If it's happening right now
Triage order for a compromised mailbox: change the password and revoke active sessions (a password change alone doesn't kick out an attacker already logged in); switch on multi-factor authentication immediately; check the mailbox rules โ attackers plant forwarding and delete rules to watch you silently, and finding one is the confirmation; review sent items for what went out in your name; and warn anyone who received suspicious mail from you, fast, before an invoice gets paid to the wrong account. If money has moved, contact your bank's fraud line immediately โ speed matters more than embarrassment. Then take a breath, because the next section is how this never happens again.
The fix that makes it stop
Almost every business email compromise walks through two open doors: no MFA, and permissive defaults. Closing them is neither hard nor expensive. Layered email security stops the phishing mail arriving (filtering, link protection, impersonation scoring for the fake-MD and fake-supplier emails), MFA makes stolen passwords useless, and enforced DMARC stops criminals sending mail that claims to be from your domain โ protecting your customers from fraud committed in your name. We audit, configure and monitor the lot; most of what we fix is Microsoft 365 tenants left on factory settings. If email is how your business transacts, this is the least optional security you can buy.
Frequently asked questions
How did they get the password in the first place?
Usually phishing (a fake login page) or reuse โ a staff member used the same password on a breached website. MFA defeats both, which is why it's step one.
What is a mailbox rule attack?
Attackers create hidden rules that forward your mail to them or delete security warnings โ letting them watch invoices and intercept payment details silently. Checking rules is a standard part of our compromise response.
Can you stop criminals emailing our customers as us?
Yes โ enforced DMARC (built on SPF and DKIM) instructs the world's mail servers to reject mail impersonating your domain. Most small businesses don't have it; ours do.