Business Email Hacked? What to Do Now

Don't Panic, But Act Fast

A compromised business email can be serious - but most of the time, quick action limits the damage. Here's what to do right now.

Immediate Actions (Do These First)

1. Change the Password Immediately

Log into your Microsoft 365 or Google Workspace admin console and force a password reset for the affected account. If you can't access admin, use the account's password reset flow.

Use a strong, unique password - at least 16 characters.

2. Enable Multi-Factor Authentication (MFA)

If MFA wasn't enabled, enable it NOW. This is the single most effective way to prevent future compromises. Authenticator apps > SMS codes.

3. Check for Forwarding Rules

Attackers often set up email forwarding to maintain access even after you change the password.

In Microsoft 365: Outlook → Settings → Mail → Forwarding. Also check Inbox Rules for suspicious forwards.

In Google Workspace: Gmail → Settings → Forwarding and POP/IMAP. Also check Filters.

Delete any rules you don't recognise.

4. Review Recent Sent Items

Check what emails were sent from the account. Attackers often send phishing emails or invoice fraud attempts to your contacts.

If suspicious emails were sent, notify affected parties immediately.

5. Check Connected Apps

Review third-party apps that have access to the account and revoke anything suspicious.

Microsoft 365: myapps.microsoft.com → Review permissions

Google: myaccount.google.com → Security → Third-party apps

After the Immediate Crisis

Notify Your Contacts

If the attacker sent emails pretending to be you (especially anything about invoices or payment details), warn your clients and suppliers. A quick email explaining the situation protects your reputation.

Check Financial Accounts

If the compromised email is linked to banking, payment platforms, or accounting software, review those accounts for unauthorized access.

Review Other Accounts

If the same password was used elsewhere (it shouldn't be, but let's be honest...), change those passwords too.

Audit Your Tenant

Look for:

• New user accounts you didn't create
• Changed admin roles
• Modified security settings
• New mail flow rules at the tenant level

Preventing Future Compromises

1. MFA Everywhere

Every user, every account, no exceptions. This blocks 99% of account compromises.

2. Security Awareness

Most compromises start with phishing. Train your team to:

• Check sender addresses carefully
• Never click links in unexpected emails
• Call to verify any "urgent" payment requests

3. Regular Access Reviews

Quarterly: Review who has admin access, who has left the company, and whether accounts are still needed.

4. Conditional Access (Microsoft 365)

Block logins from unusual locations or require additional verification.

Need Help Right Now?

If you're dealing with a compromised account and need hands-on help, I can:

• Assist with immediate containment
• Audit your tenant for other compromises
• Set up MFA and security policies
• Train your team on prevention

The $170 call-out covers rapid response. Most compromises can be contained and secured within 1-2 hours.

Get emergency help →