Threat Intelligence & Incident Response
How BEC and wire fraud actually unfold in a dental practice — the supplier-impersonation pattern, the inbox-rule trick, the controls that catch it, and what to do in the first 4 hours.
The wires that go missing in dental offices almost never go missing because of malware. They go missing because someone replied to a real email thread with new bank details on a Friday afternoon, and nobody picked up the phone to check.
Once you have seen the pattern, you stop arguing about whether it could happen to your practice and start asking what is in place to catch it.
There are two doors. Either the attacker has compromised the office manager's mailbox, or they have compromised the lab or a supplier the practice pays regularly. Either way, the attacker is now sitting inside a real Microsoft 365 inbox watching real conversations.
They are not in a hurry. They are reading email, looking for one specific thing — an invoice exchange. A thread where the lab says "here is the bill for the crown work" and the office manager says "got it, paying Friday."
When that thread surfaces, the attacker replies to it. From inside the real mailbox. Against the real invoice. Same signature, same tone, same chain the office manager has been reading all week.
"Hi — quick heads up, we've changed banks for ACH and wires. Please send Friday's payment to the new account below. Old account is closed as of this week. Thanks."
The wire goes. The office manager has no reason to suspect anything. The email came from the lab's real address. It is sitting under the lab's real invoice. The signature is identical. The amount is right.
Nothing looks wrong until the real lab calls a few weeks later asking about the unpaid invoice.
Let me put it on a timeline. This is a composite — none of this is one specific practice — but every beat in it has happened in real dental offices in the last two years.
Tuesday morning. The office manager receives an email that looks like an ADA membership renewal notice. The link goes to a clean-looking login page that looks exactly like Microsoft 365. She enters her password. The page prompts her for the Microsoft Authenticator code on her phone. She approves it. The page redirects to a generic ADA landing. She moves on with her day.
What actually happened: she entered her credentials on a proxy. Behind the scenes, an adversary-in-the-middle kit forwarded the password to the real Microsoft login, captured the MFA prompt, forwarded that too, and then captured the post-authentication session cookie that Microsoft handed back. The attacker now has the cookie.
Wednesday. The attacker logs in from another country using the stolen session cookie. Because the cookie is post-MFA, Microsoft treats them as fully authenticated. No second prompt. No alert from the user's authenticator app. They then create an inbox rule that is the real fingerprint of this attack:
That last step is the cruel part. The office manager never sees the incoming invoices or the supplier replies. The attacker does.
Thursday. The attacker watches the lab invoice thread come in for a $48,000 monthly statement. The real lab sends the bill. The rule routes a copy to the attacker and hides the original. The attacker now has the thread, the invoice PDF, the wording the lab uses, and the office manager's normal payment cadence.
Friday, 2 p.m. The attacker replies to the lab thread from inside the office manager's own mailbox — or, in the other variant of this attack, from inside the lab's compromised mailbox — with new payment instructions. The office manager initiates the wire through the bank's portal. Two hours later it is gone.
The following Tuesday. The real lab calls asking when payment is coming. The office manager pulls up the thread, reads the "we changed banks" message, and the floor falls out.
MFA is not the problem. MFA is necessary. But the version of MFA most dental offices have — a push notification or a 6-digit code — does not stop adversary-in-the-middle.
Public AiTM phishing kits like EvilProxy, Tycoon, NakedPages, and Mamba 2FA have been documented widely throughout 2024 and 2025. They are sold as subscription services. They proxy the real Microsoft login page and capture the session cookie that Microsoft issues after MFA is satisfied. Once that cookie is replayed, the tenant cannot tell the attacker apart from the user.
The only MFA factors that resist this cleanly are phishing-resistant ones — FIDO2 security keys, Windows Hello for Business, or certificate-based authentication. Most dental practices are not on those yet. That does not mean you are stuck. It means MFA is one layer, and you need at least one more.
This is where managed identity threat detection earns its keep. The signal pattern in the composite above is loud if anyone is watching for it:
Managed ITDR — the Huntress identity product we deploy for dental clients — catches all four of those in minutes, not days. The mailbox-rule anomaly in particular is one of the highest-confidence detections in the entire identity-security category, because legitimate users almost never create rules that hide financial keywords from themselves.
If you only do one technical thing after reading this, get eyes on Microsoft 365 sign-in logs and mailbox rule creation events. That is the layer that matters.
Here is the uncomfortable truth: every BEC wire-fraud case I have walked through could have been stopped by a phone call. Not a tool, a phone call.
The process controls worth more than any technical layer:
If you implement the callback rule and nothing else, you eliminate most of the realistic loss path.
When a wire has already gone out and someone in the practice has figured out what happened, the next four hours decide how much money you get back and how clean the breach response is.
A compromised dental office mailbox is almost never just a mailbox. It contains treatment plans emailed to specialists, X-rays sent to insurers, pre-authorization correspondence, and patient questions answered directly. That is ePHI.
If an attacker had access to that mailbox for any length of time, you have a potential HIPAA breach in addition to the wire-fraud loss. The 60-day breach notification clock starts on the date you reasonably should have known.
This is not a reason to panic, but it is a reason to engage breach counsel and your forensics team early. A defensible HIPAA risk assessment requires the audit log evidence — which is exactly the evidence the rushed "cleanup" reflex destroys.
A wire-fraud loss in a dental practice typically pulls from two parts of the insurance stack at once:
Both should be triggered. Practices sometimes notify only one carrier and leave significant coverage on the table, or notify late and lose coverage entirely. The right answer is to call the broker the same day and let them coordinate.
The reason this article exists is that the practice owners who have lived through this almost always say the same thing afterward: it was not really a technical failure. It was a process failure compounded by a credential-theft event. Both ends needed fixing.
The credential theft is what MDR and ITDR are for — Managed Detection and Response on endpoints, Managed ITDR on Microsoft 365 identities. Those catch the AiTM signature, the foreign sign-in, the mailbox rule, and the token replay before the wire ever goes.
The process failure is what the callback verification policy, the dual-approval rule, and the Managed SAT program are for. Those catch the wire even if the credential theft slips through.
A dental practice that has both layers is a hard target. A practice that has neither is the case study in next month's incident report.
We deploy Huntress Managed ITDR — Protected and Complete tiers — for dental practices specifically because the inbox-rule and foreign-sign-in detections are the highest-leverage controls against this attack pattern. We pair it with Managed SAT focused on payment-redirect scenarios for the office manager and bookkeeper, and a short tabletop on the callback verification policy so that when the moment comes, nobody is making it up in real time.
If you are not sure where your practice stands on the controls above, that is the conversation to have before a Friday afternoon arrives with a $48,000 invoice on it.
Talk to us about Managed ITDR for your practice or review your cyber insurance readiness before renewal.
Last updated: May 14, 2026.
Last updated
May 14, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
Phishing is usually a single bait email trying to steal a credential or drop malware. BEC is what happens after — an attacker who already has a mailbox, or has compromised a supplier's mailbox, uses real, ongoing email threads to redirect a real payment. There is no malicious attachment, no obvious lure, and often no spelling mistakes. The message is coming from a real account, against a real invoice, between people who normally email each other. That is why it gets paid.
No. MFA blocks classic password-stuffing attacks, but adversary-in-the-middle phishing kits like EvilProxy, Tycoon, NakedPages, and Mamba 2FA proxy the real Microsoft login and capture the password and the post-MFA session cookie at the same time. Once the attacker replays that cookie, your tenant treats them as fully authenticated. MFA is necessary, but it is not the finish line.
Callback verification means that any time a vendor changes bank or payment details, your office calls them back on a phone number you already had on file — from the contract or the original onboarding record — not the number in the email signature. That single control catches almost every supplier-impersonation BEC, because the attacker controls the email thread but not the supplier's phone.
Sometimes, if you move fast. The FBI's Financial Fraud Kill Chain process can recall domestic wires that meet certain criteria when reported quickly, and the threshold has been expanded in recent years. The bank and IC3.gov need to be notified the same day — ideally within hours — before the money is layered out through mule accounts.
You should. IC3.gov is the FBI's front door for BEC and wire fraud and is the entry point for the Financial Fraud Kill Chain. Reporting does not require you to be certain about everything that happened. File the initial report quickly with whatever you know, and update later.
Tell them honestly. People assume they are protected by MFA and antivirus, and when a wire goes out the office manager often feels personally responsible. The honest message is that the attacker bypassed MFA with a known technique, the missing layer was the callback policy, and the practice is fixing the process — not blaming the person who hit send.
Usually it splits across two coverages. The wire-fraud loss itself is paid under the crime or social engineering fraud sublimit, which is often capped well below the full cyber limit — typical sublimits run from $25,000 to $100,000. The forensics, mailbox investigation, and any HIPAA breach response are paid under the cyber policy. You want both notified within the carrier's required window, usually 24 to 72 hours.
Related reading
Why ransomware operators target dental practices, how attacks land on Dentrix and Eaglesoft, what a real incident week looks like, and the controls that actually break the chain.
Read articleAn anonymized engagement narrative — what an Identity Threat Detection & Response save actually looks like when an attacker tries to redirect payroll wire instructions over a long weekend.
Read articleLearn how to build a phishing training program for small business employees with realistic simulations, easy reporting, and metrics that matter.
Read article