Finance Workflow Hardened After Repeated Phishing Attempts

After two near-miss phishing attempts targeting vendor payments, a biotech formalized email security and payment verification controls.

What We Achieved
  • Eliminated high-likelihood wire fraud exposure in vendor payment workflows
  • Reduced financial loss liability from business email compromise
  • Established layered email authentication aligned to enterprise security standards
  • Converted finance risk from reactive detection to structural prevention
The Challenge

The finance team got hit twice in three months. Both times, someone impersonating an existing vendor sent an email asking to update ACH details.

The first one was caught because the controller noticed the reply-to address looked weird. The second one almost went through: the AP person had the wire queued up before someone asked why the vendor was changing banks again.

Both emails came from lookalike domains (one letter off), referenced real invoice numbers, and sounded exactly like the vendor. Standard M365 filtering let them through. There was no formal process for verifying payment changes; people just handled it.

The Solution

Defender wasn't catching these because the emails were well-crafted: no malware, no bad links, just convincing text from a lookalike domain. We deployed a dedicated phishing protection layer that sits in front of M365 and analyzes sender behavior, domain age, and impersonation patterns. It flagged the exact type of attack they'd been hit with.

We added the executive team and finance contacts to the protected senders list. We moved DMARC to reject, which broke email forwarding to a contractor's personal Gmail and took two days to sort out.

On the process side, we wrote a simple rule: any request to change banking details requires a phone call to a known number. Not the number in the email, a number from the original contract. Finance pushed back at first because it felt slow, but after we showed them how close the second attempt came, they got on board.
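The two controls above (spot the one-letter-off lookalike and the mismatched reply-to, then force the callback to the contract number rather than anything in the email) can be expressed as a small triage check an AP team or mail pipeline could run before a payment change is touched. The script below is an added example, not the product or process the case study describes; the vendor directory, phone numbers, headers and email body are constructed sample data.

```python
"""
Added example (not from the case study): triage an inbound vendor email that
may be asking for a payment-detail change.

Signals checked, mirroring the write-up:
  1. sender domain within one edit of a known vendor domain but not equal to it
  2. Reply-To domain that differs from the visible From domain
  3. banking-change language in the body (ACH, wire, routing number, ...)

Any hit puts the payment on hold and returns the phone number from the
vendor directory (the "original contract" number), never one from the email.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical vendor directory: exact domain -> phone number taken from the signed contract.
VENDOR_DIRECTORY: Dict[str, str] = {
    "acmereagents.com": "+1-555-0100",
    "labsupplyco.com": "+1-555-0101",
}

# Word-bounded so "attached" does not match "ach".
BANKING_RE = re.compile(r"\b(ach|wire|routing number|bank account|remittance|new bank)\b")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches the 'one letter off' lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Lowercase domain of an address written as 'user@host' or 'Name <user@host>'."""
    addr = addr.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class Verdict:
    flags: List[str] = field(default_factory=list)
    callback_number: Optional[str] = None  # out-of-band number; never taken from the email

    @property
    def hold_payment(self) -> bool:
        return bool(self.flags)


def triage(headers: Dict[str, str], body: str, directory: Dict[str, str] = VENDOR_DIRECTORY) -> Verdict:
    v = Verdict()
    from_dom = sender_domain(headers.get("From", ""))
    reply_dom = sender_domain(headers.get("Reply-To", headers.get("From", "")))

    # 1. Exact match gives us the contract number; a near miss is a lookalike.
    for known, phone in directory.items():
        if from_dom == known:
            v.callback_number = phone
        elif edit_distance(from_dom, known) <= 1:
            v.flags.append(f"lookalike domain {from_dom!r} (near {known!r})")
            v.callback_number = phone  # verify with the real vendor's contract number

    # 2. Reply-To steering replies to a different domain than the visible sender.
    if reply_dom != from_dom:
        v.flags.append(f"reply-to domain {reply_dom!r} differs from from domain {from_dom!r}")

    # 3. Any banking-change request triggers the callback rule, even from a genuine vendor.
    if BANKING_RE.search(body.lower()):
        v.flags.append("requests banking-detail change; callback to contract number required")

    return v


# Constructed sample: one letter missing from the vendor domain, reply-to elsewhere.
SAMPLE_HEADERS = {
    "From": "Accounts <ap@acmereagent.com>",
    "Reply-To": "ap.acme@mail-example.net",
}
SAMPLE_BODY = "Please update our ACH routing number for invoice 4471 before Friday."

if __name__ == "__main__":
    verdict = triage(SAMPLE_HEADERS, SAMPLE_BODY)
    print("HOLD" if verdict.hold_payment else "OK", "- call", verdict.callback_number)
    for flag in verdict.flags:
        print("  *", flag)
```

Note that rule 3 fires for a genuine vendor too; that is the point of the process rule in the case study, which makes the callback unconditional for banking changes rather than dependent on the filter's judgement.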

We also ran a focused training session with finance, not the generic "don't click links" stuff. We showed them actual BEC emails and had them spot the red flags.

We were one distracted Friday away from wiring $40K to some guy in Eastern Europe. That was a fun conversation with the CEO. At least now we have an actual process.

Controller

Growth-Stage Biotech