All articles Email Security

Detecting Compromised Email Accounts: Warning Signs and Response Steps

SSam wallness07 Jul 2026
Detecting Compromised Email Accounts: Warning Signs and Response Steps

A compromised email account is one of the most damaging security incidents a business can face. It's not just the email that's at risk — most business inboxes are the master key to everything else: password resets, financial notifications, internal conversations, document sharing. Once an attacker controls someone's mailbox, they can move laterally through your systems with minimal friction.

The problem is that email account compromise often goes undetected for weeks. Attackers are patient. They read email quietly, learn communication patterns, and wait for the right opportunity — a wire transfer request, an invoice substitution, a vendor payment. By the time the attack surfaces visibly, significant damage may already be done.

This guide covers the warning signs that indicate a compromised email account, how to investigate effectively, and the immediate steps to take when you find one.

Common Warning Signs of Email Account Compromise

Logins from unexpected locations or times

Most email hosting platforms and admin panels log access history including IP addresses and rough geographic locations. A user whose account normally shows logins from one city, but suddenly shows access from an unfamiliar country at 3am, is a clear signal worth investigating. Review login history in your email admin panel regularly — monthly at minimum, and immediately whenever a user reports something unusual.

Mail rules and filters the account owner didn't create

This is the most common tactic attackers use to maintain long-term access. After gaining entry to an account, they create a forwarding rule that silently copies all incoming email to an external address they control, or filters that delete or auto-mark as read messages about specific subjects — bank notifications, security alerts, anything that might reveal the compromise.

Check the rules and filters section of any suspected account. Look for rules forwarding to unknown external addresses, automatically deleting messages, or routing messages from specific senders to obscure folders. Rules the account owner doesn't recognize should be treated as evidence of compromise until proven otherwise.

Messages in Sent the user didn't write

Attackers frequently use compromised accounts to send phishing or social engineering messages to internal and external contacts. If colleagues report receiving suspicious emails "from" someone, or if Sent folder contents don't match what the account owner recalls sending, investigate immediately. Business email compromise (BEC) attacks work precisely this way — the attacker impersonates the legitimate account to request payments or sensitive data transfers from people who trust the sender.

Password reset emails nobody requested

If an account receives password reset confirmation emails for external services the user didn't initiate, someone is using that email address as a recovery account to attempt takeovers of linked services. Combined with other signals, this is a strong indicator of active compromise.

A user suddenly locked out of their own account

If an attacker changes the account password after gaining access, the legitimate user is immediately locked out. Someone who can't log in to an account they were using normally an hour ago should trigger an immediate investigation — not just a routine password reset without further review.

How to Investigate a Suspected Compromise

When you suspect an account is compromised, act quickly but gather evidence before making changes that destroy forensic information.

  1. Document before deleting. Export or screenshot the login history and active sessions. Record any suspicious mail rules before removing them — you'll want this information for incident documentation and possibly for law enforcement.
  2. Review and terminate active sessions. Most email admin panels let you view and terminate all active sessions. Document the IP addresses and timestamps, then terminate sessions you don't recognize.
  3. Examine Sent mail for the past 30 days. Look for messages to unknown external recipients, unusual file attachments, requests for payments, or any communication that could indicate impersonation of the account owner.
  4. Check connected apps and OAuth grants. Attackers sometimes authorize a malicious third-party app to access the mailbox, which survives a password reset entirely. Review OAuth connections and revoke any the account owner doesn't recognize.
  5. Notify affected parties promptly. If the compromised account sent phishing messages to colleagues or contacts, notify them immediately so they don't fall for follow-on attacks using information gathered from the breached inbox.

Immediate Remediation

Once you've documented what you can, take these steps in order:

  • Reset the account password to a strong, unique credential
  • Enable or enforce multi-factor authentication on the account — this single control prevents the vast majority of credential-based future compromises
  • Remove all unauthorized mail rules, forwarding settings, and filters
  • Revoke unrecognized OAuth app connections
  • Terminate all active sessions and require a fresh login
  • Review connected services — cloud storage, project management tools, other SaaS products — for any unauthorized access using the compromised credentials

Prevention: Making Compromise Harder to Achieve and Harder to Sustain

Detection is important, but prevention is the more valuable investment:

  • MFA on every account: A stolen password alone isn't sufficient to access an MFA-protected account. This control blocks the majority of credential-based attacks before they reach the inbox.
  • Login anomaly alerts: Configure your email admin system to flag logins from new locations or unusual times. Many providers include this natively — turn it on if it isn't already active.
  • Quarterly access reviews: Periodically review mail rules, forwarding settings, and connected app authorizations across all accounts. Unauthorized configurations are much easier to spot during a structured review than in the middle of an incident.
  • User awareness: Train your team to report suspicious emails immediately rather than waiting to see if the issue resolves itself. For a fuller look at building this kind of security culture, see our guide to email security awareness training.

Email account compromise succeeds because it's quiet. Attacks work specifically because they don't trigger obvious alarms. Regular access monitoring, fast response procedures, and strong authentication controls raise the cost of sustained access high enough that most attackers move on to easier targets.

For domain-level protections against phishing and spoofing — including DMARC, SPF, and DKIM monitoring — visit MailDog's DNS security center. If you need guidance on hardening your organization's email setup, our team is available to help.

Related articles

How Hackers Compromise Business Email Accounts and How to Stop Them
Email Security
Sam wallness

How Hackers Compromise Business Email Accounts and How to Stop Them

Business email account compromise doesn't require exotic hacking techniques — most attacks succeed through phishing, reused passwords, and social engineering. This guide covers how attackers actually get into business email accounts, what they do once inside, and what defenses actually work.

Read article