
Introduction
A colleague messages you: they received a suspicious link from your email address — one you never sent. That single moment shifts the question from "was I hacked?" to something far more urgent: what happened, how long has it been going on, and what data did they access?
A compromised work email isn't a minor IT inconvenience. Attackers who gain access to a corporate inbox can:
- Read confidential client communications without triggering alerts
- Intercept financial instructions and redirect payments
- Harvest credentials to connected systems and cloud accounts
- Surveil your organization silently for days before anyone notices
The steps taken in the first hour determine how much damage gets contained and whether any evidence survives.
This guide covers how to confirm a compromise, investigate the full scope, preserve evidence correctly, and recognize when the situation requires certified forensic expertise rather than a standard internal IT response.
TL;DR
- Warning signs include unfamiliar sent emails, unexpected password resets, and hidden inbox forwarding rules redirecting messages to an attacker
- Don't change anything first — document login history, suspicious rules, and sent items before touching credentials
- Six structured steps guide the investigation, from reviewing sign-in logs to identifying the original attack vector
- Compliance deadlines are real: GDPR requires breach notification within 72 hours; HIPAA gives 60 calendar days
- Call a forensic investigator when client data was likely exfiltrated, legal proceedings are possible, or internal IT findings are inconclusive
Warning Signs Your Work Email Has Been Hacked
Behavioral Indicators
The obvious signs are the ones most people notice first:
- Emails in the Sent folder you didn't write
- Password reset notifications you never requested
- Contacts reporting strange messages or links from your account
- Sudden inability to log in to an account you've used for years
Any one of these warrants immediate investigation. But the more dangerous indicators are the ones that don't announce themselves.
Subtle Technical Signs
Attackers with sustained access typically modify account settings to maintain that access invisibly. Look for:
- Hidden inbox rules that auto-delete security alerts before you see them, or forward every incoming email to an external address
- Changed recovery options — a different phone number or backup email address you don't recognize
- Unfamiliar OAuth app permissions connected to your account, which can retain access even after a password reset
- Filter rules with generic names like ".", "..", "ACH", or "mail", which are easy to overlook and commonly used to hide forwarding activity
That last category matters more than it might seem. Red Canary's 2025 Threat Detection Report found email forwarding rules present in 9.2% of monitored organizations, ranking it the sixth most prevalent attacker technique overall.
The harder truth is that a clean inbox proves nothing. According to Palo Alto Networks Unit 42 case investigations, BEC attackers maintain a median dwell time of 5 days inside a compromised inbox before acting — and fewer than 8% of incidents are discovered through technical controls. Most compromises go undetected until damage is already done.

Immediate Actions: What to Do in the First Hour
Document Before You Touch Anything
The most destructive mistake organizations make is remediating before preserving evidence. Changing a password, wiping inbox rules, or revoking sessions first can permanently eliminate the forensic artifacts needed to understand what happened.
Those artifacts also support any legal or regulatory proceeding that follows — and in over 50 years of compromised email investigations, Prudential Associates has seen first-hour decisions determine whether a full forensic reconstruction is even possible.
Before changing anything, capture:
- Full login history — IP addresses, device types, timestamps, and geographic locations
- Any inbox rules or forwarding addresses you didn't create
- Emails in the Sent folder you didn't write, including recipients and timestamps
- Connected third-party app permissions currently authorized on the account
Screenshots are a starting point. Exported log files with intact metadata are what hold up under legal scrutiny.
Changing Credentials — After Documentation
Once the above is preserved:
- Use a separate, trusted device to reset the email password to a strong, unique passphrase
- Revoke all active sessions from every device simultaneously
- Enable MFA using an authenticator app or, better, a hardware security key, not SMS: NIST SP 800-63B classifies PSTN-based (SMS and voice) out-of-band authentication as RESTRICTED because of SIM-swap and interception risk
Who to Notify Right Away
- Your IT or security team, and your direct manager
- The CISO or incident response team in a corporate environment
- Contacts who received suspicious messages — they need to know not to click links or respond to financial requests that appeared to come from you
Check for Lateral Exposure
Notification is just one front. If your work email was used to sign in to, or receive password resets for, other platforms, treat each as potentially compromised: credentials and session tokens sourced from your inbox can grant access far beyond email itself.
Review access logs for each of the following:
- Cloud storage (Google Drive, SharePoint, OneDrive)
- HR and payroll platforms
- Financial systems or expense portals
- Any SSO-linked business applications
Each connected system needs its own independent access review before it can be cleared.
How to Investigate a Hacked Work Email: Step-by-Step Guide
Investigation answers four questions: How did the attacker get in? When did access start? What did they read or take? Are they still present? Without all four answers, any remediation is incomplete.

Step 1: Review Full Login and Access History
Microsoft 365: Access the Unified Audit Log through Microsoft Purview or the Search-UnifiedAuditLog PowerShell cmdlet. Standard licensing retains logs for 180 days; E5 licensing extends retention to one year. Look for atypical travel detections — a login from Maryland followed 30 minutes later by a login from Eastern Europe is a reliable sign of credential theft.
Google Workspace: Administrators access login audit events through the Admin Console. Key events to filter for include suspicious_login, login_failure spikes, recovery_email_edit, and email_forwarding_out_of_domain.
Flag any login from an unfamiliar IP, unrecognized device, or impossible geographic combination.
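The impossible-travel check from Step 1 is simple enough to run yourself over an exported sign-in log while waiting for the platform's own risk detections to catch up. The block below is an added example, not code from the page or from any vendor: it takes a simplified, constructed list of sign-ins (user, UTC timestamp, IP, geolocated city and coordinates, the same core fields an Entra ID or Google Workspace export carries), computes the great-circle distance between each user's consecutive logins, and flags any pair that would require travelling faster than an airliner. The 900 km/h ceiling and the 100 km floor are assumptions to tune for your own users.

```python
"""Flag impossible-travel pairs in an exported sign-in log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner speed; tune for your users
MIN_DISTANCE_KM = 100.0     # assumption: ignore geolocation jitter inside one metro area


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime      # timezone-aware UTC
    ip: str
    city: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return (earlier, later, km, kmh) tuples for consecutive sign-ins by the
    same user that would require moving faster than max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(e.user, []).append(e)
    flagged = []
    for seq in by_user.values():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            # Treat anything under one second as one second so speed stays finite.
            hours = max((cur.when - prev.when).total_seconds(), 1.0) / 3600
            kmh = km / hours
            if kmh > max_kmh:
                flagged.append((prev, cur, round(km), round(kmh)))
    return flagged


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed sample: a Maryland user, then a sign-in from Bucharest 30 minutes later,
# then the user's own device again; a second user commuting inside the same metro area.
SAMPLE = [
    SignIn("jdoe@example.com", _t("2025-03-04T13:02:11"), "203.0.113.10", "Rockville, US", 39.084, -77.153),
    SignIn("jdoe@example.com", _t("2025-03-04T13:32:40"), "198.51.100.77", "Bucharest, RO", 44.426, 26.103),
    SignIn("jdoe@example.com", _t("2025-03-04T15:10:02"), "203.0.113.10", "Rockville, US", 39.084, -77.153),
    SignIn("asmith@example.com", _t("2025-03-04T09:00:00"), "203.0.113.12", "Baltimore, US", 39.290, -76.612),
    SignIn("asmith@example.com", _t("2025-03-04T17:30:00"), "203.0.113.12", "Rockville, US", 39.084, -77.153),
]

if __name__ == "__main__":
    for prev, cur, km, kmh in impossible_travel(SAMPLE):
        minutes = int((cur.when - prev.when).total_seconds() // 60)
        print(f"{prev.user}: {prev.city} {prev.when:%H:%M} -> {cur.city} {cur.when:%H:%M} "
              f"({km} km in {minutes} min, ~{kmh} km/h) from {cur.ip}")
```

Both jdoe pairs are flagged (out to Bucharest and back), while the Baltimore-to-Rockville hop is discarded by the distance floor. Keep the IP of the flagged event: it is the pivot for the inbox-rule and mailbox-access checks in the following steps.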
Step 2: Audit Inbox Rules, Forwarding Settings, and Connected Apps
In Microsoft 365, search audit records for New-InboxRule, Set-InboxRule, and Remove-InboxRule events. Use Get-InboxRule to review currently active rules. Microsoft Entra ID Protection classifies both Suspicious inbox forwarding and Suspicious inbox manipulation rules as risk detections worth immediate escalation.
In Google Workspace, filter for the email_forwarding_out_of_domain audit event.
Also audit OAuth-connected third-party apps. An attacker who obtained consent to a malicious app retains access even after you reset your password. This is one of the most persistent footholds in corporate email compromise, and one of the most frequently overlooked.
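The rule characteristics called out under Subtle Technical Signs (external forwarding, auto-delete, near-empty names like "." or "ACH") and the audit operations named in Step 2 can be turned into a triage script. The block below is an added example, not code from the page or from Microsoft. It reads Exchange admin audit records in the shape Search-UnifiedAuditLog emits in its AuditData field (an Operation plus a Parameters array of Name/Value pairs); the field and parameter names are the real ones, while the sample records, the internal domain list, and the keyword list are constructed assumptions.

```python
"""Triage inbox-rule and forwarding changes from Exchange audit records (added example)."""
import json
import re

INTERNAL_DOMAINS = {"example.com"}   # assumption: your organization's own domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "archive", "junk email", "deleted items"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
BEC_KEYWORDS = re.compile(r"\b(invoice|payment|wire|ach|bank|password|mfa|verification|fraud)\b", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def params(record):
    """Flatten the Parameters array into {name: value}; values are strings in the log."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def is_external(value):
    """True if any address in the value (e.g. '[SMTP:x@y]') is outside our domains."""
    return any(addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS
               for addr in EMAIL.findall(value))


def triage_record(record):
    """Return a finding dict for a suspicious rule/forwarding change, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = params(record)
    reasons = []
    for name in sorted(p.keys() & FORWARD_PARAMS):
        if is_external(p[name]):
            reasons.append(f"external forwarding via {name}={p[name]}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder {p['MoveToFolder']!r}")
    conditions = " ".join(p.get(k, "") for k in
                          ("SubjectContainsWords", "BodyContainsWords",
                           "SubjectOrBodyContainsWords", "From"))
    if BEC_KEYWORDS.search(conditions):
        reasons.append(f"targets financial/credential keywords: {conditions.strip()!r}")
    name = p.get("Name", "").strip()
    if "Name" in p and (len(name) <= 3 or name.lower() in {"mail", "rule", "inbox"}):
        reasons.append(f"generic or near-empty rule name {name!r}")
    if not reasons:
        return None
    return {"user": record.get("UserId"), "ip": record.get("ClientIP"),
            "operation": record["Operation"], "rule": name or "(mailbox setting)",
            "reasons": reasons}


def triage(audit_data_lines):
    """Run triage_record over one AuditData JSON document per line."""
    findings = []
    for line in audit_data_lines:
        finding = triage_record(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records in the AuditData shape (values are invented).
SAMPLE_AUDIT = [
    '{"CreationTime":"2025-03-04T13:35:02","Operation":"New-InboxRule","UserId":"jdoe@example.com",'
    '"ClientIP":"198.51.100.77","Parameters":[{"Name":"Name","Value":"."},'
    '{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},'
    '{"Name":"ForwardTo","Value":"[SMTP:collector@mail-archive.example]"},'
    '{"Name":"DeleteMessage","Value":"True"},{"Name":"StopProcessingRules","Value":"True"}]}',
    '{"CreationTime":"2025-02-10T09:12:44","Operation":"New-InboxRule","UserId":"jdoe@example.com",'
    '"ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"Vendor newsletters"},'
    '{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}',
    '{"CreationTime":"2025-02-12T16:40:01","Operation":"Set-Mailbox","UserId":"admin@example.com",'
    '"ClientIP":"203.0.113.10","Parameters":[{"Name":"Identity","Value":"jdoe"},'
    '{"Name":"ForwardingSmtpAddress","Value":"smtp:jdoe.backup@example.com"},'
    '{"Name":"DeliverToMailboxAndForward","Value":"True"}]}',
    '{"CreationTime":"2025-03-04T13:36:19","Operation":"Set-InboxRule","UserId":"jdoe@example.com",'
    '"ClientIP":"198.51.100.77","Parameters":[{"Name":"Name","Value":"ACH"},'
    '{"Name":"BodyContainsWords","Value":"wire transfer;ACH"},{"Name":"MarkAsRead","Value":"True"},'
    '{"Name":"MoveToFolder","Value":"RSS Feeds"}]}',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print(f"{f['user']} {f['operation']} rule={f['rule']!r} from {f['ip']}")
        for r in f["reasons"]:
            print("   -", r)
```

The two rules created from the attacker's IP are reported with four reasons each; the benign newsletter rule and the internal forwarding set by an admin are not. The same classifier applies to the output of Get-InboxRule for rules that are still active, since it exposes the same parameter names.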
Step 3: Identify What Was Accessed or Exfiltrated
This is the step most internal responses skip. In Microsoft 365, the MailItemsAccessed audit action records which messages were accessed, either individually (Bind) or by a client downloading a whole folder (Sync), so you can scope what the attacker could have seen rather than guessing. Two caveats: a record proves access, not that the message was read, and Exchange stops generating MailItemsAccessed records for a mailbox once more than 1,000 are produced within 24 hours, so check the IsThrottled flag before treating the log as complete. Review sent email logs, shared drive download activity, and any calendar or contact data accessed during the suspicious period.
In Google Workspace, Email Log Search in the Admin Console shows message delivery status, labels applied, and deletion events — though it cannot show message contents directly.
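Scoping exposure from MailItemsAccessed means correlating the records to the attacker's sessions and aggregating per folder. The block below is an added example, not code from the page or from Microsoft: it reads constructed records in the AuditData shape (MailAccessType, ClientIPAddress, and a Folders array with Path and, for Bind operations, FolderItems carrying InternetMessageId), filters to the attacker IPs found in Step 1, and reports which folders were synced outright and which individual messages were opened. The sample records and IPs are invented.

```python
"""Scope mailbox exposure from MailItemsAccessed audit records (added example)."""
import json


def norm_ip(value):
    """Strip a ':port' suffix that sometimes appears on IPv4 client addresses."""
    if value and value.count(":") == 1:
        return value.split(":")[0]
    return value or ""


def scope_mail_access(audit_data_lines, attacker_ips):
    """Return ({folder_path: {"bound": set(message ids), "synced": bool}}, throttled)
    for MailItemsAccessed records originating from attacker_ips."""
    summary = {}
    throttled = False
    for line in audit_data_lines:
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        if norm_ip(rec.get("ClientIPAddress")) not in attacker_ips:
            continue
        throttled = throttled or rec.get("IsThrottled") is True
        for folder in rec.get("Folders", []):
            entry = summary.setdefault(folder.get("Path"), {"bound": set(), "synced": False})
            if rec.get("MailAccessType") == "Sync":
                # A sync downloads the folder; assume every message in it is exposed.
                entry["synced"] = True
            else:
                entry["bound"].update(item["InternetMessageId"]
                                      for item in folder.get("FolderItems", []))
    return summary, throttled


def exposure_report(summary, throttled):
    lines = []
    for path, entry in sorted(summary.items()):
        if entry["synced"]:
            lines.append(f"{path}: entire folder synced; {len(entry['bound'])} items also opened individually")
        else:
            lines.append(f"{path}: {len(entry['bound'])} items opened individually")
    if throttled:
        lines.append("WARNING: IsThrottled seen; the audit log is incomplete for this mailbox")
    return lines


# Constructed sample records (AuditData shape; IPs and message ids invented).
SAMPLE_MAIL = [
    r'{"Operation":"MailItemsAccessed","UserId":"jdoe@example.com","ClientIPAddress":"198.51.100.77:51234",'
    r'"MailAccessType":"Bind","IsThrottled":false,"Folders":[{"Path":"\\Inbox","FolderItems":['
    r'{"InternetMessageId":"<a1@example.com>"},{"InternetMessageId":"<a2@example.com>"}]}]}',
    r'{"Operation":"MailItemsAccessed","UserId":"jdoe@example.com","ClientIPAddress":"198.51.100.77",'
    r'"MailAccessType":"Bind","IsThrottled":false,"Folders":[{"Path":"\\Inbox","FolderItems":['
    r'{"InternetMessageId":"<a2@example.com>"},{"InternetMessageId":"<a3@example.com>"}]},'
    r'{"Path":"\\Sent Items","FolderItems":[{"InternetMessageId":"<s1@example.com>"}]}]}',
    r'{"Operation":"MailItemsAccessed","UserId":"jdoe@example.com","ClientIPAddress":"198.51.100.77",'
    r'"MailAccessType":"Sync","IsThrottled":false,"Folders":[{"Path":"\\Inbox"}]}',
    r'{"Operation":"MailItemsAccessed","UserId":"jdoe@example.com","ClientIPAddress":"203.0.113.10",'
    r'"MailAccessType":"Bind","IsThrottled":false,"Folders":[{"Path":"\\Inbox","FolderItems":['
    r'{"InternetMessageId":"<a9@example.com>"}]}]}',
    r'{"Operation":"MailboxLogin","UserId":"jdoe@example.com","ClientIPAddress":"198.51.100.77"}',
]

if __name__ == "__main__":
    summary, throttled = scope_mail_access(SAMPLE_MAIL, {"198.51.100.77"})
    print("\n".join(exposure_report(summary, throttled)))
```

Here the Inbox was synced from the attacker's address, which means every message in it has to be treated as exposed regardless of the three items that were also opened individually; the owner's own access from 203.0.113.10 is excluded. The set of InternetMessageIds is what you hand to whoever assesses which clients or transactions those messages concern.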
Step 4: Trace the Attack Vector
Once you know what was accessed and when, trace how the attacker got in. Cross-reference the timestamp of the first suspicious login with:
- Recent phishing emails the user received (and may have clicked)
- Any credential breach alerts from dark web monitoring
- Unusual OAuth app consent events
- Whether the same credentials were used elsewhere and may have been exposed in a prior breach
Verizon's 2025 DBIR research found compromised credentials were an initial access vector in 22% of breaches. Credential stuffing from prior breach databases is frequently the entry point, not a sophisticated exploit.
Step 5: Preserve and Document Evidence
If this breach may lead to legal action, a regulatory filing, or an insurance claim, screenshots won't hold up. Evidence must meet forensic standards:
- Exported log files with intact metadata (not just screen captures)
- Stored in a secure, access-controlled location separate from the compromised environment
- Documented with a chain of custody record: who collected what, when, under what conditions, and confirmation it was not altered
Per NIST SP 800-86, forensic procedures must support admissibility, which means preservation methodology matters as much as what's preserved.
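A minimal way to satisfy the three evidence requirements above (intact exports, separate storage, documented custody) is a hashed manifest written at collection time and verified before anyone relies on the files. The block below is an added example, not code from the page or from NIST: it hashes every exported file in a directory with SHA-256, records who collected it and when, and can later prove whether any file changed. The collector name, source description, and file contents in the demo are constructed.

```python
"""Evidence manifest with SHA-256 hashes and custody events (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

MANIFEST_NAME = "MANIFEST.json"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, source, notes=""):
    """Hash every file in evidence_dir and write MANIFEST.json beside them.
    Returns (manifest, manifest_sha256); record the latter out of band, e.g. in
    the incident ticket, so the manifest itself cannot be silently rewritten."""
    files = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path) and name != MANIFEST_NAME:
            files.append({"file": name, "bytes": os.path.getsize(path),
                          "sha256": sha256_file(path)})
    now = datetime.now(timezone.utc).isoformat()
    manifest = {"source": source, "notes": notes, "files": files,
                "custody": [{"action": "collected", "by": collector, "at": now}]}
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    with open(os.path.join(evidence_dir, MANIFEST_NAME), "wb") as f:
        f.write(data)
    return manifest, sha256_bytes(data)


def verify_manifest(evidence_dir):
    """Return a list of problems; an empty list means every file is unchanged."""
    with open(os.path.join(evidence_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.exists(path):
            problems.append(f"missing: {entry['file']}")
        elif os.path.getsize(path) != entry["bytes"] or sha256_file(path) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['file']}")
    return problems


def demo():
    """Collect two constructed exports, verify, tamper with one, verify again."""
    d = tempfile.mkdtemp(prefix="evidence-")
    with open(os.path.join(d, "signins.csv"), "w") as f:
        f.write("time,user,ip,city\n2025-03-04T13:32:40Z,jdoe@example.com,198.51.100.77,Bucharest\n")
    with open(os.path.join(d, "inbox_rules.json"), "w") as f:
        f.write('[{"Name":".","ForwardTo":"collector@mail-archive.example"}]\n')
    manifest, manifest_hash = build_manifest(
        d, collector="A. Analyst", source="Entra sign-in and Exchange rule exports for jdoe@example.com")
    before = verify_manifest(d)
    with open(os.path.join(d, "signins.csv"), "a") as f:   # simulate later alteration
        f.write("2025-03-04T13:40:00Z,jdoe@example.com,203.0.113.10,Rockville\n")
    after = verify_manifest(d)
    return before, after, manifest, manifest_hash


if __name__ == "__main__":
    before, after, manifest, manifest_hash = demo()
    print("manifest sha256:", manifest_hash)
    print("before tampering:", before or "OK")
    print("after tampering: ", after)
```

Store the evidence directory on media the compromised environment cannot reach, and append a custody entry (who handled it, when, why) each time it changes hands; the manifest hash recorded in the ticket is what lets a reviewer confirm the manifest itself was not edited.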
Step 6: Report to Relevant Authorities and Assess Compliance Obligations
Depending on what data was exposed, mandatory reporting timelines apply:
| Regulation | Trigger | Timeline |
|---|---|---|
| GDPR Article 33 | Personal data of EU individuals | 72 hours to supervisory authority |
| HIPAA | Unsecured protected health information | 60 calendar days from discovery to affected individuals; HHS within 60 days if 500 or more individuals are affected, otherwise in the annual log |
| California Civil Code 1798.82 | Unencrypted personal information of CA residents | Without unreasonable delay |

Consult legal counsel before making any public statements. If financial fraud occurred, report to the FBI's Internet Crime Complaint Center at IC3.gov.
When to Call a Professional Forensic Investigator
Internal IT teams handle credential resets competently. They are not equipped to conduct forensic investigations — and the distinction matters when evidence needs to hold up in court or before a regulator.
Scenarios That Require Expert Forensics
- Sensitive client data, financial records, or regulated information was likely exfiltrated
- The breach may involve an insider threat rather than an external attacker
- Legal proceedings, regulatory enforcement, or an insurance claim are anticipated
- The organization has no dedicated security team
- Internal findings are inconclusive, contradictory, or incomplete
- The attacker may have created a persistent backdoor that survived remediation
What Professional Investigators Bring
Prudential Associates' certified forensic investigators hold credentials including GCFA, GCIH, CFCE, EnCE, CISSP, GREM, GNFA, and OSCP — among 30+ professional certifications spanning digital forensics, cybersecurity, and cyber crime investigation.
The team includes former FBI special agents, former CIA officials, and former U.S. State Department officials. That background brings law enforcement investigative methodology to forensic examinations, not just technical analysis.
That combination of credentials and investigative experience translates directly to case outcomes:
- Recover deleted email artifacts and reconstruct attacker activity timelines
- Determine definitively whether the attacker is still present or has created persistence mechanisms
- Collect evidence using forensically sound methods that support admissibility
- Provide expert witness testimony at local, state, and federal levels — CEO Jared Stern alone has testified as a digital forensics expert and fact witness on more than 500 occasions
Prudential Associates' April 2026 partnership with CrowdStrike adds real-time endpoint telemetry and advanced threat intelligence to their incident response capabilities. Combined with more than five decades serving corporate clients, government agencies, and the legal community, the firm approaches every engagement with both the investigative discipline and legal awareness that sensitive cases require.
How to Prevent Future Work Email Compromises
Technical Controls Worth Deploying
- Phishing-resistant MFA: FIDO2/WebAuthn security keys or passkeys. CISA recommends phishing-resistant MFA as the standard; app-based one-time codes and push prompts are better than SMS but can still be captured by a proxying login page
- Email authentication protocols: SPF, DKIM, and DMARC stop exact-domain spoofing of your own domains. Publish DMARC at p=none to collect reports first, then move to quarantine and reject. None of the three protects against lookalike domains or mail sent from a compromised account, which passes all of them
- Anomalous login monitoring — SIEM alerts or audit log rules that flag impossible travel, unusual sending volumes, or off-hours access before damage occurs
- OAuth app governance — periodic review of all third-party apps with access to corporate email, with revocation of any that are unrecognized or no longer needed
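The email authentication item above is the one control in this list whose weak and corrected forms are visible in a single DNS record. The block below is an added example, not code from the page or from any vendor: it evaluates already-fetched SPF and DMARC TXT records offline (pull them with dig or your DNS console), flagging a monitoring-only DMARC policy, partial enforcement, missing reporting, and SPF records that end in a permissive qualifier or exceed the ten-lookup limit from RFC 7208. The sample records are constructed.

```python
"""Evaluate SPF and DMARC TXT records for weak settings (added example)."""
import re

MECH = re.compile(r"^[+\-~?]?([a-z0-9]+)", re.I)
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # each costs a DNS lookup


def parse_tags(txt):
    """Parse 'k=v; k=v' tag records (DMARC style) into a lowercase-key dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(txt):
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("p=none: spoofed mail is still delivered; the policy only reports")
    elif p not in ("quarantine", "reject"):
        findings.append("missing or invalid p tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not being collected")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains are left unprotected")
    return findings


def assess_spf(txt):
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    names = [MECH.match(t).group(1).lower() for t in terms[1:] if MECH.match(t)]
    all_terms = [t for t, n in zip(terms[1:], names) if n == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: any host on the internet may send as this domain")
        elif qualifier == "?":
            findings.append("?all: neutral result, spoofed mail neither passes nor fails")
    lookups = sum(1 for n in names if n in LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms: exceeds the RFC 7208 limit of 10, SPF will permerror")
    if "ptr" in names:
        findings.append("ptr mechanism: deprecated and slow; replace with ip4/ip6 or include")
    return findings


# Constructed records: a weak and a hardened form of each.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 a mx include:_spf.example.net ?all"
HARDENED_SPF = "v=spf1 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, rec, fn in [("weak DMARC", WEAK_DMARC, assess_dmarc),
                           ("hardened DMARC", HARDENED_DMARC, assess_dmarc),
                           ("weak SPF", WEAK_SPF, assess_spf),
                           ("hardened SPF", HARDENED_SPF, assess_spf)]:
        print(f"{label}: {fn(rec) or 'no findings'}")
```

p=none is the right place to start, but only while you are reading the aggregate reports and fixing legitimate senders; a domain that stays there indefinitely has documentation of its spoofing problem and no protection from it.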
The Human Layer
Verizon's 2024 DBIR found that 68% of breaches involved a non-malicious human element. No technical control eliminates this. SANS Institute data shows organizations typically see 25–30% click rates on a first phishing simulation, dropping to under 5% after 9–18 months of consistent training. That improvement represents a measurable reduction in organizational risk.

Simulated phishing campaigns, combined with clear reporting protocols and a defined incident response playbook, convert employees from a passive vulnerability into an active detection layer. That shift in posture also shapes what your ongoing hygiene program needs to sustain.
Ongoing Hygiene
- Dark web credential monitoring to catch exposed passwords before attackers exploit them — Prudential Associates provides this as a continuous service, alerting organizations when corporate credentials surface on underground markets, forums, or paste sites
- Periodic audit of connected app permissions across all corporate email accounts
- A documented incident response playbook so employees know what to do — and what not to do — in the first hour
Frequently Asked Questions
Who should I contact if my email has been hacked?
Notify your IT or security team and direct manager immediately, then escalate to the CISO or incident response team. If client data or regulated information may have been exposed, involve legal counsel before making any external statements. Organizations without a dedicated security team should engage a professional forensic investigator promptly.
Is there a way to check if your email has been hacked?
Review your email provider's login history for unfamiliar IP addresses, devices, or geographic locations. Check inbox rules and forwarding settings for unauthorized changes. Run your email address through a breach monitoring service to see if your credentials have appeared in known data breach databases.
Can email hackers be traced?
Yes, attackers can frequently be traced through IP address logs, device fingerprints, login timestamps, and email header metadata. Sophisticated attackers use VPNs or proxies to obscure origin, but forensic investigators can correlate multiple data points across log sources and, in some cases, attribute the activity to a known threat actor.
What happens if a hacker gets into my work email?
The attacker may read and exfiltrate sensitive communications, impersonate you to redirect wire transfers or request gift cards, harvest credentials to linked accounts, establish persistent forwarding for ongoing surveillance, or sell account credentials on dark web markets. Containing access quickly limits scope — a forensic review can determine what was exposed and for how long.
Should I report a hacked work email to law enforcement or HR?
Report to law enforcement — including the FBI's IC3 at complaint.ic3.gov — if the breach involved financial fraud, data theft, or extortion. Notify HR when an insider threat is suspected or employee data was compromised. Legal counsel should confirm whether the breach triggers mandatory regulatory notification requirements.