreement. The charity's finance team had no record of receiving the payment.
The foundation provided wire transfer confirmation showing the funds had been sent successfully. The receiving account details matched an invoice the foundation had received, apparently from the charity, requesting payment to updated banking details. The charity had never sent that invoice.
Someone had compromised a charity email account, monitored correspondence with funders, and intercepted a six-figure grant payment. The internal IT team found suspicious sign-ins from Eastern European IP addresses but could not determine the full scope. The M365 audit logs showed activity but the narrative remained unclear.
Legal counsel needed a comprehensive list of accessed emails for ICO notification. The CEO needed confirmation about whether donor data had been compromised. And somewhere, £180,000 of charitable funds had vanished into a fraudulent account.
The Challenge
ICO notification requirements specify 72 hours from the organisation becoming aware of a personal data breach. The charity faced multiple urgent requirements: assess regulatory exposure, determine donor data status, and understand how the compromise occurred.
Manual review of M365 Unified Audit Logs is painstaking work. The internal team estimated 40 or more hours of focused analysis to filter thousands of events, correlate timestamps, and build a coherent timeline.
The £180,000 was gone, but the threat actor might still have access. Each day of uncertainty was another day they might attempt additional fraud against other funders. The charity needed answers quickly, but they also needed to be thorough.
The Investigation
Strand connected to the charity's M365 tenant within minutes. The automated forensic analysis of Unified Audit Logs completed in under 25 minutes, covering ground that would have taken the internal team over a week.
The Phishing Campaign: A Potential Donor
The attack began with a simple enquiry. Three weeks before the fraud, a fundraising team member received an email from someone claiming to represent a family foundation interested in supporting the charity's work. The email was plain text, no links, no attachments. Just questions about the charity's programmes and impact.
The email contained no malicious content and passed all security filters. Over the following two weeks, the threat actor exchanged multiple emails with the fundraising team, asking about grant application processes, funding priorities, and reporting requirements. This rapport-building phase established trust before any malicious content was introduced.
The Credential Harvest: Google Sites Abuse
After two weeks of legitimate-seeming correspondence, the threat actor sent a link to what they described as their foundation's funding guidelines. The link pointed to sites.google.com, a legitimate Google domain that most email security filters and URL reputation systems allow through, so the message reached the inbox untouched.
The Google Sites page was designed to look like a professional foundation website. It displayed a preview of a PDF document titled "Grant Application Guidelines 2025" with a button to "View Full Document." Clicking this button redirected to a Microsoft 365 login page on a lookalike domain. The victim entered their credentials believing they needed to sign in to access the document. The threat actor waited 48 hours before using the stolen credentials.
The Critical Discovery: PerfectData Software OAuth Abuse
This finding was missed by the internal review. The threat actor had granted consent to PerfectData Software, a legitimate backup application that has become one of the most abused OAuth apps in business email compromise. Darktrace and Kroll both documented this application as a primary method for mailbox exfiltration throughout 2024 and 2025.
M365 Unified Audit Log analysis revealed the operation "Consent to application." (the UAL records it with a trailing period) for App ID ff8d92dc-3d82-41d6-bcbd-b9174d163620 (PerfectData Software) at 2025-09-15 14:32:17. The app was granted the delegated permission EWS.AccessAsUser.All, which gives it the same mailbox access as the user: read, modify, and export every message. The consent, and any refresh token already issued under it, survives a password reset. MailItemsAccessed records carrying this App ID in their ClientAppId field confirmed that 847 emails were accessed through the application. PerfectData is a legitimate tool designed for mailbox backup, but that same broad permission makes it ideal for threat actors seeking to exfiltrate an entire mailbox without necessarily triggering any of Microsoft's default alerts.
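The consent record is the one line in the audit log that the internal review walked past. The following is an added example, not code from the case study or from the Strand product, that scans exported Unified Audit Log records for exactly this pattern: a "Consent to application." operation that names a watch-listed App ID or grants a whole-mailbox scope. The sample records are constructed to approximate the AuditData JSON of a UAL export (the ConsentAction.Permissions property is a free-text string, and the App ID also appears in the Target array); because real layouts vary between exports, the matcher searches the whole record for GUIDs and "Scope:" fragments rather than assuming a fixed path. The watchlist contains only the PerfectData Software ID given in the text; every other identifier in the sample is a placeholder.

```python
"""Flag risky OAuth consents in Microsoft 365 Unified Audit Log records.

Added example, not code from the original case study or from Strand.
Sample records are constructed to approximate a UAL export (the AuditData
column holds one JSON document per row); layouts vary, so matching is
deliberately tolerant of where the App ID and scopes appear.
"""
import csv
import json
import re

# App IDs that warrant an immediate look. Only the PerfectData Software ID
# comes from the case study; extend the set from your own intelligence.
WATCHLIST_APP_IDS = {
    "ff8d92dc-3d82-41d6-bcbd-b9174d163620": "PerfectData Software",
}

# Delegated scopes that hand an app the whole mailbox or let it send as the user.
MAILBOX_SCOPES = {
    "EWS.AccessAsUser.All", "full_access_as_user", "Mail.ReadWrite",
    "Mail.Read", "Mail.Send", "MailboxSettings.ReadWrite",
}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# ConsentAction.Permissions reads like
# "[] => [[Id: ..., ClientId: ..., Scope: EWS.AccessAsUser.All offline_access]]"
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


def load_ual_csv(path):
    """Yield AuditData JSON documents from a Search-UnifiedAuditLog CSV export."""
    with open(path, newline="", encoding="utf-8-sig") as fh:
        for row in csv.DictReader(fh):
            yield json.loads(row["AuditData"])


def is_consent_operation(operation):
    # The UAL writes "Consent to application." with a trailing period; a
    # filter typed without it silently matches nothing, so normalise here.
    return operation.rstrip(".").strip().lower() == "consent to application"


def analyse_consent(record):
    """Return a finding for a risky consent record, or None if benign."""
    if not is_consent_operation(record.get("Operation", "")):
        return None
    props = {p.get("Name"): str(p.get("NewValue", ""))
             for p in record.get("ModifiedProperties", [])}
    blob = json.dumps(record.get("ModifiedProperties", [])) \
        + json.dumps(record.get("Target", []))
    guids = {g.lower() for g in GUID_RE.findall(blob)}
    scopes = set()
    for chunk in SCOPE_RE.findall(blob):
        scopes.update(chunk.split())          # scopes are space separated
    apps = {g: WATCHLIST_APP_IDS[g] for g in guids if g in WATCHLIST_APP_IDS}
    risky = scopes & MAILBOX_SCOPES
    if not apps and not risky:
        return None
    severity = "critical" if apps and risky else "high" if risky else "medium"
    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "ip": record.get("ClientIP"),
        "apps": apps,
        "scopes": sorted(risky),
        "admin_consent": props.get("ConsentContext.IsAdminConsent", "").lower() == "true",
        "severity": severity,
    }


def scan(records):
    """Run analyse_consent over an iterable of records, worst findings first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = [f for f in map(analyse_consent, records) if f]
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample: the consent from the case study, a benign consent to a
# placeholder app, and an unrelated sign-in record.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-09-15T14:32:17", "Operation": "Consent to application.",
     "Workload": "AzureActiveDirectory", "UserId": "fundraising@charity.example",
     "ClientIP": "203.0.113.10",
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False", "OldValue": ""},
         {"Name": "ConsentAction.Permissions", "OldValue": "",
          "NewValue": "[] => [[Id: p1, ClientId: 11111111-1111-1111-1111-111111111111, "
                      "PrincipalId: 22222222-2222-2222-2222-222222222222, "
                      "ConsentType: Principal, Scope: EWS.AccessAsUser.All offline_access User.Read]]"}],
     "Target": [{"ID": "ff8d92dc-3d82-41d6-bcbd-b9174d163620", "Type": 2},
                {"ID": "PerfectData Software", "Type": 1}]},
    {"CreationTime": "2025-09-16T09:01:00", "Operation": "Consent to application.",
     "UserId": "ops@charity.example", "ClientIP": "198.51.100.7",
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False", "OldValue": ""},
         {"Name": "ConsentAction.Permissions", "OldValue": "",
          "NewValue": "[] => [[Id: p2, ClientId: 44444444-4444-4444-4444-444444444444, "
                      "ConsentType: Principal, Scope: User.Read openid profile]]"}],
     "Target": [{"ID": "44444444-4444-4444-4444-444444444444", "Type": 2}]},
    {"CreationTime": "2025-09-16T09:05:00", "Operation": "UserLoggedIn",
     "UserId": "ops@charity.example"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f["severity"].upper(), f["time"], f["user"], f["apps"], f["scopes"])
```

On a real export, replace SAMPLE_RECORDS with load_ual_csv("export.csv"). A "critical" finding (watch-listed app plus mailbox scope, user consent rather than admin consent) is the signal to pull the MailItemsAccessed records for that App ID next rather than waiting for the timeline to finish.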
Inbox Rules: Concealing Activity
Within minutes of gaining access, the threat actor created inbox rules to hide their activity. Mail from the IT department was moved automatically to the rarely opened RSS Feeds folder, and anything mentioning passwords or security was deleted on arrival.
The audit log operation "New-InboxRule" revealed two rules: "IT Updates" (condition: From contains "IT"; action: move to the RSS Feeds folder) and "Security" (condition: Subject contains "password" or "security"; action: permanently delete). These rules explain why the user never saw the security alerts.
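Both rules score highly on the tells that distinguish attacker rules from a user's own filters: routing mail to a folder nobody opens, deleting it outright, and keying on security or finance vocabulary. The following is an added example, not code from the case study or from Strand, that scores New-InboxRule and Set-InboxRule records from the Unified Audit Log on those tells. It assumes the Parameters array of Name/Value pairs that those operations write (the Outlook-client UpdateInboxRules operation uses a different layout and is not handled). The sample records are constructed from the two rules described above plus one benign rule; folder names and keyword lists are starting points, not an exhaustive set.

```python
"""Score inbox rules from Unified Audit Log records for signs of attacker use.

Added example, not code from the original case study or from Strand.
Handles New-InboxRule / Set-InboxRule, whose Parameters array holds
Name/Value pairs. Sample records below are constructed.
"""

# Folders users rarely open; routing mail here hides it in plain sight.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "junk e-mail",
                  "archive", "conversation history", "deleted items", "notes"}
# Terms attackers filter on to suppress warnings or to catch finance traffic.
CONTENT_WORDS = {"password", "security", "mfa", "phish", "phishing", "fraud",
                 "hack", "hacked", "suspicious", "compromise", "invoice",
                 "payment", "bank", "wire"}
# Senders whose mail an attacker most wants the victim never to see.
SENDER_WORDS = {"it", "helpdesk", "support", "security", "admin", "noreply", "no-reply"}
CONTENT_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
SENDER_PARAMS = ("From", "FromAddressContainsWords")


def _params(record):
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _terms(value):
    # The UAL serialises multi-valued parameters as a ';'-separated string.
    return {t.strip().lower() for t in value.replace(",", ";").split(";") if t.strip()}


def score_rule(record):
    """Return (score, reasons) for one New-InboxRule / Set-InboxRule record."""
    p = _params(record)
    score, reasons = 0, []
    if p.get("DeleteMessage", "").lower() == "true":
        score += 3
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").strip().lower() in HIDING_FOLDERS:
        score += 3
        reasons.append(f"moves mail to '{p['MoveToFolder']}'")
    for name in CONTENT_PARAMS:
        hit = _terms(p.get(name, "")) & CONTENT_WORDS
        if hit:
            score += 2
            reasons.append(f"{name} matches {sorted(hit)}")
    for name in SENDER_PARAMS:
        hit = _terms(p.get(name, "")) & SENDER_WORDS
        if hit:
            score += 2
            reasons.append(f"{name} targets {sorted(hit)}")
    for name in ("MarkAsRead", "StopProcessingRules"):
        if p.get(name, "").lower() == "true":
            score += 1
            reasons.append(f"{name} set")
    if len(p.get("Name", "").strip()) <= 2:          # ".", "a", "" are classic
        score += 1
        reasons.append("blank or near-blank rule name")
    return score, reasons


def audit_inbox_rules(records, threshold=3):
    """Return flagged rules (score >= threshold), highest score first."""
    flagged = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        score, reasons = score_rule(rec)
        if score >= threshold:
            flagged.append({"rule": _params(rec).get("Name", ""),
                            "user": rec.get("UserId"), "time": rec.get("CreationTime"),
                            "ip": rec.get("ClientIP"), "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: -f["score"])


def _rule(time, name, *params):
    """Constructed New-InboxRule record in simplified AuditData form."""
    return {"CreationTime": time, "Operation": "New-InboxRule", "Workload": "Exchange",
            "UserId": "fundraising@charity.example", "ClientIP": "203.0.113.10",
            "Parameters": [{"Name": "Name", "Value": name}]
                          + [{"Name": n, "Value": v} for n, v in params]}


# Constructed samples: the two rules from the case study and one benign rule.
SAMPLE_RULE_RECORDS = [
    _rule("2025-09-15T14:35:10", "IT Updates", ("From", "IT"), ("MoveToFolder", "RSS Feeds")),
    _rule("2025-09-15T14:36:42", "Security", ("SubjectContainsWords", "password;security"),
          ("DeleteMessage", "True")),
    _rule("2025-08-02T10:12:00", "Newsletters", ("From", "news@example.org"),
          ("MoveToFolder", "Newsletters")),
]

if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_RULE_RECORDS):
        print(f["time"], f["user"], repr(f["rule"]), f["score"], "; ".join(f["reasons"]))
```

The score is deliberately additive so that a single weak tell (a rule that marks mail as read) does not fire on its own, while any hiding action combined with a security or IT keyword does. Run it over every New-InboxRule and Set-InboxRule record in the incident window, not just the compromised user's, since the same actor often plants rules in several mailboxes.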
The Scope: 847 Emails Accessed, 23 Emails Sent
Strand generated a comprehensive list of every email accessed by the threat actor. The total was 847 emails spanning two years of correspondence. More critically, it identified 23 emails sent from the compromised account, including the fraudulent invoice to the grant-making foundation.
Analysis of the MailItemsAccessed operations revealed the access pattern. Every record had IsThrottled=False, which matters: Exchange Online stops writing MailItemsAccessed records for a mailbox once it exceeds 1,000 in 24 hours and marks the cut-off with IsThrottled=True, so a throttled log would have made 847 a floor rather than a total. The threat actor targeted emails containing keywords: "payment," "invoice," "bank," "grant," and "wire." They also accessed the global address list to identify other funders and high-value targets within the organisation.
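The 847 figure comes from counting distinct messages across MailItemsAccessed records, and getting that count right depends on three details of the record format: Bind records list each message by InternetMessageId, Sync records name only the folder that was synchronised (so the whole folder must be treated as exposed), and IsThrottled=True means logging stopped for the rest of that day. The following is an added example, not code from the case study or from Strand, that scopes a compromise per ClientAppId with those rules. It assumes MailAccessType and IsThrottled are carried in the OperationProperties Name/Value array, as the UAL writes them, and falls back to top-level keys for flattened exports. Sample records are constructed; the second App ID is a placeholder for the user's normal mail client. Note that MailItemsAccessed carries no subjects, so the keyword pattern described above has to come from resolving the message IDs against the mailbox itself.

```python
"""Scope a mailbox compromise from MailItemsAccessed records, per client app.

Added example, not code from the original case study or from Strand.
Sample records are constructed; real AuditData JSON carries more fields.
"""
from collections import defaultdict
from datetime import datetime

PERFECTDATA_APP_ID = "ff8d92dc-3d82-41d6-bcbd-b9174d163620"   # from the case study
OTHER_APP_ID = "00000000-0000-0000-0000-000000000001"          # placeholder client


def _op_prop(rec, name):
    """MailAccessType / IsThrottled live in OperationProperties as Name/Value
    pairs; tolerate exports that flatten them to top-level keys."""
    for p in rec.get("OperationProperties", []):
        if p.get("Name") == name:
            return str(p.get("Value", ""))
    return str(rec.get(name, ""))


def scope_mail_access(records):
    """Group MailItemsAccessed records by ClientAppId and summarise exposure."""
    apps = defaultdict(lambda: {"messages": set(), "synced_folders": set(),
                                "sessions": set(), "ips": set(),
                                "throttled": False, "first": None, "last": None})
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        app = apps[rec.get("ClientAppId") or rec.get("ClientInfoString", "unknown")]
        ts = datetime.fromisoformat(rec["CreationTime"])
        app["first"] = ts if app["first"] is None or ts < app["first"] else app["first"]
        app["last"] = ts if app["last"] is None or ts > app["last"] else app["last"]
        if rec.get("SessionId"):
            app["sessions"].add(rec["SessionId"])
        if rec.get("ClientIPAddress"):
            app["ips"].add(rec["ClientIPAddress"])
        if _op_prop(rec, "IsThrottled").lower() == "true":
            app["throttled"] = True       # everything after this is a floor
        sync = _op_prop(rec, "MailAccessType") == "Sync"
        for folder in rec.get("Folders", []):
            if sync:
                app["synced_folders"].add(folder.get("Path"))
            for item in folder.get("FolderItems", []):
                if item.get("InternetMessageId"):
                    app["messages"].add(item["InternetMessageId"])
    return dict(apps)


def summarise(scope):
    """Human-readable lines, one per client app, worst exposure first."""
    lines = []
    for app_id, s in sorted(scope.items(), key=lambda kv: -len(kv[1]["messages"])):
        qualifier = "at least " if s["throttled"] else ""
        lines.append(f"{app_id}: {qualifier}{len(s['messages'])} distinct messages, "
                     f"{len(s['synced_folders'])} folder(s) fully synced, "
                     f"{len(s['sessions'])} session(s) from {sorted(s['ips'])}, "
                     f"{s['first']:%Y-%m-%d %H:%M} to {s['last']:%Y-%m-%d %H:%M}"
                     + (" [THROTTLED: log incomplete]" if s["throttled"] else ""))
    return lines


def _rec(time, app, session, ip, access, folders, throttled=False):
    """Constructed MailItemsAccessed record in simplified AuditData form."""
    return {"CreationTime": time, "Operation": "MailItemsAccessed",
            "UserId": "fundraising@charity.example", "ClientAppId": app,
            "SessionId": session, "ClientIPAddress": ip,
            "OperationProperties": [{"Name": "MailAccessType", "Value": access},
                                    {"Name": "IsThrottled", "Value": str(throttled)}],
            "Folders": [{"Path": path, "FolderItems": [{"InternetMessageId": m} for m in msgs]}
                        for path, msgs in folders.items()]}


SAMPLE_RECORDS = [
    _rec("2025-09-15T14:40:02", PERFECTDATA_APP_ID, "s1", "203.0.113.10", "Bind",
         {"\\Inbox": ["<m1@x>", "<m2@x>", "<m3@x>"]}),
    _rec("2025-09-15T14:41:30", PERFECTDATA_APP_ID, "s1", "203.0.113.10", "Bind",
         {"\\Inbox": ["<m3@x>", "<m4@x>"], "\\Sent Items": ["<m5@x>"]}),
    _rec("2025-09-17T08:02:11", PERFECTDATA_APP_ID, "s2", "203.0.113.11", "Sync",
         {"\\Sent Items": []}),
    _rec("2025-09-17T08:09:45", PERFECTDATA_APP_ID, "s2", "203.0.113.11", "Bind",
         {"\\Inbox": ["<m6@x>"]}, throttled=True),
    _rec("2025-09-16T11:00:00", OTHER_APP_ID, "s9", "198.51.100.7", "Bind",
         {"\\Inbox": ["<m1@x>"]}),
]

if __name__ == "__main__":
    print("\n".join(summarise(scope_mail_access(SAMPLE_RECORDS))))
```

The per-app split is what separates the attacker's reads from the user's own Outlook activity in the same mailbox; the "at least" qualifier and the THROTTLED marker are what stop a scoped count from being reported to counsel as a complete list when it is not.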
Donor Data: Confirmed Secure
The CEO's primary concern was donor information. Strand's analysis confirmed that while the threat actor accessed finance-related correspondence, they had not accessed donor management system integration emails or any bulk data exports.
Keyword analysis of accessed emails showed zero matches for donor-related terms. The threat actor appeared focused exclusively on payment fraud rather than data theft. This pattern is common in BEC operations targeting charities and non-profits.
Attack Timeline
Initial contact
- Email from "potential donor"
- Plain text, no links, questions about charity programmes
Zero indicators of compromise
Trust building
- Multiple email exchanges
- Questions about grant processes and reporting
Social engineering phase
Credential phishing
- "Funding guidelines" link to sites.google.com
- "View Document" button redirects to phishing page
Lookalike domain credential harvest
Account compromise
- First login from VPN egress IP
- MFA enrolled (authenticator app)
Location: Eastern Europe
Persistence established
- PerfectData Software OAuth consent
- Inbox rules created to hide activity
EWS.AccessAsUser.All permission granted
Mailbox reconnaissance
- 847 emails accessed over 11 days
- Funder correspondence monitored
Fraud executed
- Fake invoice with updated bank details sent to funder
- £180,000 grant payment diverted
Incident discovered
- Funder follows up on missing acknowledgement
- Charity has no record of receiving payment
Key Takeaways
1. Multi-turn social engineering campaigns bypass security training focused on spotting suspicious links. Staff should be trained to verify unexpected requests, and any change to payment details, regardless of how legitimate the correspondence appears.
2. Google Sites and other legitimate platforms are increasingly used to host phishing content. URL reputation alone is insufficient.
3. PerfectData Software (App ID ff8d92dc-3d82-41d6-bcbd-b9174d163620) is one of the most commonly abused OAuth applications in BEC campaigns. Organisations should alert on consent to this specific application and on any backup or mail tool requesting EWS.AccessAsUser.All.
4. OAuth application consent is a critical attack vector. Microsoft recommends restricting user consent to apps from verified publishers and implementing an admin consent workflow.
5. Password resets alone do not remove OAuth application access. The consent persists until it is explicitly revoked under Enterprise Applications in Microsoft Entra ID (formerly Azure AD), and tokens already issued keep working until they expire, so the user's sessions must be revoked as well.
6. Inbox rules are commonly used to conceal attacker activity. The MailItemsAccessed audit log operation is essential for determining the scope of mailbox compromise, and its IsThrottled property must be checked before the count is treated as complete.