Email accounts get breached far more often than most businesses admit—and when it happens, the fallout is bigger than “missed messages.” Email is your control plane for invoices, payroll changes, password resets, vendor onboarding, and customer trust. In the FBI’s latest Internet Crime Report, reported cybercrime losses hit $16.6B in 2024, with Business Email Compromise (BEC) among the costliest categories—and it’s still rising in 2025. (Internet Crime Complaint Center)
Below is a current, field-tested playbook you can hand to your team today.
Tell-tale signs your business email is hacked
Access anomalies. Password suddenly rejected; repeated re-auth prompts; “impossible travel” logins in your tenant logs. Attackers increasingly “log in” rather than “break in,” often via malicious app consent that grants mailbox access without stealing the password. (securitylabs.datadoghq.com)
Message anomalies. Replies to emails you never sent; vendors asking to confirm changed banking details; out-of-office rules you didn’t create; new auto-forwarding to external domains (classic BEC staging). The FBI continues to flag BEC/EAC as one of the most financially damaging crimes. (Federal Bureau of Investigation)
Identity-layer anomalies. Pop-ups asking you to approve permissions for an unfamiliar Microsoft or Google app. This OAuth consent phishing grants attackers persistent tokens—surviving password changes and some MFA setups—unless you explicitly revoke sessions and consents. Microsoft and independent researchers highlighted significant consent-abuse campaigns in 2025 and tightened default policies. (securitylabs.datadoghq.com)
Environment anomalies. A device runs hot or erratically after a link/attachment click—possible token stealer or infostealer.
First hour: contain and stabilize
- Isolate the device. Disconnect Wi-Fi/VPN. If you administer Microsoft 365/Google Workspace, revoke refresh tokens and sign out of all sessions for the user; then require a fresh sign-in. Don’t just change the password. Enforce admin review for app consents to stop re-grants. (Microsoft Learn)
- Rotate secrets in order. Change the account password; rotate any app passwords; force MFA re-registration. Prefer phishing-resistant factors (passkeys/FIDO2 or device-bound authenticators) over SMS codes. Google’s current guidance: passkeys are phishing-resistant and simpler for users; industry adoption accelerated in 2025. (Google for Developers)
- Kill malicious inbox logic. Remove suspicious forwarding and transport rules. Audit delegates. Recheck after 24 hours.
- Quarantine and scan endpoints. Run EDR/AV scans from a clean medium. Don’t reconnect until clean.
- Stabilize comms. Use a secondary channel (phone/SMS/secure chat) to coordinate. Major provider outages do occur—e.g., the July 10, 2025 Outlook outage—so check the provider status page while you investigate your environment. (AP News)
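One way to carry out the "kill malicious inbox logic" step systematically rather than by eyeballing each rule, as an added example that is not code from the article: a triage pass over exported inbox rules that flags forwarding to external domains and rules that hide finance-related mail. The rule records are constructed sample data shaped like Microsoft Graph `messageRule` objects (`actions.forwardTo`, `redirectTo`, `forwardAsAttachmentTo`, `delete`, `moveToFolder`, `markAsRead`); the internal-domain list and finance keywords are assumptions you would replace with your own.

```python
"""Triage exported inbox rules for BEC-style forwarding and hiding logic.

Added example, not code from the original article. Input is constructed sample
data shaped like Microsoft Graph `messageRule` objects; any provider's export can
be mapped onto the same fields.
"""
from dataclasses import dataclass

# Domains the organization owns; anything else is external (assumption for the example).
INTERNAL_DOMAINS = {"example.com", "mail.example.com"}
# Subject keywords attackers commonly hide while staging an invoice swap.
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "ach", "bank", "remittance")

# Constructed sample export: r1 and r3 are ordinary user rules, r2 is attacker staging.
SAMPLE_RULES = [
    {"id": "r1", "displayName": "Vendor invoices", "sequence": 1,
     "conditions": {"subjectContains": ["Invoice", "Payment"]},
     "actions": {"moveToFolder": "FOLDER_ID_AP",
                 "forwardTo": [{"emailAddress": {"address": "ap-review@example.com"}}]}},
    {"id": "r2", "displayName": ".", "sequence": 2,
     "conditions": {"subjectContains": ["wire", "bank"]},
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "drop@attacker-mail.test"}}],
                 "delete": True}},
    {"id": "r3", "displayName": "Newsletters", "sequence": 3,
     "conditions": {"senderContains": ["noreply@"]},
     "actions": {"moveToFolder": "FOLDER_ID_ARCHIVE", "markAsRead": True}},
]


@dataclass
class Finding:
    rule_id: str
    rule_name: str
    reason: str
    severity: str  # "high" or "medium"


def _recipients(action_list) -> list[str]:
    """Extract bare lowercase addresses from Graph-style recipient objects."""
    return [r["emailAddress"]["address"].lower()
            for r in action_list or [] if (r.get("emailAddress") or {}).get("address")]


def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def triage_rules(rules: list[dict]) -> list[Finding]:
    """Return findings ordered as the rules were supplied; an empty list means nothing suspicious."""
    findings: list[Finding] = []
    for rule in rules:
        rid, name = rule.get("id", "?"), rule.get("displayName", "")
        actions = rule.get("actions") or {}
        conditions = rule.get("conditions") or {}

        # 1. Any forward/redirect to an external address is the classic BEC staging step.
        for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
            for addr in _recipients(actions.get(key)):
                if _is_external(addr):
                    findings.append(Finding(rid, name, f"{key} to external address {addr}", "high"))

        # 2. Rules that hide mail: delete outright, or move plus mark-as-read so the user never sees it.
        hides = bool(actions.get("delete")) or bool(actions.get("moveToFolder") and actions.get("markAsRead"))
        subjects = [s.lower() for s in conditions.get("subjectContains") or []]
        if hides and any(k in s for s in subjects for k in FINANCE_KEYWORDS):
            findings.append(Finding(rid, name, "hides messages matching finance keywords: " + ", ".join(subjects), "high"))
        elif hides and not conditions:
            findings.append(Finding(rid, name, "hides every message (no conditions)", "medium"))

        # 3. Attackers often give rules throwaway names such as "." or ",".
        if name.strip(" .,-_") == "":
            findings.append(Finding(rid, name, "rule has an empty or placeholder name", "medium"))
    return findings


if __name__ == "__main__":
    for f in triage_rules(SAMPLE_RULES):
        print(f"[{f.severity.upper()}] rule {f.rule_id} ({f.rule_name!r}): {f.reason}")
```

Run it against a fresh export again at the 24-hour recheck the step calls for; a clean first pass followed by new findings later is itself a signal that the attacker still has a session or token.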
Same day: scope, notify, harden
Hunt and validate scope.
• Sign-in timeline: Export 30–90 days of logins. Flag new devices/locations, legacy protocol use (IMAP/POP/SMTP AUTH), and successful logins right after a consent prompt. (Microsoft Learn)
• Consent inventory: List enterprise apps with delegated permissions (Mail.Read, Mail.ReadWrite, offline_access). Remove anything unrecognized. Datadog’s October 2025 “CoPhish” analysis shows adversaries wrapping legitimate Microsoft surfaces to harvest tokens—assume token abuse until proven otherwise. (securitylabs.datadoghq.com)
• Mail-flow/DNS: Verify MX, SPF, DKIM, DMARC. Attackers sometimes modify DNS or set global forwarding to persist access.
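The three scoping steps above (sign-in timeline, consent inventory, and the sign-in-right-after-consent correlation) can be scripted over an export, and here is an added example of doing so; it is not code from the article or from Microsoft. All records are constructed sample data shaped loosely like an Entra ID sign-in export (`userPrincipalName`, `createdDateTime`, `clientAppUsed`, `status`, `location`), an audit entry for a consent event, and an OAuth2 permission-grant export (`clientDisplayName`, `scope`). The field names, the legacy-client strings and the approved-app list are assumptions; map them to your tenant's export before reuse.

```python
"""Hunt a sign-in export and consent inventory for account-takeover signals.

Added example, not code from the original article. All records are constructed
sample data; field names and legacy-client strings are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Client strings that indicate basic-auth legacy protocols (assumed display values).
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
# Delegated scopes that give durable mailbox access; offline_access yields refresh tokens.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "offline_access"}
# Apps the organization knowingly approved (assumption for the example).
APPROVED_APPS = {"Corporate Intranet"}

SIGNINS = [  # constructed; IPs are from the TEST-NET documentation ranges
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-10-20T08:00:00Z", "clientAppUsed": "Browser",
     "status": "success", "ipAddress": "203.0.113.10", "location": {"city": "London", "lat": 51.5074, "lon": -0.1278}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-10-20T08:40:00Z", "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": "success", "ipAddress": "198.51.100.77", "location": {"city": "Lagos", "lat": 6.5244, "lon": 3.3792}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-10-20T09:05:00Z", "clientAppUsed": "IMAP4",
     "status": "success", "ipAddress": "198.51.100.23", "location": {"city": "Manchester", "lat": 53.4808, "lon": -2.2426}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-10-20T09:30:00Z", "clientAppUsed": "Browser",
     "status": "failure", "ipAddress": "192.0.2.5", "location": {"city": "Manchester", "lat": 53.4808, "lon": -2.2426}},
]
CONSENTS = [{"userPrincipalName": "alice@example.com", "createdDateTime": "2025-10-20T08:35:00Z", "appDisplayName": "Mail Sync Helper"}]
GRANTS = [
    {"clientDisplayName": "Mail Sync Helper", "consentType": "Principal", "principalId": "alice@example.com",
     "scope": "Mail.ReadWrite offline_access User.Read"},
    {"clientDisplayName": "Corporate Intranet", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read openid profile"},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _haversine_km(a: dict, b: dict) -> float:
    """Great-circle distance in km between two {"lat", "lon"} points."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def legacy_auth_events(signins: list[dict]) -> list[dict]:
    """Sign-ins over legacy protocols; a success here could not have been challenged for MFA."""
    return [e for e in signins if e.get("clientAppUsed") in LEGACY_CLIENTS]


def impossible_travel(signins: list[dict], max_kmh: float = 900.0) -> list[dict]:
    """Consecutive successful sign-ins per user whose implied speed exceeds max_kmh."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in signins:
        if e.get("status") == "success" and e.get("location"):
            by_user[e["userPrincipalName"]].append(e)
    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda e: _ts(e["createdDateTime"]))
        for prev, cur in zip(events, events[1:]):
            km = _haversine_km(prev["location"], cur["location"])
            hours = (_ts(cur["createdDateTime"]) - _ts(prev["createdDateTime"])).total_seconds() / 3600
            speed = km / max(hours, 1 / 3600)  # guard against same-second events
            if speed > max_kmh:
                hits.append({"user": user, "from": prev["location"]["city"], "to": cur["location"]["city"],
                             "km": round(km), "speed_kmh": round(speed)})
    return hits


def logins_after_consent(consents: list[dict], signins: list[dict], window_min: int = 30) -> list[dict]:
    """Successful sign-ins within window_min after the same user consented to an app."""
    hits = []
    for c in consents:
        start = _ts(c["createdDateTime"])
        for e in signins:
            if e["userPrincipalName"] != c["userPrincipalName"] or e.get("status") != "success":
                continue
            t = _ts(e["createdDateTime"])
            if start <= t <= start + timedelta(minutes=window_min):
                hits.append({"user": e["userPrincipalName"], "app": c["appDisplayName"],
                             "minutes_after_consent": int((t - start).total_seconds() // 60)})
    return hits


def risky_grants(grants: list[dict]) -> list[dict]:
    """Grants carrying mailbox or refresh-token scopes to apps nobody approved."""
    out = []
    for g in grants:
        risky = set(g.get("scope", "").split()) & RISKY_SCOPES
        if risky and g.get("clientDisplayName") not in APPROVED_APPS:
            out.append({**g, "risky_scopes": sorted(risky)})
    return out


if __name__ == "__main__":
    print("legacy auth:", [e["userPrincipalName"] for e in legacy_auth_events(SIGNINS)])
    print("impossible travel:", impossible_travel(SIGNINS))
    print("login after consent:", logins_after_consent(CONSENTS, SIGNINS))
    print("risky grants:", [g["clientDisplayName"] for g in risky_grants(GRANTS)])
```

In the sample, the same user consents to an unrecognized app with `Mail.ReadWrite offline_access` and five minutes later signs in from a location 5,000 km away: three independent checks converge on one account, which is the kind of corroboration that justifies revoking sessions and the grant rather than only resetting the password.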
Notify and protect stakeholders.
Inform finance, customer-facing teams, and leadership. Freeze payment-method changes until confirmed by voice on a known number (not from the email thread). Proactively alert clients/partners that messages in a given time window may be fraudulent, and give them a verification path.
Harden before returning to normal.
• Block legacy protocols tenant-wide (no IMAP/POP/SMTP AUTH where possible). These protocols rely on basic authentication, which cannot carry an MFA challenge, so blocking them removes a common MFA bypass path. (Microsoft Learn)
• Admin-only consent. Disable user self-consent; require admin workflow for apps requesting scopes to mail/files. Microsoft’s 2025 updates emphasize this control. (Microsoft Learn)
• Strengthen authentication. Default to passkeys for privileged and finance users; roll out broadly as credential managers now support them across platforms. (Google for Developers)
• Brand protection. Publish SPF/DKIM and set DMARC to quarantine/reject to cut spoofing and protect deliverability.
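For the "Mail-flow/DNS" verification in the scoping step and the "Brand protection" item here, the following added example (not code from the article) grades SPF and DMARC records for the settings that leave a domain spoofable. It parses record text rather than querying DNS so it runs offline; paste in the TXT values returned for your domain and for `_dmarc.<domain>`. The record strings are constructed samples: a weak pair next to the corrected pair this section calls for.

```python
"""Grade SPF and DMARC records for settings that leave a domain spoofable.

Added example, not code from the original article. Parses record text only
(no DNS queries); the four records below are constructed samples.
"""

WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"


def _needs_lookup(term: str) -> bool:
    """Mechanisms and modifiers that each cost a DNS lookup towards SPF's limit of 10."""
    t = term.lower().lstrip("+-~?")
    name = t.split(":", 1)[0].split("/", 1)[0]
    return name in ("a", "mx", "ptr", "exists", "include") or t.startswith("redirect=")


def assess_spf(record: str) -> list[str]:
    """Return a list of problems; an empty list means unlisted senders hard-fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    issues = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders are neither failed nor soft-failed")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"  # bare 'all' means +all
        if qualifier == "+":
            issues.append("'+all' authorizes any host to send as this domain")
        elif qualifier == "?":
            issues.append("'?all' is neutral: receivers treat unlisted senders as unknown, not as failures")
    lookups = sum(1 for t in terms[1:] if _needs_lookup(t))
    if lookups > 10:  # lower bound only: nested includes add lookups this check does not follow
        issues.append(f"{lookups} lookup-causing terms exceed the SPF limit of 10 (permerror)")
    return issues


def _parse_tags(record: str) -> dict[str, str]:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return a list of problems; empty means spoofed mail is quarantined/rejected and reported."""
    tags = _parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    issues = []
    p = tags.get("p", "").lower()
    if p not in ("quarantine", "reject"):
        issues.append(f"p={p or 'missing'}: policy must be quarantine or reject to stop spoofed mail")
    sp = tags.get("sp", "").lower()
    if sp and sp not in ("quarantine", "reject"):
        issues.append(f"sp={sp} leaves subdomains spoofable even though the domain policy is {p}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so you cannot see who is spoofing you")
    return issues


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("corrected", GOOD_SPF, GOOD_DMARC)):
        print(label, "SPF:", assess_spf(spf) or "ok")
        print(label, "DMARC:", assess_dmarc(dmarc) or "ok")
```

The `p=none` result is the one to watch for: a monitoring-only DMARC record gives the impression of protection while still letting forged mail from your domain reach customers, which is exactly what a BEC actor impersonating finance relies on.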
How attacks are evolving (what changed this year)
- Consent phishing & token theft eclipsed many password-only phish in 2025. Attackers prompt users to approve “Read your mail” on convincing pages; once tokens are granted, they quietly watch threads and time invoice changes. Microsoft and researchers documented tightening of Entra ID consent defaults in July/October 2025—but gaps remain unless you actively govern consent. (securitylabs.datadoghq.com)
- Legacy protocol downshift. If legacy auth is enabled, attackers authenticate via IMAP/POP and bypass modern MFA. Administrators should block it globally and monitor for attempts. (Microsoft Learn)
- Provider outages mask intrusions. High-visibility incidents—like Outlook’s July 2025 outage—can distract teams. Always check status pages, then continue compromise checks in parallel. (AP News)
- Losses are still “staggering.” IC3’s latest report shows $16.6B in total losses for 2024; BEC remains one of the largest slices by dollars lost across the last decade. (Internet Crime Complaint Center)
A pragmatic recovery checklist (first 72 hours)
- Forensic posture. Preserve identity, mail, endpoint, and DNS logs. Capture volatile data if policy allows.
- Reset trust. Re-enroll MFA with phishing-resistant methods; rotate OAuth secrets for in-house apps; reissue device certs where applicable. (Google for Developers)
- Re-secure mail. Verify MX and mail-auth; remove rogue forwarding; re-scan mailboxes for new rules after 24 and 72 hours.
- Finance controls. Require out-of-band verification for any payment change. Hold all wire/ACH updates pending callback on a known number.
- External comms. Send a plain-text advisory (no links) to impacted parties: time window, what to ignore, where to verify on your website, and a phone number.
- Tabletop the incident. Within a week, run a short post-incident review: what signal did we miss, what rules to add (new-forward monitor, suspicious consent alerts), what to automate (session revocation on risky sign-ins).
Prevention that actually moves the needle
- Adopt passkeys for key roles now. They’re phishing-resistant, user-friendly, and supported across platforms; Google and major ecosystems have formalized rollout playbooks this year. (Google for Developers)
- Make consent governance boring. Admin-only consent, approval workflows, monthly reviews of granted scopes, and alerts on high-risk permissions. Microsoft’s “What’s new” guidance and identity hardening docs underline this as a default stance. (Microsoft Learn)
- Eliminate legacy auth. Block it everywhere; if a line-of-business tool still needs it, isolate and sunset it. (Microsoft Learn)
- Layer detections. Alerts for new forwarding rules, external auto-forward, anomalous OAuth grants, impossible travel, and spikes in failed MFA prompts.
- Plan for outages. July’s Outlook disruption is your reminder to keep a tested “email-down” playbook and alternate channels. (AP News)
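The last detection in the "Layer detections" item, a spike in failed MFA prompts, is simple to implement as a sliding-window count, and the following added example (not code from the article) does that; it also records whether an approval followed the burst, since a burst that ends in an approval is the outcome that matters most to a responder. `MFA_EVENTS` is constructed sample data with the three fields the detection needs (user, time, result); map your identity provider's MFA event export onto those fields.

```python
"""Flag users hit by a burst of failed MFA prompts, and whether an approval followed.

Added example, not code from the original article. MFA_EVENTS is constructed
sample data; the field names are an assumption for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_EVENTS = [  # constructed: carol receives six prompts in six minutes, then approves one
    {"user": "alice@example.com", "time": "2025-10-20T13:58:00Z", "result": "approved"},
    {"user": "carol@example.com", "time": "2025-10-20T14:00:00Z", "result": "denied"},
    {"user": "carol@example.com", "time": "2025-10-20T14:01:00Z", "result": "denied"},
    {"user": "carol@example.com", "time": "2025-10-20T14:02:00Z", "result": "timeout"},
    {"user": "carol@example.com", "time": "2025-10-20T14:03:00Z", "result": "denied"},
    {"user": "carol@example.com", "time": "2025-10-20T14:04:00Z", "result": "denied"},
    {"user": "carol@example.com", "time": "2025-10-20T14:05:00Z", "result": "denied"},
    {"user": "carol@example.com", "time": "2025-10-20T14:07:00Z", "result": "approved"},
    {"user": "dave@example.com", "time": "2025-10-20T14:10:00Z", "result": "denied"},
    {"user": "dave@example.com", "time": "2025-10-20T15:30:00Z", "result": "denied"},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def mfa_prompt_spikes(events: list[dict], threshold: int = 5, window_min: int = 10) -> list[dict]:
    """Per user, find the densest window of non-approved prompts and alert if it reaches threshold.

    approved_after is True when the same user approved a prompt within window_min
    after the burst ended.
    """
    window = timedelta(minutes=window_min)
    by_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((_ts(e["time"]), e["result"]))
    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort()
        fails = [t for t, r in evs if r != "approved"]  # denied, timeout, etc. all count
        best = None
        i = 0
        for j, t in enumerate(fails):
            while t - fails[i] > window:  # slide the window start forward
                i += 1
            count = j - i + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (fails[i], t, count)
        if best:
            start, end, count = best
            approved_after = any(r == "approved" and end <= ts <= end + window for ts, r in evs)
            alerts.append({"user": user, "start": start.isoformat(), "end": end.isoformat(),
                           "count": count, "approved_after": approved_after})
    return alerts


if __name__ == "__main__":
    for a in mfa_prompt_spikes(MFA_EVENTS):
        print(f"{a['user']}: {a['count']} failed prompts {a['start']}..{a['end']}, approved after: {a['approved_after']}")
```

Tune `threshold` and `window_min` to your baseline; two denials an hour apart, as with the second sample user, is normal noise, while a run of denials ending in an approval is the case to route straight to the session-revocation step from the first-hour list.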
Bottom line
Most companies train for phishing; far fewer plan for account takeover—even though BEC and mailbox compromise remain multi-billion-dollar problems. Treat email like the high-value identity system it is. Combine phishing-resistant authentication, consent governance, legacy-auth blocking, and a disciplined incident-response plan. Do that, and a mailbox compromise becomes a contained security event—not an existential business crisis. (Internet Crime Complaint Center)
If you want an evidence-based health check (MFA resilience, consent inventory, legacy protocol exposure, DMARC enforcement) with a prioritized fix list, we can deliver it quickly and help you close the gaps before attackers—or the next outage—test them.