Mailbox Compromise Audit Checklist.
What to check first when a mailbox may be compromised: forwarding rules, filters, OAuth apps, logins, and invoice threads. Use this as a practical pre-payment checkpoint, then turn the process into a reusable workflow with the BEC Defense Pack.
Run these steps before approval.
- Review forwarding rules
- Review hidden filters
- Inspect OAuth app grants
- Check recent logins
- Search deleted/sent invoice threads
Make the decision visible and documented before payment leaves the business.
Escalate immediately if any of these are true.
- Money has already moved to a new or suspicious account.
- A mailbox has unknown forwarding rules, filters, OAuth grants, or unusual logins.
- The request touches client funds, regulated data, payroll, trust accounts, taxes, or legal deadlines.
- Two internal approvers disagree or cannot verify the requester off-thread.
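A triage pass over the mailbox checks above, as an added example that is not part of the original page: it flags external forwarding, rules that hide finance mail, unapproved mail-scope OAuth grants, and successful logins from unusual countries. The export layout, key names, domains and app IDs are hypothetical, and the sample records are constructed.

```python
# Added example: the export layout and every key name here are hypothetical.
OWN_DOMAINS = {"example.com"}  # assumption: domains your organisation owns
FINANCE_TERMS = {"invoice", "payment", "wire", "ach", "remittance", "bank"}
MAIL_SCOPES = {"mail.read", "mail.readwrite", "mail.send"}  # sample mail scopes

def audit_rules(rules):
    findings = []
    for r in rules:
        external = [a for a in r["forward_to"]
                    if a.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS]
        if external:
            findings.append(("external_forward", r["name"], external))
        # A rule that deletes, marks read or moves finance mail hides the thread.
        hides = any(a in ("delete", "mark_read") or a.startswith("move_to:")
                    for a in r["actions"])
        if hides and FINANCE_TERMS & {w.lower() for w in r["match"]}:
            findings.append(("hides_finance_mail", r["name"], r["actions"]))
    return findings

def audit_grants(grants, approved_apps):
    findings = []
    for g in grants:
        risky = sorted(s for s in g["scopes"] if s.lower() in MAIL_SCOPES)
        if risky and g["app_id"] not in approved_apps:
            findings.append(("unapproved_mail_grant", g["app_name"], risky))
    return findings

def audit_logins(logins, usual_countries):
    return [("unusual_login", l["time"], l["country"]) for l in logins
            if l["success"] and l["country"] not in usual_countries]

def audit_mailbox(export, approved_apps, usual_countries):
    return (audit_rules(export["rules"]) + audit_grants(export["grants"], approved_apps)
            + audit_logins(export["logins"], usual_countries))

# Constructed sample export (not real data).
SAMPLE = {
    "rules": [
        {"name": ".", "match": ["Invoice", "payment"], "forward_to": [],
         "actions": ["mark_read", "move_to:RSS Feeds"]},
        {"name": "sync", "match": [], "actions": [], "forward_to": ["drop@mailbox.invalid"]},
        {"name": "News", "match": ["unsubscribe"], "forward_to": [],
         "actions": ["move_to:News"]}],
    "grants": [{"app_id": "app-0001", "app_name": "PDF Helper",
                "scopes": ["Mail.Read", "offline_access"]}],
    "logins": [{"time": "2024-01-01T03:12Z", "country": "ZZ", "success": True},
               {"time": "2024-01-01T09:00Z", "country": "US", "success": True}],
}

if __name__ == "__main__":
    print(*audit_mailbox(SAMPLE, {"app-0002"}, {"US"}), sep="\n")
```

Any finding it returns maps to the second escalation condition above and should be reviewed by a person before the payment is approved.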