The BEC loop has three stages. Credentials get stolen — typically through AiTM (adversary-in-the-middle) phishing or stealer malware. The mailbox gets accessed — the attacker uses the harvested session cookie or password. The BEC email goes out — from the legitimate compromised mailbox, fully DMARC-aligned. The Mandiant M-Trends 2026 report puts the median time across the loop, from initial compromise to first attacker action, at twenty-two seconds (Mandiant, 2026).
A defender model that watches only the third stage — the outbound BEC email — is responding to the loop after the damage is done. The leverage is at stage two — between credential theft and outbound action — and the signals that separate those stages live in the identity provider, not the mail flow.
What identity-risk signals actually look like
Microsoft Entra ID (Azure AD) Identity Protection scores sign-ins on a risk dimension. The high-confidence signals are well-documented: impossible travel (sign-in from two cities physically impossible to traverse in the elapsed time), atypical travel (sign-in from a country the user has never accessed from), unfamiliar sign-in properties (new device, new browser, new ASN), token replay (a session cookie used after it should have been invalidated), and password spray (multiple users on the tenant authenticated from the same source within minutes).
Each signal alone is a hint. Two signals together — impossible travel plus token replay, for example — make a high-confidence compromise indicator. Acting on it requires more than visibility; it requires session revocation and password reset orchestrated through the identity provider's API.
Auto session-revocation as a containment primitive
When an identity signal crosses the high-confidence threshold, the right action is to revoke all active sessions for the user in the identity provider, force a password reset, and require fresh MFA on the next sign-in. The action is fast (Microsoft Graph supports it in a single API call), reversible, and minimally disruptive — the legitimate user signs in again with their fresh credentials and continues.
The "auto" in auto session-revocation is what closes the loop. Manual session-revocation, even when the SOC is alerted within minutes, is too slow against a 22-second adversary handoff. Automating the action with a 2-person bypass for safe-room scenarios (so an admin under attack can override if needed) is the practical balance.
Tenant-admin accounts and break-glass accounts should never auto-revoke — too high a blast radius. Standard user accounts can auto-revoke on consensus identity signals. The policy is per-role, not per-tenant.
Audit chain across identity and email
A regulator's post-incident review wants to reconstruct: when the credential leak was detected, when the unusual sign-in fired, what action was taken automatically, who was notified, and when the user re-authenticated cleanly. If those events live in three separate audit logs across three separate products, the reconstruction is messy and the regulator-facing evidence is weak.
A unified audit chain that records the identity-signal trigger, the auto-revocation action, the email-pipeline downstream effect (e.g. inbound mail to the affected mailbox flagged for stricter scrutiny for the next 24 hours), and the eventual all-clear, gives the regulator a single coherent timeline. The chain has to be tamper-evident — typically SHA-256 hash-chained — for the evidence to carry weight.
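The consensus rule (two high-confidence signals), the per-role exclusion for admin and break-glass accounts, and the SHA-256 hash-chained timeline described above, worked through as an added example that is not code from the original article or any vendor product. The signal names, the role labels, the sample user addresses and timestamps are constructed for the example, and the actual Graph revocation call is stubbed so it runs offline.

```python
import hashlib
import json

# Entra ID Identity Protection detections the article treats as high-confidence.
HIGH_CONFIDENCE = {"impossibleTravel", "atypicalTravel", "unfamiliarProperties",
                   "tokenReplay", "passwordSpray"}
# Per-role policy: these roles never auto-revoke (blast radius too high).
NEVER_AUTO_REVOKE = {"tenant-admin", "break-glass"}


def should_auto_revoke(role, signals):
    """Consensus rule: two distinct high-confidence signals on an eligible role."""
    if role in NEVER_AUTO_REVOKE:
        return False, "role excluded from auto-revocation"
    hits = sorted(set(signals) & HIGH_CONFIDENCE)
    if len(hits) < 2:
        return False, "fewer than two high-confidence signals"
    return True, "consensus: " + ",".join(hits)


class AuditChain:
    """Append-only timeline; each entry's SHA-256 covers its body and the previous hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, source, event, ts, **fields):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "source": source, "event": event,
                "ts": ts, "prev": prev, **fields}
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self):
        """Return False if any entry was edited, removed or reordered after the fact."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def handle_risky_signin(chain, user, role, signals, ts):
    """Record trigger, decision, containment and the mail-side effect on one chain."""
    chain.append("identity", "risk-signals", ts, user=user, signals=sorted(signals))
    revoke, reason = should_auto_revoke(role, signals)
    chain.append("identity", "decision", ts, user=user, auto_revoke=revoke, reason=reason)
    if revoke:
        # Production would call Graph (revokeSignInSessions + forced password reset);
        # stubbed here so the example is self-contained.
        chain.append("identity", "sessions-revoked", ts, user=user)
        chain.append("mail", "inbound-scrutiny-raised", ts, user=user, hours=24)
    return revoke
```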
POPIA Section 19 and Section 22 implications
Containment is the Section 19 obligation; notification is Section 22 (Republic of South Africa, 2013). An auto-revocation action that contains a compromise within minutes reduces the scope of what has to be notified under Section 22 — the universe of accessed personal information shrinks, which tightens the notification text. Vendors that bridge identity and email and audit the bridge make both obligations easier to defend.
The Information Regulator has signalled that "as soon as reasonably possible" for Section 22 notification is shrinking — the global trend across jurisdictions is toward 72-hour and 24-hour windows for high-risk data categories. A defence posture that automates the contain-and-document loop is necessary infrastructure for those windows.
References
Mandiant (2026) M-Trends 2026 Report. Google Cloud / Mandiant. Available at: https://cloud.google.com/security/resources/m-trends (Accessed: 8 May 2026).
Republic of South Africa (2013) Protection of Personal Information Act, No. 4 of 2013. Government Gazette of the Republic of South Africa.