This article outlines the steps to identify a compromised mailbox and secure it to prevent future risks.
If you suspect that your mailbox has been compromised, we recommend that you reset the password and then follow the steps outlined below.
Reset the Password
Determine if the mailbox has been:
Spoofed
Compromised
Secure a Compromised mailbox
How to prevent risks in the future
Reset the Password
Symptoms of a Spoofed Mailbox
You or your contacts are receiving emails from your email address that you didn’t send. This means that a spammer is sending email with your email address in the From field by forging message headers. If you want to make sure that the messages were not sent from your mailbox, you can contact support to analyze the headers and perform message tracking.
You are receiving bounce back messages for the emails that you didn’t send. If a message gets returned to the sender, it goes to the actual holder of the From address, regardless of who sent it. To make sure that the messages were not sent from your mailbox, you can contact support to perform message tracking, as outlined in the first step. Please refer to this article for more information about spoofing and ways to prevent it.
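The header analysis mentioned above can be sketched as follows. This is an added example, not part of the original article or of any support tool; the names example.com (your mail domain), mx.example.net (the receiving server whose verdicts you trust) and the function names are assumptions, the sample messages are constructed, and the SPF envelope comparison is a simplified exact-domain match.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages; example.com stands in for your mail domain and
# mx.example.net for the receiving server whose verdicts you trust.
SPOOFED = (
    "Return-Path: <bounce@mailer.invalid>\n"
    "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.invalid;"
    " dkim=none; dmarc=fail header.from=example.com\n"
    "From: Alice <alice@example.com>\nSubject: Invoice\n\nbody\n"
)
GENUINE = (
    "Return-Path: <alice@example.com>\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "From: Alice <alice@example.com>\nSubject: Invoice\n\nbody\n"
)
# Same forgery, but carrying a "passing" verdict header from an untrusted server.
FORGED_VERDICT = SPOOFED.replace(
    "mx.example.net; spf=fail", "mx.untrusted.invalid; spf=pass"
).replace("dmarc=fail", "dmarc=pass")


def addr_domain(header_value):
    """Domain part of an address header, lowercased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw, my_domain, trusted_authserv):
    """Classify a message that claims to come from my_domain."""
    msg = email.message_from_string(raw)
    if addr_domain(msg["From"]) != my_domain:
        return "not-your-address"
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        # Only the receiving server's own header counts; any other may be forged.
        if authserv.strip().lower().split()[:1] == [trusted_authserv]:
            verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()))
    envelope_ok = (verdicts.get("spf") == "pass"
                   and addr_domain(msg["Return-Path"]) == my_domain)
    if verdicts.get("dmarc") == "pass" or envelope_ok:
        return "authenticated"  # left via your domain's mail system: check the mailbox
    if verdicts.get("dmarc") == "fail":
        return "spoofed"        # forged From header; the mailbox is not implicated
    return "inconclusive"       # no trusted verdict: ask support for message tracking
```

An "authenticated" result is consistent with a compromised mailbox but does not prove it; message tracking confirms whether the message actually left your mailbox.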
Symptoms of a Compromised mailbox
You are receiving bounce back messages for the emails that you didn’t send. It could also mean that your email address is being spoofed. This means that a spammer is sending email with your email address in the From field. If a message gets returned to the sender, it goes to the actual holder of the From address, regardless of who sent it. If you want to make sure that the messages were not sent from your mailbox, you can contact support to perform message tracking.
Other users are receiving emails from you that you didn’t send. A common scenario is when the messages in question can’t be located in the Sent items folder because the hacker already deleted them. As outlined in the previous step, you can contact support to track the messages.
Some emails are deleted or moved to a different folder. This might indicate that the hacker moved the emails manually or created mailbox rules that move the messages.
Mail forwarding has been added. Setting up email forwarding via an Outlook rule is a common tactic used by hackers because the rule is immune to typical responses such as resetting the user’s password.
Steps to secure a Compromised mailbox
Scan all devices for viruses and malware. We recommend performing another scan after the password reset: until the malware is found and removed, hackers may still have access to your device and may retrieve your newly reset password.
Disable any suspicious mailbox rules:
For Outlook 2013/2016/2019: Home > Rules > Manage Rules & Alerts.
For OWA 2013: Gear icon > Options > Organize email > Inbox rules.
For OWA 2016/2019: Settings (gear icon) > Options > Mail > Inbox and sweep rules.
Alert your coworkers and contacts. If you are not the account administrator for your company, you should alert your administrator immediately.
How to prevent risks in the future
Make sure that the new password is strong enough. A strong password should be long and contain both upper case and lower case letters as well as numbers and special characters. For more information about Company password complexity standards, click here.
Enable Two-Factor Authentication (2FA). Protect your privacy with an additional layer of security.
Use antivirus software. Make sure that all your devices have anti-malware services installed and they are up to date.