Emails with BCC - Who / To Whom / Why ?

BCC is interesting, it a hard "thing" to define - is it good, bad .. or just ugly ?

Some define it as a company cultural behaviour

Some define it as a legitimate method for report

Me ... i am Cyber Security specialist, i need to know the following:

Who is sending those BCC emails

To Whom they are sent

and most important: Why ?

Does it have a business need or its a risk ?

BCC is very risky when thinking about "Insider Threats", many companies still have not implemented any data classification tool and their DLP are too weak to actually stop an Insider Threat.

from experience BCC sounds very "simple" but actually from a psychological aspect it is still used in a lot of cases when "you should hide something"

a good example is sending a big email with a lot of recipients + adding your @gmail.com just for the "fun of it"

as a Cyber Security solution provider you need to have visibility, we have created this dashboard via 365 Exchange Online & PowerBI.

it has the instant ability to focus on the top sender , top recipients , see the subject and then if required drill down to the message ID and then use E-Discovery tools to "get the full picture"

Eli Migdal