Symptoms of a compromised mailbox
If any of these symptoms apply to you, take immediate steps to secure the mailbox:
- You have started receiving bounce messages for emails that you never sent.
- You notice emails that are unfamiliar.
- Your password has been changed.
- Colleagues or friends report receiving messages from you that you never sent.
- Forwarding rules have been added that you did not create.
- Your reply-to address has been changed.
- You received an email from Rackspace informing you that your mailbox has been disabled.
Risk factors
Avoiding the following factors is a small inconvenience compared to the potential damage caused by a successful mailbox compromise. If you find that any of these factors apply to you, you should take immediate steps to secure your mailbox.
- Weak or moderate strength passwords
- Delaying software updates
- Clicking links from unverified sources
- Clicking links without verifying their authenticity. Even links from what appears to be a trusted source can easily be a trick to gain access to your account.
- Accessing your account from a public computer, such as those in libraries or hotels. If a computer is used by strangers all day, you should assume that it is unsafe to access your mailbox from it.
- Accessing your account over public WiFi.
- Secure a mailbox that has been compromised
- Take the following steps to secure a mailbox that has been compromised:
Immediately change the password to the mailbox.
Locking out those who have compromised the mailbox is the top priority. The longer a bad actor has access to your account, the more damage that can be done. When crafting a new password, review Password management, and best practices. Ensuring you enable Multi-Factor Authentication will help increase the security of your mailbox.
Scan all devices for viruses and malware.
Malware and viruses can gather the information that you enter through your infected device. If you scan your devices and find an infection, you need to change your password for a second time after you have removed the malicious software. Otherwise, your mailbox information could already be in the hands of a hacker.
If the mailbox was disabled by Thexyz, follow these instructions to restore mailbox access.
Warning: Do not restore access until after you have changed the mailbox password and scanned all devices for malicious software.
Alert your colleagues and coworkers. If you are not the administrator for your company, you should alert your administrator immediately.
It is better to raise the alarm and protect everyone’s information than to risk the compromise growing beyond your mailbox.
If the return-path and originating IP of the message that led to the compromise was the source, blocklist them. Usually, the message contained a suspicious link or asked you for account information.
The View and read Thexyz Email headers article shows how to identify the return-path and originating IP of the malicious email. Educate your users about the risk factors and symptoms of a compromised mailbox. Email attacks are a constant threat that users and admins should be prepared for at all times.