This article describes how to identify a compromised mailbox and steps to secure it and prevent future risks.

If you suspect that your mailbox was compromised, we suggest that you reset the password and then proceed with the steps outlined below.

Reset the Password

  • Account administrators can reset the password in CONTROL PANEL, while end users can do so via My Services or OWA.
  • Note: users cannot change their password in the following cases:
    o The account administrator has restricted password change and reset for the user or for all users in the company. Contact your administrator to reset your password.
    o The user is linked with on-premises Active Directory. The password needs to be changed in your AD.

Symptoms of a Spoofed Mailbox

    • You or your contacts are receiving emails from your email address that you didn’t send. This means that a spammer is sending email with your email address in the From field by forging message headers. If you want to make sure that the messages were not sent from your mailbox, you can contact support to analyze the headers and perform message tracking.
    • You are receiving bounce back messages for the emails that you didn’t send. If a message gets returned to the sender, it goes to the actual holder of the From address, regardless of who sent it. To make sure that the messages were not sent from your mailbox, you can contact support to perform message tracking, as outlined in the first step.

Please refer to this article for more information about spoofing and ways to prevent it.
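
The header check described above can be sketched in a few lines. The following is an added example, not part of the original article or of Intermedia's tooling; the sample headers, the domain example.com and the function names are constructed for illustration. It reads the Authentication-Results header that the receiving server stamped on a message and reports whether a message claiming your address was forged or actually passed authentication for your domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers: a forged message claiming to be from alice@example.com.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.com
From: "Alice" <alice@example.com>
To: bob@example.org
Subject: Invoice

"""
# Constructed sample headers: a message really sent through example.com's mail system.
GENUINE = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Alice" <alice@example.com>
To: bob@example.org
Subject: Invoice

"""

def domain_of(value):
    """Domain part of the address in a header value ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts; trust only headers added by your own receiving server."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in str(header).split(";")[1:]:  # element 0 is the server id
            method, _, rest = part.strip().partition("=")
            if method.lower() in ("spf", "dkim", "dmarc") and rest.split():
                results.setdefault(method.lower(), rest.split()[0].lower())
    return results

def assess(raw, own_domain):
    """Return (verdict, findings) for a message that claims to come from own_domain."""
    msg = message_from_string(raw)
    from_dom, auth, findings = domain_of(msg["From"]), auth_results(msg), []
    if domain_of(msg["Return-Path"]) != from_dom:
        findings.append("Return-Path domain differs from From domain")
    findings += [f"{m}={auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    if from_dom != own_domain:
        return "not-our-domain", findings
    verdict = {"pass": "authenticated", "fail": "likely-spoofed"}.get(auth.get("dmarc"), "inconclusive")
    return verdict, findings
```

A "likely-spoofed" verdict matches the symptoms in this section, while "authenticated" means the message passed authentication for your domain and message tracking is needed to rule out a compromised mailbox.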

Symptoms of a Compromised Mailbox

  • You are receiving bounce back messages for the emails that you didn’t send. It could also mean that your email address is being spoofed. This means that a spammer is sending email with your email address in the From field. If a message gets returned to the sender, it goes to the actual holder of the From address, regardless of who sent it. If you want to make sure that the messages were not sent from your mailbox, you can contact support to perform message tracking.
  • Other users are receiving emails from you that you didn’t send. A common scenario is when the messages in question can’t be located in the Sent items folder because the hacker already deleted them. As outlined in the previous step, you can contact support to track the messages.
  • Some emails are deleted or moved to a different folder. This might indicate that the emails have been manually moved by the hacker or mailbox rules were created that moved the messages.
  • Mail forwarding has been added. Setting up email forwarding via an Outlook rule is a common tactic used by hackers because the rule is immune to typical responses like resetting users’ passwords.

Steps to Secure a Compromised Mailbox

  • Scan all devices for viruses and malware. We recommend performing another scan after the password reset: until the malware is found and removed, hackers may still have access to your device and could retrieve your newly reset password.
  • Disable any suspicious mailbox rules:
    1. For Outlook 2010/2013/2016, navigate to Home > Rules > Manage Rules & Alerts.
    2. For OWA, click the Gear Icon and then select Options > Organize email.
  • Alert your coworkers and contacts. If you are not the account administrator for your company, you should alert your administrator immediately.
  • Get additional information. You can request Client Access Server (CAS) logs by contacting support. The logs will show the list of IPs that accessed your mailbox. Such logs can be provided for the past 7 days.
    Note: the request might be chargeable.

How to Prevent Risks in the Future

  • Make sure that the new password is strong enough. A strong password should be long and contain both upper case and lower case letters as well as numbers and special characters. For more information about Intermedia password complexity standards, click here.
  • Use a password manager. You can try ConnectID, a password management and single sign-on solution from Intermedia.
  • Use antivirus software. Make sure that all your devices have anti-malware services installed and that they are up to date.