It is tempting to treat an email compromise like a lost key. Change the lock, move on, and assume the problem is solved.

In reality, modern email attacks work more like an uninvited guest who already copied the spare keys, learned your routine, and knows which doors you forget to check. That is why a password change, while important, rarely closes the story.

This matters because email is not just a mailbox anymore. It is a command centre. It connects to documents, identity, payments, suppliers, and internal systems. So when an attacker gets in, their goal is often not a quick spam run. It is quiet control.

Why Attackers Do Not Rush Anymore

A few years ago, many compromises looked noisy. You might see a flood of junk mail or a clear sign that something was wrong.

Now the playbook has evolved. Attackers are patient. They use automation. They use convincing language. They blend into normal activity. And most importantly, they try to stay.

So instead of breaking things, they often shape things.

That is the shift: from disruption to persistence.

What A Compromise Can Look Like Behind The Scenes

When a mailbox is misused, sending messages is usually the visible symptom, not the real damage. The more serious work is what happens quietly in the background.

Here are the most common patterns we see in modern Microsoft 365 and Outlook incidents.

1. Session hijacking and token-based access

Even after a password is changed, an attacker may still be signed in somewhere. That is because many services rely on session tokens that remain valid until they are revoked or expire.

If the attacker has a valid session, they may not need the new password at all.

2. Mailbox rules that reroute the truth

Attackers love inbox rules because they are simple and effective. A rule can silently move messages to obscure folders, mark them as read, delete them, or forward them elsewhere.

The result is subtle. Conversations continue, but the compromised user does not see key messages. That is perfect for invoice fraud, supplier impersonation, and executive targeting.

3. Hidden forwarding and external redirection

Forwarding settings can send copies of emails to an external address. In some cases, the attacker only forwards messages that match certain keywords such as “invoice,” “bank,” “payment,” or “contract.”

This creates a steady leak of sensitive information, often for weeks.

4. Impersonation and conversation hijacking

The attacker may read emails first, learn the tone, then reply at the right moment. These “reply chain” attacks are powerful because they arrive inside an existing thread and feel legitimate.

This is a common path to business email compromise, where money is redirected or details are changed at the last minute.

5. Abuse of connected apps and delegated access

Email accounts are rarely isolated. Users grant permissions to add-ins, mobile apps, and third-party tools. Attackers can abuse OAuth consent or add delegated access so they can keep control without logging in like a normal user.

If this is missed, the compromise can persist even after passwords and MFA are updated.

Why password resets alone leave a gap

A password reset is still a necessary step. It is just not the finishing step.

The missing pieces are visibility and certainty.

Visibility means answering questions like:

  • How did the attacker get in?
  • What did they access?
  • What changes did they make?
  • Where else did they go?

Certainty means being able to say, with confidence, that you have removed access paths and reduced the chance of a repeat event.

Without those answers, organisations often find themselves dealing with a second compromise that looks “mysterious,” when in fact it is simply unfinished remediation.

A Structured Response That Actually Closes The Incident

So what does a complete remediation look like? Think in layers. Each layer removes a different kind of risk.

Layer 1: Contain access quickly

Start by stopping the bleeding.

Common containment steps in Microsoft 365 environments include:

  • Reset the user password and require the user to reauthenticate
  • Revoke active sign-in sessions and refresh tokens
  • Confirm multifactor authentication status and reset MFA methods if needed
  • Disable suspicious sign-ins or temporarily block access if risk is high
  • Review recent sign-in activity for impossible travel, unfamiliar devices, and unusual locations

The key idea is simple: remove current access, not just future access.

Layer 2: Remove persistence mechanisms

Next, look for the quiet changes that keep the attacker in control.

Checklist items to review:

  • Inbox rules and hidden rules
  • Mailbox forwarding settings and SMTP forwarding
  • Delegates and mailbox permissions
  • Added or modified transport rules, if you have that level of access
  • Connected applications and OAuth grants
  • New devices registered to the account
  • Any unexpected changes to recovery details or security info
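A persistence review covering the checklist above, as an added PowerShell example (not code from the original post). It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator holds Exchange Online admin rights and the Directory.Read.All scope, and that $Upn is a placeholder.

```powershell
# Layer 2 persistence review for one mailbox (added example, not from the
# original post). Assumes ExchangeOnlineManagement and Microsoft.Graph are
# installed and the operator is an Exchange admin. $Upn is a placeholder.
$Upn = 'user@example.com'
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

# 1. Inbox rules, hidden ones included, showing the properties attackers use:
#    forwarding or redirection, deletion, moving out of sight, marking as read,
#    and keyword triggers such as "invoice" or "payment".
Get-InboxRule -Mailbox $Upn -IncludeHidden |
    Select-Object Name, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
        DeleteMessage, MoveToFolder, MarkAsRead, SubjectContainsWords, BodyContainsWords |
    Format-List

# 2. Mailbox-level forwarding, which is set outside of rules and easy to miss.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Delegates: Full Access, Send As and Send on Behalf grants other than the
#    user's own default entry.
Get-MailboxPermission -Identity $Upn |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $Upn |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' } |
    Select-Object Trustee, AccessRights
(Get-Mailbox -Identity $Upn).GrantSendOnBehalfTo

# 4. OAuth consent grants made by this user, resolved to the app's display name
#    so an unfamiliar "mail reader" app with Mail.Read or offline_access stands out.
Get-MgUserOauth2PermissionGrant -UserId $Upn | ForEach-Object {
    $App = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{ App = $App.DisplayName; AppId = $App.AppId; Scope = $_.Scope }
}

# 5. Devices registered to the account; an unknown device is a persistence path.
Get-MgUserRegisteredDevice -UserId $Upn |
    Select-Object Id, @{n='Name'; e={ $_.AdditionalProperties['displayName'] }},
        @{n='OS'; e={ $_.AdditionalProperties['operatingSystem'] }}

# Remediation once the findings are confirmed (rule name is a placeholder):
# Disable-InboxRule -Mailbox $Upn -Identity 'SuspiciousRuleName' -Confirm:$false
# Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
```

Capture the output before removing anything; it is the "proof they were removed" you will want at the end of the incident.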

This is where many “password reset only” responses fail. Persistence is not always obvious, but it is often there.

Layer 3: Validate exposure and impact

Now comes the harder question: what was seen, changed, or taken?

This step typically includes:

  • Reviewing audit logs and mailbox activity
  • Identifying which folders and messages were accessed
  • Checking for sensitive topics discussed during the compromise window
  • Looking for outbound messages that could have triggered further harm such as supplier fraud or internal phishing
  • Determining whether the account was used to access SharePoint, OneDrive, Teams, or other connected resources
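The audit-log review described above, as an added PowerShell example (not code from the original post). It assumes unified audit logging is enabled, that MailItemsAccessed is recorded for the tenant's licence level, that the operator holds an audit-reading role in Exchange Online, and that $Upn and the 30-day window are placeholders.

```powershell
# Layer 3 exposure review from the unified audit log (added example, not from
# the original post). Assumes audit logging is on and the operator can run
# Search-UnifiedAuditLog. $Upn and the window are placeholders.
$Upn   = 'user@example.com'
$Start = (Get-Date).AddDays(-30)
$End   = Get-Date
Connect-ExchangeOnline -ShowBanner:$false

# Operations that record reading the mailbox and reshaping it.
$Ops = 'MailItemsAccessed','New-InboxRule','Set-InboxRule','UpdateInboxRules',
       'Set-Mailbox','Add-MailboxPermission','Add-RecipientPermission','Send','SendAs','SendOnBehalf'
$Records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Upn -Operations $Ops -ResultSize 5000

# Flatten the AuditData JSON to the fields that answer "what, from where, when".
# Mailbox audit records carry ClientIPAddress; admin audit records carry ClientIP.
$Events = foreach ($r in $Records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        Operation = $r.Operations
        ClientIP  = if ($d.ClientIPAddress) { $d.ClientIPAddress } else { $d.ClientIP }
        App       = $d.ClientInfoString
        Folders   = ($d.Folders | ForEach-Object { $_.Path }) -join ';'          # MailItemsAccessed only
        Params    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
}

# Which IPs and clients touched the mailbox, and how often: the access timeline.
$Events | Group-Object ClientIP, App | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Every configuration change with its parameters (forwarding, rules, delegates).
$Events | Where-Object { $_.Operation -notin 'MailItemsAccessed','Send','SendAs','SendOnBehalf' } |
    Format-Table Time, Operation, ClientIP, Params -Wrap

# Folders read during the window, so "Finance" or "Contracts" shows up by count.
$Events | Where-Object Operation -eq 'MailItemsAccessed' |
    ForEach-Object { $_.Folders -split ';' } | Where-Object { $_ } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name

# Messages sent from the account during the window, for the outbound-harm check.
$Events | Where-Object { $_.Operation -in 'Send','SendAs','SendOnBehalf' } |
    Format-Table Time, Operation, ClientIP, App -AutoSize
```

Compare the IPs and clients here with the sign-in review from containment; an address that appears in mailbox access but never in a sign-in for the user is a strong sign of a stolen token or delegated app rather than a simple password login.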

This is also the moment to consider external notifications. For example, if clients received fraudulent messages, they may need clear guidance quickly.

Layer 4: Harden controls to reduce repeat risk

Finally, fix the conditions that made the compromise possible.

High-value improvements often include:

  • Enforcing strong MFA and phishing-resistant methods where appropriate
  • Turning on Conditional Access policies for location, device compliance, and risk-based sign-ins
  • Blocking legacy authentication if it is still enabled
  • Tightening rules around external forwarding
  • Improving alerting for suspicious mailbox rule creation and unusual sign-in patterns
  • Running targeted user awareness around modern phishing and consent prompts
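Two of the hardening items above (external forwarding and legacy authentication) as an added Exchange Online PowerShell example showing the weak state beside the corrected one (not code from the original post). It assumes the ExchangeOnlineManagement module is installed, the operator is an Exchange admin, and the policy name is a placeholder.

```powershell
# Layer 4 hardening in Exchange Online (added example, not from the original
# post). Assumes ExchangeOnlineManagement is installed and the operator is an
# Exchange admin. 'Block Legacy Auth' is a placeholder policy name.
Connect-ExchangeOnline -ShowBanner:$false

# --- External forwarding -------------------------------------------------
# Weak state: outbound spam policy allows automatic forwarding to external
# domains, and the default remote domain permits auto-forward.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain -Identity Default | Select-Object AutoForwardEnabled

# Corrected state: block auto-forwarding tenant-wide. Client-side rules and
# mailbox forwarding to external addresses will then be rejected.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# --- Legacy authentication -----------------------------------------------
# Weak state: basic auth still accepted for SMTP AUTH, and mailboxes with
# POP or IMAP enabled (protocols that cannot enforce MFA).
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or -not $_.SmtpClientAuthenticationDisabled } |
    Select-Object Identity, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

# Corrected state: disable SMTP AUTH at the tenant level, disable POP/IMAP per
# mailbox, and apply an authentication policy whose Allow*Basic switches are
# all off (the default for a new policy) as the tenant default.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false
New-AuthenticationPolicy -Name 'Block Legacy Auth'
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Legacy Auth'
```

Inventory before you enforce: the Get-CASMailbox query above shows which mailboxes (scanners, line-of-business senders) still depend on POP, IMAP or SMTP AUTH, and those need a per-mailbox exception or a migration rather than a surprise outage.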

This is the strategic step. Containment stops today’s problem. Hardening reduces tomorrow’s.

What “good” looks like after remediation

A well-handled incident ends with clarity, not guesswork.

You should be able to answer:

  • The likely entry method, such as phishing, credential reuse, token theft, or consent abuse
  • The full timeline of access
  • The changes the attacker made and proof they were removed
  • The scope of data exposure, even if the answer is “no evidence found”
  • The improvements made to prevent a repeat

That final point matters. Incidents are painful, but they can also be a forcing function for real security progress.

When to bring in professional incident response

If you suspect business email compromise, financial fraud, sensitive data exposure, or lateral movement into other systems, you should treat it as more than an IT ticket.

At that point, professional incident response brings two things that are hard to replicate under pressure: depth and discipline. Depth in investigation, and discipline in closing every door the attacker may have opened.

A practical next step

If you want confidence that your Microsoft 365 environment is resilient against modern email attacks, we can help: a focused security posture review can surface the common gaps that attackers exploit. That includes identity settings, sign-in protections, mailbox controls, and monitoring.

Contact us today!