
Phishing and BEC — PIPEDA, Alberta & BC PIPA

By Yong Du · Updated May 18, 2026

Phishing and BEC breach response for Canadian organizations — compromised email accounts, RROSH (real risk of significant harm) assessment, and reporting obligations under PIPEDA and PIPA.


This playbook is not legal advice. It provides general guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.

What makes this scenario different

Ransomware announces itself. Phishing and business email compromise often do not.

A ransomware attack is discovered when files are encrypted — the breach is visible, the scope is defined by the affected systems, and containment begins immediately. A phishing attack may be discovered days or weeks after the fact, when someone notices a suspicious login alert, a fraudulent email sent from a colleague's account, or money that never arrived. By then, an attacker may have had ongoing access to an email inbox for an extended period, and establishing exactly what they accessed is difficult.

This creates two challenges specific to phishing and BEC. The first is access probability: unlike ransomware where unauthorized access to your environment is confirmed, phishing may have resulted in credential theft without confirmed account login. The RROSH assessment turns on whether the attacker actually logged in — and the answer is often unresolvable. The second is scope underestimation: organizations consistently underestimate how much personal information is in a business email inbox. Client correspondence, HR communications, invoices, contracts, and documents shared by email accumulate over months or years. A compromised inbox is almost always a more serious breach than it initially appears.

This playbook covers both phishing (credential theft via fraudulent login page or malicious attachment) and business email compromise (attacker gains access to an email account and uses it for fraud or data access). For RROSH assessment and regulatory reporting purposes, both are assessed the same way.


Immediate containment — this scenario only

Email-specific containment must happen before anything else. A password reset alone is not sufficient — it is the most commonly misunderstood step in phishing incident response.

  • Reset the compromised account password immediately — this prevents new logins using stolen credentials
  • Revoke all active sessions — in Microsoft 365 (Entra ID) or Google Workspace, sign out all active sessions for the compromised account; a password reset does not terminate sessions already in progress
  • Check for email forwarding rules — attackers routinely set up forwarding rules that redirect copies of incoming mail to an external address; these persist after a password reset; check in the mail admin console, not just the account settings
  • Check for inbox rules — attackers may create rules to delete incoming messages, move emails to obscure folders, or hide replies; audit the full rules list
  • Revoke OAuth application authorizations — phishing pages often harvest OAuth tokens rather than passwords; review and revoke all third-party application authorizations on the compromised account
  • Identify connected systems — what other platforms does the compromised account have access to? Teams, SharePoint, OneDrive, cloud CRM, cloud storage — document each one and assess whether unauthorized access occurred
  • Pull audit logs immediately — Microsoft 365 and Google Workspace audit logs record login events, IP addresses, and locations; pull these before they roll off the retention window; they are essential for your RROSH assessment
  • Notify your cyber insurer — before undertaking extended remediation; most policies require early notification
  • Check sent mail — determine whether the attacker used the account to send phishing emails to your contacts; if so, those individuals may also have been targeted

Do not treat a password reset as breach containment. The forwarding rule and OAuth authorization checks are not optional — they are the most common way an attacker maintains access after a credential reset.


What drives RROSH in phishing and BEC

Access probability is the central question — and it is often unresolvable.

Unlike ransomware, you may not be able to confirm whether the attacker logged into the compromised account. Microsoft 365 and Google Workspace audit logs can show login events, but logs are not always complete, retention periods vary, and some login events may not be captured. If your audit logs do not affirmatively rule out access, the High Watermark rule applies: treat access as having occurred.

The High Watermark rule for phishing and BEC: if you cannot confirm through audit logs that no login occurred following credential theft, the RROSH assessment proceeds as if access occurred. This is consistent with how the OPC and OIPC treat unresolvable access uncertainty. "We couldn't confirm whether they logged in" is not a basis for concluding no breach occurred.

Email accounts contain more personal information than account holders expect.

A business email inbox typically contains:

  • Client correspondence — names, addresses, contact details, transaction histories, sometimes financial or health information
  • HR communications — employee salaries, performance matters, accommodation requests, personal details
  • Invoices and payment records — financial account details, billing information
  • Contracts and vendor agreements — personal information of named parties
  • Documents shared by email — PDFs, spreadsheets, and attachments with personal information the account holder may not remember receiving

Do not assess the inbox based on what you sent recently. Assess based on everything in the account — sent, received, drafts, and attachments — over the full period of potential access.

Malicious intent is confirmed. Phishing is always deliberate. This is a weighted RROSH factor under PIPEDA and both provincial PIPA laws.

Duration of access is a significant amplifier. A two-hour access window has different implications than a three-week period of ongoing access. Establish the full timeline: when did the attacker obtain credentials, when is the earliest evidence of login, when was the account fully secured including forwarding rules and OAuth revocations.

MFA status is the primary mitigating factor. If MFA was in place and the authentication event required a second factor the attacker did not have, credential theft does not produce account access. However, modern phishing attacks increasingly use real-time proxy techniques that capture both the password and the MFA token simultaneously. Confirm that MFA was in place and that audit logs show a failed MFA challenge — not just that MFA was enabled in policy.
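The timeline, unrecognized-login and persistence checks described above, worked as an added example that is not ClearBreach's code: it runs over constructed records shaped like a Microsoft 365 unified audit log export (CreationDate, Operations, AuditData JSON, with Exchange Online operation and parameter names), applies the High Watermark rule when no login is observed, and flags forwarding and delete rules that would survive a password reset. The IP addresses, timestamps and mailbox are made up.

```python
import json
from datetime import datetime, timezone

# Constructed records in the shape of a Search-UnifiedAuditLog export row
# (CreationDate, Operations, AuditData JSON); none of this is real tenant data.
def rec(ts, op, **data):
    return {"CreationDate": ts, "Operations": op, "AuditData": json.dumps(data)}

SAMPLE_EXPORT = [
    rec("2026-05-01T09:12:00", "UserLoggedIn", ClientIP="203.0.113.45", ResultStatus="Success"),
    rec("2026-05-01T09:15:00", "New-InboxRule", ClientIP="203.0.113.45",
        Parameters=[{"Name": "ForwardTo", "Value": "drop@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]),
    rec("2026-05-02T13:12:00", "UserLoggedIn", ClientIP="203.0.113.45", ResultStatus="Success"),
    rec("2026-05-02T14:03:00", "Set-Mailbox", ClientIP="203.0.113.45",
        Parameters=[{"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@example.net"}]),
    rec("2026-05-03T08:00:00", "UserLoggedIn", ClientIP="198.51.100.7", ResultStatus="Success"),
]
KNOWN_IPS = {"198.51.100.7"}  # constructed: the organization's own egress addresses
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

def analyse(export, known_ips, logs_complete):
    """Return the access timeline, persistence mechanisms and the access finding."""
    logins, persistence = [], []
    for r in export:
        data = json.loads(r["AuditData"])
        when = datetime.fromisoformat(r["CreationDate"]).replace(tzinfo=timezone.utc)
        op, ip = r["Operations"], data.get("ClientIP")
        # Successful sign-ins from addresses the organization does not recognise
        if op == "UserLoggedIn" and data.get("ResultStatus") == "Success" and ip not in known_ips:
            logins.append((when, ip))
        # Rule and mailbox changes that keep mail flowing out (or hide it) after a reset
        params = {p["Name"]: p["Value"] for p in data.get("Parameters", [])}
        hits = {k: v for k, v in params.items() if k in FORWARDING_PARAMS}
        if params.get("DeleteMessage") == "True":
            hits["DeleteMessage"] = "True"
        if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox") and hits:
            persistence.append((when, op, hits))
    if logins:
        first, last = min(logins)[0], max(logins)[0]
        finding = "CONFIRMED_ACCESS"
    else:
        first = last = None
        # No login in the export only rules access out when the export is complete;
        # otherwise the High Watermark rule applies and access is assumed.
        finding = "NO_ACCESS_CONFIRMED" if logs_complete else "UNRESOLVABLE_TREAT_AS_ACCESS"
    return {
        "finding": finding,
        "first_unrecognized_login": first,   # window start: earliest attacker sign-in
        "last_unrecognized_login": last,     # window end: last sign-in, not rule removal
        "access_window_hours": (last - first).total_seconds() / 3600 if logins else 0.0,
        "unrecognized_ips": sorted({ip for _, ip in logins}),
        "persistence": persistence,          # non-empty means a reset alone did not contain it
    }

if __name__ == "__main__":
    for k, v in analyse(SAMPLE_EXPORT, KNOWN_IPS, logs_complete=True).items():
        print(f"{k}: {v}")
```

Any entry in `persistence` that is not followed by a matching removal means the account was not secured at the time of the last login, so the access window for the RROSH timeline should be extended to when the rule was actually removed.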


Likely verdict range

RROSH in most cases where account access cannot be ruled out through audit logs.

BELOW_RROSH is achievable where either (a) audit logs affirmatively confirm no login occurred after credential theft, or (b) MFA was in place and a failed MFA challenge is documented, meaning credential theft did not produce account access; and in either case (c) credentials were changed before any window for account login opened.

RROSH is the expected outcome where:

  • Audit logs are unavailable, incomplete, or do not confirm non-access
  • The compromised account was accessible for any confirmed period
  • MFA was not in place or the MFA challenge was bypassed
  • The inbox contained client records, HR information, financial data, health information, or credentials

The most common RROSH scenario: an employee enters credentials on a phishing page, the organization detects the incident two days later, audit logs show an unrecognized login from an overseas IP address, and the inbox contains years of accumulated client correspondence. This is RROSH regardless of inbox size or how long the attacker was active.


Scenario-specific obligations and complications

Forwarding rules survive password resets — always check. This is the most commonly overlooked containment failure in phishing incidents. An attacker who sets up a mail forwarding rule to an external address continues receiving a copy of every incoming email after the password is reset. Check the mail admin console — not just the account settings — before concluding the breach is contained. A forwarding rule discovered after individual notifications have been sent means the breach scope was understated in your original report.

The scope extends to connected systems. A compromised Microsoft 365 or Google Workspace account is not just an email account. It is a gateway to Teams, SharePoint, OneDrive, connected SaaS applications, and any system where the same credentials are used. Document all connected systems and assess access for each one. The breach scope is frequently significantly wider than the inbox alone.

Your contacts may have been targeted. If the attacker used the compromised account to send phishing emails to your clients or contacts — using your identity and your email history to make the message credible — those individuals may have been deceived or their own accounts compromised. This extends your notification obligations beyond individuals whose personal information was stored in your inbox.

BEC fraud triggers parallel obligations. If the compromise was used for wire transfer fraud, invoice fraud, or payroll diversion, you have obligations to your financial institution, your insurer, and potentially financial regulators, in addition to your privacy reporting obligations. These run in parallel — do not delay privacy reporting while the fraud investigation is ongoing.

BC PIPA applies to Alberta organizations with BC clients or employees. If any personal information accessible in the compromised inbox belongs to BC residents — clients, employees, or contractors based in BC — BC PIPA applies to that information. A third regulatory notification (OIPC BC) is required in addition to the OPC PIPEDA report and any OIPC Alberta submission.

Alberta PIPA simultaneous notification. Notify affected individuals simultaneously with your OIPC Alberta submission to qualify for the streamlined review process and a private closing letter. Do not delay individual notification to await direction from the regulator.


Documents you will need

For a phishing or BEC breach where RROSH is confirmed:

  • Internal Incident Record — always required; begin immediately; retain for 24 months minimum
  • OPC PIPEDA Breach Report — required if PIPEDA RROSH threshold is met; file as soon as feasible after RROSH determination
  • OIPC Alberta PIPA Notification Form — required if Alberta PIPA applies and RROSH is met; email to breachnotice@oipc.ab.ca
  • OIPC BC Notification — required if BC PIPA applies and RROSH is met; submit through the OIPC BC's breach notification process
  • Individual Notification Letter — required for all affected individuals where individual notification obligation fires
  • AB PIPA Individual Notice (s.19.1) — required for Alberta PIPA individual notification; attach to your OIPC Alberta submission

ClearBreach generates all of these automatically from your assessment answers.


Common mistakes — phishing and BEC specifically

Treating password reset as full containment. Resetting the password does not revoke active sessions, remove forwarding rules, or revoke OAuth authorizations. Organizations that reset the password and close the ticket are the ones who discover weeks later that a forwarding rule has been routing client emails to an external address the entire time.

Not pulling audit logs before they expire. Microsoft 365 audit log retention defaults vary by license tier — some plans retain logs for 90 days, some for less. Google Workspace audit logs have similar retention windows. Pull the logs immediately after the incident is identified. Once they roll off the retention window, establishing access probability becomes significantly harder.

Underestimating inbox content. The instinct is to think about what you personally sent in the last week. The correct assessment covers everything in the inbox — sent, received, drafts, and attachments — over the full period of potential access, which may span months or years. This assessment consistently produces a wider scope than the initial estimate.

Treating credential theft without confirmed login as no breach. If audit logs affirmatively confirm no login occurred, you may be below RROSH. If they are unavailable, incomplete, or silent on the question, you are in unresolvable uncertainty — and the High Watermark applies. These are different outcomes and must not be conflated.

Forgetting connected systems. The email account is the entry point. The breach scope is the full set of systems accessible from that account. An organization that reports only "one email account was compromised" without auditing SharePoint, OneDrive, or connected applications may be significantly under-reporting the actual scope.


MSP note

If you are an MSP and a client's email environment was compromised — whether through a direct phishing attack on the client or through your own management credentials — your obligations depend on whether you can access personal information through your administrative role.

If you hold administrative access to the client's Microsoft 365 or Google Workspace environment, execute containment immediately: session revocation, forwarding rule audit, OAuth authorization review, and audit log pull. Do this regardless of who is leading the broader breach response. These steps are time-sensitive and should not wait for client direction.

If the phishing attack targeted your MSP credentials and used your access to reach the client's environment, you are a direct party to the breach — not just a service provider. Confirm this determination before advising the client, and document it clearly in your incident record.

Confirm with your client who leads regulatory notification before acting unilaterally. Your service agreement should define this. Run the ClearBreach assessment under your MSP account for the affected client organization to establish the RROSH verdict before advising the client on their obligations.


Related guides

  • PIPEDA Breach Reporting Requirements — full coverage of the federal RROSH threshold, OPC reporting obligations, individual notification requirements, and the 24-month record-keeping rule
  • Alberta PIPA Breach Notification — Alberta-specific obligations, OIPC Alberta submission process, and the April 2024 simultaneous notification streamlined review process
  • BC PIPA Breach Reporting — BC-specific obligations, voluntary regulator reporting distinction, and OIPC BC submission guidance

Ready to assess this breach? ClearBreach walks you through 18–23 questions and generates your assessment verdict, regulator reports, and individual notification letters automatically — in under 15 minutes. Start your assessment →

Frequently asked questions

Is a phishing attack a reportable data breach in Canada?

Yes, if personal information in the compromised account was accessible and a real risk of significant harm is present. The assessment turns on two questions: was the email account actually accessed after credentials were stolen, and what personal information was in the inbox? Business inboxes almost universally contain personal information. If access cannot be confirmed or ruled out through audit logs, regulators expect you to treat access as having occurred.

What if my password was stolen but I don't think the attacker actually logged in?

If your Microsoft 365 or Google Workspace audit logs do not show a login from an unrecognized location, that is meaningful — but only if you pull and review the logs. If audit logs are unavailable or do not affirmatively rule out access, ClearBreach applies High Watermark scoring and treats access as having occurred. This is consistent with how the OPC and provincial commissioners approach unresolvable access probability under PIPEDA and both provincial PIPA laws.

How much personal information is typically in a business email account?

More than most account holders expect. A typical business inbox contains client correspondence with names, contact details, and transaction history; HR communications with employee salaries and personal details; invoices and contracts with financial information; and documents shared by email. Even an inbox that appears routine typically holds significant personal information. Assume the scope is wider than your initial estimate and document your assessment.

What is the difference between phishing and BEC for PIPEDA reporting purposes?

Both are assessed the same way for RROSH — the question is whether personal information was accessible in the compromised account or connected systems. BEC adds a fraud dimension (wire transfer fraud, invoice fraud) that may trigger separate obligations to your financial institution and insurer, but those are parallel to, not instead of, your privacy reporting under PIPEDA and PIPA. The RROSH assessment process is identical for both.

Does resetting the password close a phishing breach?

No. A password reset blocks new login attempts but does not terminate existing active sessions, remove forwarding rules the attacker may have set up, revoke OAuth application authorizations, or undo access that already occurred. Before concluding the breach is contained: revoke all active sessions, check the mail admin console for forwarding and inbox rules, and audit connected third-party application authorizations. Each of these can maintain attacker access after a password reset.
