Email Security

How to Detect Email Account Compromise and Contain the Damage

June 2, 2025 · 6 min read · ProSIGHT Security

Email account compromise is the most common breach vector for small businesses. Learn how to detect when an account has been compromised and what to do in the first hours.

Warning Signs of Email Compromise

Email compromise often goes undetected for weeks because attackers are subtle. They log in quietly and start reading emails, changing forwarding rules, or posing as the user to send phishing emails. The first signs are usually indirect: customers calling to say they got weird messages from your employee, IT noticing login attempts from unusual locations, or the user finding they cannot log in because their password has been changed.

Check your email logs for these red flags: login attempts from foreign countries, new forwarding rules you did not set up, newly created email rules that auto-delete messages, or changes to recovery email addresses and phone numbers.
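The red flags above can be checked mechanically once you have the account's sign-in and audit events in hand. The script below is an added example, not code from ProSIGHT Security: it runs over a small constructed log (a generic, vendor-neutral event shape that is an assumption here, not any provider's actual export format) and reports successful sign-ins from outside the user's baseline countries, a success that follows a run of failures from the same IP, inbox rules that forward mail outside the organisation or auto-delete messages, and any change to recovery contact details.

```python
"""Added example: triage a constructed email audit log for the red flags in the
article. The event schema, domain and baseline country are assumptions."""
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"      # assumed organisation mail domain
BASELINE_COUNTRIES = {"US"}     # assumed: where this user normally signs in from

# Constructed sample events (not real data). Each event has ts, user, op plus op-specific fields.
SAMPLE_EVENTS = [
    {"ts": "2025-05-28T08:02:10Z", "user": "pat@example.com", "op": "SignIn", "result": "Success", "country": "US", "ip": "203.0.113.10"},
    {"ts": "2025-05-30T02:14:03Z", "user": "pat@example.com", "op": "SignIn", "result": "Failure", "country": "NG", "ip": "198.51.100.7"},
    {"ts": "2025-05-30T02:14:41Z", "user": "pat@example.com", "op": "SignIn", "result": "Failure", "country": "NG", "ip": "198.51.100.7"},
    {"ts": "2025-05-30T02:15:20Z", "user": "pat@example.com", "op": "SignIn", "result": "Success", "country": "NG", "ip": "198.51.100.7"},
    {"ts": "2025-05-30T02:18:00Z", "user": "pat@example.com", "op": "NewInboxRule", "name": "sync", "forward_to": "pat.backup@mail.example.org", "delete": False},
    {"ts": "2025-05-30T02:19:30Z", "user": "pat@example.com", "op": "NewInboxRule", "name": ".", "forward_to": None, "delete": True, "subject_contains": "invoice"},
    {"ts": "2025-05-30T02:21:05Z", "user": "pat@example.com", "op": "UpdateRecoveryInfo", "field": "recovery_phone", "old": "+1-555-0100", "new": "+1-555-0199"},
    {"ts": "2025-05-30T09:00:00Z", "user": "pat@example.com", "op": "NewInboxRule", "name": "Newsletters", "forward_to": None, "delete": False, "move_to": "Reading"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_external(address):
    """True when the address is outside ORG_DOMAIN (subdomains count as external)."""
    return address is not None and not address.lower().endswith("@" + ORG_DOMAIN)


def flag_signins(events, baseline=BASELINE_COUNTRIES, window=timedelta(minutes=10)):
    """Successful sign-ins from outside the baseline countries, plus any success that
    follows failures from the same IP within `window` (a guessed or sprayed password)."""
    findings = []
    signins = sorted((e for e in events if e["op"] == "SignIn"), key=lambda e: parse_ts(e["ts"]))
    for i, e in enumerate(signins):
        if e["result"] != "Success":
            continue
        reasons = []
        if e["country"] not in baseline:
            reasons.append(f"sign-in from {e['country']}, outside baseline {sorted(baseline)}")
        prior_failures = [p for p in signins[:i]
                          if p["result"] == "Failure" and p["ip"] == e["ip"]
                          and parse_ts(e["ts"]) - parse_ts(p["ts"]) <= window]
        if prior_failures:
            reasons.append(f"success after {len(prior_failures)} failures from {e['ip']}")
        if reasons:
            findings.append({"ts": e["ts"], "ip": e["ip"], "reasons": reasons})
    return findings


def flag_inbox_rules(events):
    """Rules that forward mail outside the organisation or silently delete messages.
    A blank or one-character rule name is a heuristic hint (assumed, not from the article)
    that the rule was created to be overlooked."""
    findings = []
    for e in events:
        if e["op"] != "NewInboxRule":
            continue
        reasons = []
        if is_external(e.get("forward_to")):
            reasons.append(f"forwards to external address {e['forward_to']}")
        if e.get("delete"):
            reasons.append("auto-deletes matching messages")
        if len(e["name"].strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        if reasons:
            findings.append({"ts": e["ts"], "rule": e["name"], "reasons": reasons})
    return findings


def flag_recovery_changes(events):
    """Every change to a recovery address or phone number is worth a human look."""
    return [{"ts": e["ts"], "field": e["field"], "old": e["old"], "new": e["new"]}
            for e in events if e["op"] == "UpdateRecoveryInfo"]


def triage(events, baseline=BASELINE_COUNTRIES):
    return {
        "signins": flag_signins(events, baseline),
        "rules": flag_inbox_rules(events),
        "recovery": flag_recovery_changes(events),
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_EVENTS).items():
        print(category)
        for item in items:
            print("  ", item)
```

On the constructed log this reports the Nigerian sign-in (both outside the baseline and preceded by two failures from the same IP), the two rules created minutes later (one forwarding to an external mailbox, one named "." that deletes anything mentioning invoices) and the recovery phone change, while leaving the ordinary "Newsletters" rule alone. Adapt `BASELINE_COUNTRIES` per user, and treat the output as a triage list for a person to confirm rather than an automatic verdict.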

Immediate Containment Steps

If you confirm an account was compromised, change the password immediately from a device you trust. Remove any suspicious forwarding rules, delete unexpected email rules, and update recovery email addresses and phone numbers. Force sign-out of all active sessions so that any attacker loses access.

Check the inbox for sensitive information that may have been read. If the attacker had access for days, they may have gathered customer lists, financial data, or vendor information. Review Sent items carefully - attackers often send phishing emails from the compromised account to contacts.
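Reviewing Sent items by hand is slow when the attacker has already mailed the whole contact list. The script below is an added example, not the article's own material: it takes constructed Sent-item metadata (the field names are an assumption), groups messages by subject, and flags any subject that went to many distinct external recipients inside a short window, then produces the list of contacts to warn.

```python
"""Added example: find bursts of near-identical outbound mail in a compromised
mailbox's Sent items and list the external contacts to notify. The item schema,
organisation domain and sample data are all constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"   # assumed organisation mail domain

# Constructed Sent-item metadata (not real mail): one normal exchange with a supplier
# and a burst of identical messages to customers at 02:30 local time.
SENT_ITEMS = [
    {"ts": "2025-05-29T15:10:00Z", "to": "vendor@supplier.example.net", "subject": "PO 4471 delivery date"},
    {"ts": "2025-05-30T02:30:05Z", "to": "alice@client-one.example.net", "subject": "Updated invoice - please review"},
    {"ts": "2025-05-30T02:30:40Z", "to": "bob@client-two.example.net", "subject": "Updated invoice - please review"},
    {"ts": "2025-05-30T02:31:12Z", "to": "carol@client-three.example.net", "subject": "Updated invoice - please review"},
    {"ts": "2025-05-30T02:31:55Z", "to": "dan@client-four.example.net", "subject": "Updated invoice - please review"},
    {"ts": "2025-05-30T02:32:30Z", "to": "finance@example.com", "subject": "Updated invoice - please review"},
    {"ts": "2025-05-30T02:33:08Z", "to": "erin@client-five.example.net", "subject": "Updated invoice - please review"},
    {"ts": "2025-05-30T02:34:50Z", "to": "frank@client-six.example.net", "subject": "Updated invoice - please review"},
    {"ts": "2025-05-30T09:45:00Z", "to": "vendor@supplier.example.net", "subject": "Re: PO 4471 delivery date"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_external(address):
    return not address.lower().endswith("@" + ORG_DOMAIN)


def find_outbound_bursts(items, window=timedelta(minutes=15), min_recipients=5):
    """Group Sent items by normalised subject. A group is a burst when some sliding
    window of length `window` contains at least `min_recipients` distinct external
    recipients; every external recipient of that subject is then reported."""
    by_subject = defaultdict(list)
    for m in items:
        by_subject[m["subject"].strip().lower()].append(m)

    bursts = []
    for msgs in by_subject.values():
        external = sorted((m for m in msgs if is_external(m["to"])), key=lambda m: parse_ts(m["ts"]))
        times = [parse_ts(m["ts"]) for m in external]
        start = 0
        for end in range(len(external)):
            # advance the window start until the window fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            distinct = {m["to"] for m in external[start:end + 1]}
            if len(distinct) >= min_recipients:
                bursts.append({
                    "subject": msgs[0]["subject"],
                    "first": external[0]["ts"],
                    "last": external[-1]["ts"],
                    "recipients": sorted({m["to"] for m in external}),
                })
                break
    return bursts


def contacts_to_notify(items, **kwargs):
    """Deduplicated list of external addresses that received a burst message."""
    return sorted({r for b in find_outbound_bursts(items, **kwargs) for r in b["recipients"]})


if __name__ == "__main__":
    for b in find_outbound_bursts(SENT_ITEMS):
        print(f"{b['subject']!r}: {len(b['recipients'])} external recipients, {b['first']} to {b['last']}")
    print("notify:", contacts_to_notify(SENT_ITEMS))
```

With the defaults this flags the "Updated invoice" subject (six external recipients in under five minutes) and ignores the supplier thread; raising `min_recipients` or shrinking `window` tunes the sensitivity for a given mailbox. The internal copy to finance@example.com is not counted as a recipient to warn but is still worth checking, since it is a likely next hop for the attacker.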

Prevention for the Future

Require multi-factor authentication (MFA) for all email accounts, especially those in accounting, HR, or management. MFA blocks attackers from logging in even if they have the password. Implement conditional access policies that flag logins from unusual locations or devices.

Schedule email security training for your team, focusing on the real-world tactics attackers use: phishing emails that look like they come from your vendor, password reset links in fake emails, and social engineering calls asking for passwords. This training becomes your best defense against compromise.