An email account takeover is a cyber attack in which criminals gain access to your email account or system. Access can be gained through social engineering, malware, credential stuffing, cross-site breaches or a multitude of other methods. If you are reading this response plan, the cyber attack has likely already succeeded, and you may have a compromised email account within your organization. This guide is a walk-through of how to respond to and recover from an Email Account Takeover (ATO) cyber attack.

Take the following actions immediately after an Email Account Takeover:

1. Change your passwords

Any compromised email account should immediately have its password changed. The new password should be strong and unique to this email account alone. Read our guide on NIST recommended password policies and updates.

Using weak passwords or reusing the same passwords with multiple accounts opens the door for future ATOs. If the criminal already changed your password and locked you out of the account, immediately contact your IT department or Managed Service Provider (MSP) for recovery and password reset next steps.

2. Enable multi-factor authentication

Although you have changed the password, the criminals may have malware on your system that observed and recorded the new password. Setting up multi-factor authentication adds a layer of security that requires individuals to verify their identity with a second factor, such as a physical device they possess. Multi-factor authentication is supported by a variety of cloud providers, including Office 365 and G-Suite.

3. Contact your account provider

Contact organizations you believe may have been affected by this account takeover. If you are receiving communications about wire transfers, bank account password changes, unrecognized social media accounts or vendor-specific accounts, contact the organizations immediately (by phone if possible). It is important to let them know that your email account has been compromised and any communications should not be trusted until you resolve this ATO and notify them.

4. Internal & external communication

Criminals often steal (also known as scraping) your entire contact list and any email addresses you have previously communicated with, bundle that with a large list of other email addresses obtained through other attacks, and blast out malicious emails from your account. We have observed instances where an ATO occurs and within minutes thousands of malicious emails are sent from the account. These malicious emails often contain malware or links to sophisticated social engineering pages designed to cause further damage.

It is important to let all employees within your organization know that your email account has been compromised and that they should not open any emails (especially attachments) or click on links sent from your account. Likewise, it is important to contact all external individuals and organizations that received an email from your account after it was compromised. Criminals often cover their tracks and remove any record of their communications, which makes it very difficult to identify the breadth of exposure. In this case, it is recommended to seek professional cyber security assistance.

Additional recommended steps to take after an Email Account Takeover:

1. Malware discovery

Any systems that have ever interacted with the compromised email account should be scanned for malware. Malware such as remote access tools (RATs), keyloggers and other types of password-stealing malware can make your remediation attempts futile. All systems should be thoroughly scanned for malware with professional tools. System events and logs should be reviewed for signs of tampering and unauthorized access. It is important to note that not all anti-malware tools are created equal; a professional cyber security team has access to a larger set of more effective security tools.

2. Change other account passwords

If any passwords have been reused, it is important to change the password on every other online account that shared the same password. It is also cheap insurance to change the passwords on all other accounts registered to the compromised email address. Once an attacker gains access to an email account, they can easily request a password reset for nearly all of your other accounts and compromise them as well.

3. Enforce strong password policies going forward

It is recommended to enforce strong password policies within your organization. For more information about recommended password policies and procedures check out our team's blog post.

4. Disable auto-forwarding

We have observed that once cyber criminals gain access to an account, they will usually set up an auto-forwarding rule to siphon copies of all incoming and outgoing emails to an account they control. While there are some legitimate reasons a company may wish to allow auto-forwarding of business email, in the vast majority of cases the best course of action is simply to disable email auto-forwarding functionality for additional security. Read our two methods for disabling email auto-forwarding in Office 365.
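As an added example (not one of the guide's two methods), the following Exchange Online PowerShell script audits every mailbox for the two places an attacker can plant forwarding: mailbox-level forwarding settings and inbox rules that forward, forward-as-attachment or redirect. Run read-only first to review the findings; with the script's own `-Remediate` switch it clears mailbox forwarding, disables (rather than deletes, so the evidence survives) the offending rules, and blocks automatic forwarding to external domains tenant-wide. It assumes the ExchangeOnlineManagement module and an Exchange administrator account.

```powershell
# Added example, not from the guide: audit and optionally remove auto-forwarding in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed and the caller has Exchange admin rights.
param([switch]$Remediate)   # example's own switch: omit it for a read-only audit

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = @()

foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    # 1. Mailbox-level forwarding: ForwardingSmtpAddress (any address) or ForwardingAddress (internal recipient)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Type = 'MailboxForwarding'
            Target  = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"; Rule = ''
        }
        if ($Remediate) {
            Set-Mailbox -Identity $mbx.Identity -ForwardingSmtpAddress $null `
                -ForwardingAddress $null -DeliverToMailboxAndForward $false
        }
    }

    # 2. Inbox rules that forward, forward as attachment, or redirect mail elsewhere
    $rules = Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Type = 'InboxRule'
            Target  = ($targets -join ';'); Rule = $rule.Name
        }
        # Disable instead of Remove so the rule remains available for forensic review
        if ($Remediate) { Disable-InboxRule -Mailbox $mbx.Identity -Identity $rule.Identity -Confirm:$false }
    }
}

# 3. Tenant-wide: stop automatic forwarding to external domains via the default remote domain
if ($Remediate) { Set-RemoteDomain -Identity Default -AutoForwardEnabled $false }

$findings | Sort-Object Mailbox | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Any mailbox listed with a Target outside your own domains should be treated as a likely indicator of compromise and fed into the malware discovery and communication steps above.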