Email & Microsoft 365

What to Do If a Business Email Account Is Hacked

Contain a compromised mailbox, secure recovery methods, remove forwarding rules, and warn affected contacts.

Contain access

  • Change the password from a trusted device and enable multi-factor authentication.
  • Sign out other sessions or revoke refresh tokens through the account security page.
  • Secure the recovery email and phone if they were changed or share the same password.

Remove persistence

  • Inspect forwarding addresses, inbox rules, delegates, connected apps, and app passwords.
  • Check Sent, Deleted, Archive, and unusual folders for attacker activity.
  • Ask an administrator to review sign-in logs when available.

Protect the business impact

  • Warn contacts if fake invoices, password links, or payment changes were sent.
  • Contact financial institutions immediately when payment information was involved.
  • Preserve evidence and record what changed before deleting suspicious messages.
When to ask for help

Stop guessing when the problem keeps coming back

Seek immediate help if the attacker still has access, administrator accounts are affected, or customers received fraudulent payment instructions.