How Hackers Compromise Business Email Accounts and How to Stop Them

Business email account compromise is consistently one of the most financially damaging categories of cybercrime. It's not sophisticated in the way zero-day exploits are sophisticated — most successful email account compromises rely on techniques that have existed for years. They work because they target people and process gaps rather than technical vulnerabilities, and because even well-run organizations often have weak spots in their email security posture.
Understanding how attackers actually gain access to business email accounts is the most practical starting point for defending against it. Here's what the attacks look like in practice, and what you can do to stop them.
Phishing: The Most Common Entry Point
The majority of business email account compromises start with a phishing message. The attacker sends a convincing email — often appearing to come from a trusted service like Microsoft, Google, DocuSign, or a financial institution — that asks the recipient to click a link and enter their email credentials.
Modern phishing pages are nearly indistinguishable from legitimate login pages. They use HTTPS, mirror branding exactly, and many now use adversary-in-the-middle proxies that intercept and relay credentials in real time — capturing not just passwords but also multi-factor authentication codes in the same session.
The defense here is multi-layered: email filtering to block phishing attempts before they land, security training to help employees recognize warning signs, and hardware-based MFA that can't be phished at the network level.
Password Spraying and Credential Stuffing
Many organizations have employees with weak or reused passwords. Attackers exploit this through two related techniques:
- Credential stuffing: Using username and password pairs from previous data breaches and trying them against email login portals. If an employee reused a password from a breached site for their work account, the attacker simply tries that combination.
- Password spraying: Trying a small number of common passwords — often seasonal patterns like
Summer2026!or variations on the company name — against a large list of email addresses. This avoids triggering lockout policies that watch for many failed attempts against a single account.
The countermeasures: enforce strong, unique passwords for all email accounts (a password manager makes this practical), enable multi-factor authentication without exception, and monitor authentication logs for patterns that suggest automated login attempts.
Compromised Third-Party App Access
Modern business email accounts are connected to many other services. Marketing platforms, CRM tools, calendar integrations, and automation workflows all hold OAuth tokens that grant them read, send, or manage access to email. When any one of those connected applications is compromised, the attacker gains delegated access to every email account linked to it — often without any visible login event.
Reviewing what applications have access to your email is something most organizations never do on a regular basis. Audit the connected apps in your email administration panel. Revoke access to anything that's no longer actively used. Apply least privilege — tools that only need to read email shouldn't have send or delete permissions.
Unencrypted Email Connections
If email traffic is sent over unencrypted connections, an attacker on the same network can intercept credentials and message content. This is most relevant for email clients connecting to mail servers without enforcing TLS, or for legacy configurations that allow plain-text fallback.
Make sure all email client configurations use TLS for both IMAP access (port 993) and SMTP submission (port 587 with STARTTLS or port 465 with SSL). Disable any settings that allow plain-text fallback. At the server level, implementing MTA-STS and TLS-RPT enforces encrypted delivery between mail servers and eliminates the possibility of a downgrade attack.
Social Engineering Against Help Desks
Some attackers bypass technical controls entirely by calling your IT help desk. They impersonate an employee, claim to be locked out or traveling, and ask for a password reset or to have MFA removed from their account. A help desk agent under pressure to assist a "frustrated executive" can inadvertently hand over account access with the best of intentions.
The fix is procedural: require out-of-band identity verification before any account recovery actions. A video call, a pre-established identity challenge, or a callback to a verified phone number on file — any of these adds a meaningful barrier against social engineering. Document the procedure and train help desk staff to follow it without exceptions, regardless of how urgent the requester claims the situation is.
What Attackers Do Once Inside
Once an attacker has access to a business email account, they rarely announce themselves immediately. Instead, they spend time watching. They configure forwarding rules to receive copies of incoming mail. They read historical messages to understand ongoing deals, business relationships, and payment processes. Then they wait for the right moment — usually a pending wire transfer, an invoice from a vendor, or a request involving significant money — and intercept it.
This patient pattern means that early detection matters enormously. Monitoring for suspicious inbox rules (especially rules that forward mail to external addresses and delete the original), unexpected login locations, and messages sent from the compromised account are all critical detection signals.
Signs an Account Has Been Compromised
- Inbox rules the account owner didn't create, particularly forwarding rules pointing to external addresses
- Login events from unusual countries or IP addresses in authentication logs
- Sent messages the account owner doesn't remember sending
- Password change requests or MFA configuration changes not initiated by the user
- Reports from contacts about suspicious or unusual email arriving from the account
Building Defenses Into Your Email Setup
The most effective defenses combine technical controls with organizational practices:
- Enable phishing-resistant MFA on all accounts. Hardware security keys and passkeys are ideal; TOTP authenticator apps are acceptable. SMS-based MFA is better than nothing but can be bypassed.
- Audit connected applications at least quarterly. Remove anything unused or with permissions broader than its function requires.
- Monitor authentication logs. Failed login spikes, logins from unusual locations, and new inbox rules created outside business hours all warrant investigation.
- Train employees to recognize phishing and to verify unexpected financial or access requests through a secondary channel before acting.
- Implement DMARC to prevent spoofing attacks targeting your domain. An attacker who can't convincingly impersonate your domain has a significantly harder time targeting people who trust your organization.
For a complete picture of email security configuration, including authentication setup and encryption, the MailDog DNS security guide is a good starting point. Explore the MailDog blog for related resources on MFA, email encryption, and DMARC. If you need help securing your email infrastructure, the MailDog team is available to assist.


