Email Account Hacked? What to Do Immediately

by | Jul 15, 2026 | Email, Google, Phishing, Scams and Spoofs, Spam, Technical Help

A Dangerous Message From Someone I Knew

Devil phishing emailAn alarming message appeared in my Microsoft email quarantine this morning leading me to think, “Uh-oh, email account hacked.”

It claimed a longtime CharlesWorks client had shared a document through ScreenConnect.

However, the message contained what appeared to be a phishing or malware payload.

The sender’s address belonged to someone I knew and trusted.

That detail made the message more dangerous, not less dangerous.

Many people assume a familiar sender makes an email safe.

Unfortunately, criminals understand that assumption very well.

Therefore, they often attack real email accounts before targeting the account owner’s contacts.

My Experience With Suspicious Email

I started CharlesWorks on June 15, 1998.

Since then, I have examined countless spam, phishing, and malware messages.

I have also seen attackers use nearly every imaginable trick.

Some attacks use forged addresses.

Others use look-alike domain names.

However, the most convincing attacks come through real, compromised accounts.

Those messages pass many authentication tests because the actual provider sent them.

Consequently, the recipient sees a familiar name and lowers their guard.

Why I Examined the Headers

The visible sender name never tells the entire story.

Anyone can type a name into an email program.

Likewise, criminals can sometimes forge the visible sender address.

Therefore, I examined the complete internet headers.

Email headers record how a message traveled between servers.

They also show whether important authentication tests passed.

However, headers require careful reading and proper interpretation.

One passing test never guarantees that a message contains safe material.

The First Warning Signs

The subject claimed my client shared a document through ScreenConnect.

However, I had no reason to expect that document.

The message also used “undisclosed recipients” and placed me under blind carbon copy.

That arrangement often appears during mass-mailing attacks.

Additionally, Microsoft had already placed the message in quarantine.

Therefore, I never opened its link or interacted with its payload.

Instead, I examined the headers while keeping the message contained.

I Followed the Received Lines

Every receiving mail server normally adds a “Received” line.

Those lines create a trail through the mail system.

I read that trail from the oldest entry upward.

The earliest meaningful server belonged to Google.

Microsoft then received the message directly from Google’s mail infrastructure.

Therefore, an unrelated outside server had not simply forged a Gmail address.

The message had traveled through Gmail’s actual sending system.

Sender Policy Framework Passed

The headers showed that Sender Policy Framework passed.

Sender Policy Framework identifies servers authorized to send for a domain.

Google’s server had permission to send mail using the Gmail domain.

Therefore, the message did not originate from an unauthorized random mail server.

However, this result only authenticated the Gmail domain.

It did not prove that my client personally created the message.

DomainKeys Identified Mail Passed

DomainKeys Identified Mail also passed.

This system adds a cryptographic signature to outgoing email.

The receiving system checks that signature against the sending domain’s public information.

In this case, Microsoft successfully verified Gmail’s signature.

Therefore, the message remained intact after Gmail signed it.

Again, that result confirmed Gmail’s involvement.

It did not make the message harmless.

Domain-Based Authentication Passed

Domain-based Message Authentication, Reporting, and Conformance also passed.

People usually shorten that long name to DMARC.

DMARC checks whether other authentication results align with the visible sender’s domain.

Here, the Gmail identity aligned correctly.

Microsoft’s composite authentication also passed.

Therefore, the visible Gmail sender and authenticated Gmail delivery matched properly.

The Return Path Also Matched

The return path matched the client’s Gmail address.

A return path tells mail systems where delivery failures should travel.

Attackers sometimes use an unrelated return path during basic spoofing.

However, this message used the same specific Gmail address.

That detail added another important piece of evidence.

Gmail Created the Message Identifier

The message identifier ended with mail.gmail.com.

Gmail commonly creates identifiers using that format.

The headers also contained several internal Google mail fields.Email Account Hacked? What to Do Immediately

Those fields included Google message-state and Gmail feature information.

Individually, those details would not prove account misuse.

Together, however, they formed a strong and consistent pattern.

What the Authentication Results Actually Proved

The results showed that Gmail transmitted and authenticated the message.

They strongly suggested someone used the real account or authorized access.

Therefore, I believed the warning deserved immediate attention.

However, I could not prove someone had stolen the actual password.

Email headers cannot reveal every access method.

Someone could use a saved session without knowing the password.

Likewise, a connected application could send through an authorized access token.

Malware could also control an already signed-in browser.

Therefore, I treated the entire Google account as potentially compromised.

Microsoft Still Found the Message Dangerous

Authentication and safety represent two different questions.

Authentication asks whether the sending system legitimately handled the message.

Content scanning asks whether the message appears dangerous.

In this case, Gmail authentication passed.

However, Microsoft gave the message a Spam Confidence Level of 9.

Microsoft considers levels seven through nine high-confidence spam.

Microsoft also marked the threat category as anti-malware.

Therefore, the sender appeared authentic while the message itself appeared dangerous.

That combination commonly occurs after an account takeover.

I Contacted the Client Separately

I did not reply to the suspicious message.

A criminal controlling the account might receive that reply.

Instead, I contacted the client through a separate, trusted method.

Whenever possible, use a known telephone number.

You could also use an established text conversation.

However, never use contact information contained inside the suspicious message.

I explained what I had found and recommended immediate security steps.

Step One: Do Not Click Anything

Do not click links inside the suspicious message.

Also, do not open attachments or call listed telephone numbers.

An attacker may create a convincing password-reset page.

That page could steal the replacement password immediately.

Instead, open the provider’s website manually.

Use a trusted bookmark whenever possible.

Step Two: Use a Trusted Device

Secure the account from a trusted device.

Ideally, use a different computer or mobile device.

That precaution helps when the original device contains malware.

Also, update the device before starting recovery.

Install available operating system, browser, and security updates.

Then run a complete malware scan.

Step Three: Change the Password Immediately

Create a completely new password.

Do not reuse an older password.

Also, do not add one number to the old password.

Use a long and unique password instead.

A password manager can create and store strong passwords.

Google also recommends unique passwords for every account.

Never reuse the new password anywhere else.

Step Four: Review Recent Security Events

Open the Google Account security area.

Then review recent security events.

Look for unfamiliar logins, devices, password changes, or recovery changes.

Mark unauthorized activity as unrecognized.

Google provides guided steps after suspicious activity gets reported.

Review every event carefully.

Do not assume a familiar location guarantees safe activity.

Internet providers sometimes show nearby or inaccurate locations.

Step Five: Review Every Signed-In Device

Open the “Your devices” section.

Then select “Manage all devices.”

Google shows devices currently signed into the account.

It also shows recently active sessions.

Sign out every device you do not recognize.

When uncertain, sign out that session.

The legitimate owner can always sign back in later.

Step Six: Enable Two-Step Verification

Turn on two-step verification immediately.

Two-step verification adds another barrier beyond the password.

Prefer a security key, passkey, or authentication prompt.

Text messages provide some protection, but stronger methods exist.

Also, save backup recovery codes somewhere secure.

Never store those codes inside the same email account.

Step Seven: Check Recovery Information

Review the recovery telephone number.

Next, review the recovery email address.

Attackers often replace these details after gaining access.

Therefore, remove every unknown number or address.

Make sure the correct owner controls each recovery method.

Google includes recovery information within its security recommendations.

Step Eight: Remove Suspicious Connected Applications

Changing the password may not remove every connected application.

Some applications receive separate permission to access Google information.

Therefore, review all third-party connections.

Remove anything unfamiliar, unnecessary, or suspicious.

A connected application may read, create, modify, or delete account information.

When uncertain, remove the connection.

The legitimate application can request permission again later.

Step Nine: Review Gmail Forwarding

Open Gmail settings on a computer.

Then choose “See all settings.”

Review the forwarding settings carefully.

Attackers sometimes forward incoming messages to their own address.

That access lets them watch password resets and private conversations.

Remove every forwarding address the owner did not create.

Google confirms that Gmail can automatically forward messages elsewhere.

Step Ten: Inspect Every Email Filter

Open the “Filters and Blocked Addresses” section.

Review every filter listed there.

Attackers may create filters that hide security warnings.

For example, a filter could delete messages from Google automatically.

Another filter could archive password-reset notices.

Some filters can also forward selected messages elsewhere.

Therefore, delete every suspicious or unexplained filter.

Step Eleven: Check Delegated Access

Gmail allows an account owner to grant access to delegates.

A delegate can read, send, and delete email.

Therefore, review the account delegation section.

Remove any person the owner does not recognize.

Delegated access can remain dangerous even after changing the password.

Step Twelve: Review “Send Mail As”

Open the “Accounts and Import” settings.

Then review the “Send mail as” section.​_

Remove unfamiliar addresses or aliases.

Also, inspect any unexpected reply-to address.

An attacker could redirect replies without changing the visible sender.

Google provides controls for removing unauthorized sending addresses.

Step Thirteen: Examine Sent Mail

Review the Sent folder.

Look for messages the owner never created.

Also, check Trash, Spam, Drafts, and Scheduled messages.

Attackers sometimes delete sent messages after distributing their attack.

However, deleted copies may remain in Trash temporarily.

Search for repeated subjects, unfamiliar links, or mass-mailing patterns.

Step Fourteen: Review Browser Extensions

Malicious browser extensions can read page content.

Some extensions can also control Gmail sessions.

Therefore, remove unnecessary or unfamiliar browser extensions.

Do not trust an extension merely because it looks useful.

Also, check every browser installed on the device.

Then review recently installed applications.

Step Fifteen: Change Reused Passwords

The victim must change passwords on other affected accounts.

This step becomes critical when passwords were reused.

Start with banking, shopping, payment, hosting, and social accounts.

Then secure cloud storage and business services.

Use a different password for every account.

Also, enable two-step verification wherever available.

Step Sixteen: Warn Recent Contacts

Attackers often target the victim’s contact list quickly.

Therefore, warn customers, friends, relatives, and coworkers.

Tell them not to open recent unexpected attachments.

Also, tell them not to follow recent document-sharing links.

Keep the warning simple and direct.

Do not resend the dangerous link while explaining the problem.

Step Seventeen: Check Business Accounts

A compromised email account can unlock other business systems.

Attackers may request password resets through email.

They may target domain names, websites, financial services, or advertising accounts.

Therefore, review every important service connected to that email address.

Look for changed users, added administrators, or altered recovery details.

Also, inspect recent transactions and login histories.

What Recipients Should Do

Suppose you receive a suspicious message from someone you know.

Do not assume that person intentionally sent it.

Also, do not accuse them publicly.

Instead, contact them privately through another method.

Report the message as phishing.

Then leave it quarantined or delete it.

Never release a dangerous message simply because the sender looks familiar.

What to Do After Clicking

Act immediately after clicking a suspicious link.

First, disconnect from the suspicious page.

Next, change any password entered there.

Use a trusted device for that change.

Then enable two-step verification.

Also, review account sessions and connected applications.

If you downloaded a file, do not open it.

Instead, scan the device and seek qualified technical help.

What to Do After Opening an Attachment

Opening an attachment creates additional risks.

Disconnect the device from the network when malware may be running.

Then contact a trusted technical professional.

Do not continue using sensitive accounts from that device.

Also, do not copy questionable files onto other computers.

A professional may need to preserve information before cleaning the system.

Why Real-Account Phishing Works

Real-account phishing defeats one important layer of suspicion.

The message arrives from an actual friend, client, or coworker.

Authentication tests may pass.

The recipient may also recognize the sender’s photograph.

Therefore, the recipient feels safe before reading the message carefully.

Criminals exploit trust instead of defeating every security system.

Authentication Does Not Mean Harmless

Sender authentication remains extremely important.

It helps identify many forged messages.

However, authentication cannot determine the sender’s intentions.

A criminal using a real account can send fully authenticated malware.

Therefore, recipients must evaluate both identity and content.

Unexpected requests always deserve caution.

That rule applies even when every authentication test passes.

Password Changes May Not Finish the Job

Many people stop after changing the password.

Unfortunately, that action may leave other access behind.

Connected applications may retain authorization.

Active sessions may also remain available.

Forwarding rules can continue leaking messages.

Delegates and aliases may survive unnoticed.

Therefore, victims must review the entire account configuration.

Watch the Account After Recovery

Continue monitoring the account for several weeks.

Watch for unfamiliar security alerts.

Also, review sent messages and login activity.

Ask contacts whether they received additional suspicious messages.

Attackers sometimes return through access the owner missed.

Therefore, another warning deserves immediate attention.

Document What Happened

Save useful information before deleting everything.

Record the date and approximate time.

Also, record suspicious subject lines and affected recipients.

Keep the complete headers when possible.

However, never preserve dangerous attachments on everyday computers.

Good records can help technical professionals understand the incident.

Do Not Feel Embarrassed

Account takeovers happen to intelligent and careful people.

Criminals use pressure, deception, stolen information, and technical tricks.

Therefore, embarrassment only delays recovery.

Fast action matters much more than blame.

Report the problem and secure the account immediately.

Then warn everyone who may face danger.

What This Incident Taught Again

After more than 28 years in this industry, one lesson remains constant.

A familiar sender does not guarantee a safe email.

In this case, the headers strongly indicated genuine Gmail transmission.

However, Microsoft still recognized the dangerous content.

That combination strongly suggested unauthorized account use.

Therefore, contacting the client immediately made sense.

Final Email Security Advice

Treat every unexpected attachment or document link carefully.

Verify unusual requests through another communication method.

Use unique passwords and two-step verification.

Review connected applications regularly.

Also, keep computers and browsers updated.

Most importantly, never confuse successful authentication with trustworthy content.

A message can come from a real account and still cause serious harm.

CLICK HERE to find your domain name!   CLICK HERE to transfer your domain name!

Archives

Tags

24 hour (1) Accessibility (2) Accounting (1) Advertising (20) AdWare (1) Alex Johnson (2) Alignment (1) Android (2) Anti-Virus (1) Antivirus (1) Antrim Computer Repair and Service (3) APC Back-UPS (1) Appearance (2) Apple Mail (4) Apple Mobile Mail (2) Attachments (1) Audit (1) Authorized (1) Autoresponder (5) Availability (1) Backups (1) Badges (3) Bank Account (1) Bank Statement (1) Battery Backup (2) Better Business Bureau (3) Bob Hill (1) Bookkeeper (1) Branding (14) Budget (2) Business (34) Business Management (1) Catalog (1) Categories (1) Charles Oropallo (1) CharlesWorks (43) Cherryl Jensen (1) Chrome (1) CleanTalk (1) Cloud (1) Code (2) Communicating (1) Competition (1) Computer (2) Computer Cache (1) Computer Hardware (1) Computer Security (2) Constant Contact (1) Consultation (1) Contact Information (2) Content (1) Content Management (41) Content Management System (1) Copiers (1) Copy Machine (1) Coronavirus (2) Courteous (1) COVID-19 (3) Credibility (11) Credit Card (1) Credit Card Processing (1) CSS (9) Customer Service (2) Database (1) Debian (1) Design (52) Design Expertise (1) Desktop (1) Dialup (1) DirectAdmin (4) Directions (1) DIVI (7) DNS (2) Do-it-Yourself (1) Documentation (1) Domain Expiration (1) Domains (24) Domain Transfers (5) E-Commerce (1) ecommerce (1) Elementor (1) Email (74) Email Lists (5) Email Management (6) Email marketing (4) Etiquette (3) Eudora 6 (1) Exchange (1) Expanding (1) Expiring Domains (1) Facebook (2) Financial (1) Finish (1) Firefox (1) Fonts (1) Forms (2) Forms Protection (1) Fraud (2) Galaxy S4 (1) General Info (1) Gmail (1) GoDaddy (1) Google (1) Google Adwords Certified Partner (1) Google Chrome (2) Groups (1) Happy Holidays (1) Hardware Help (1) Hill Specialty Networks (1) Hosting (1) Images (1) IMAP (1) include (1) Infected (1) Information (38) insert pages (1) Internet Browsing Errors (1) Internet Consultant (1) Internet Explorer (1) Joomla! (1) Keywords (2) Laptop (1) Legibility (1) Linux (14) Logging on (1) Macintosh (1) Mail 6.0 (1) Mail 2011 (2) Make-Over (1) Malicious (1) Malware (1) Marketing (11) Matt Burke (3) MDaemon (3) MelbourneIT (2) menu (1) Merchant (1) meta (1) Microsoft (1) Microsoft Edge (1) Microsoft Hosted Exchange (5) Microsoft Live (2) Mobile Email Setup (1) Monadnock Region (1) Mozilla Firefox (2) MySQL (1) Nathan Wesley (1) Netscape (1) Netscape Messenger (1) Office Copiers (1) OfficeLive (1) Online (1) Outlook (10) Outlook 2010 (2) Outlook Express (1) PayPal (1) Pay Per Click (2) PC (1) Personal (1) Peter Harris (1) Peter Harris Creative (1) Phishing (2) PHP (3) pixel (1) plugins (1) Pop Email (1) Popularity (1) Portfolio (1) Power Grid Failure (1) PPC (1) Prevent Fraud (1) Privacy (1) Private (1) Product (6) products (1) Professional (6) Projects (2) Protect (1) Protection (1) QR codes (1) Quality (2) QuickBooks (1) Reconciliation (1) Reduce Risk (1) Register (1) Reliability (2) Renew (1) Reseller (2) Resolution (1) Restrict User Access (1) Results (1) Review (2) Risk (1) Robin Snow (1) Roundcube (1) Safe (1) Samsung (2) Scam (27) Scammer (26) Search (1) Search and Replace (1) Search Engine Optimization (SEO) (23) Security (35) Security Risk (1) Selling (1) Servers (2) Service (11) Shopping Cart (1) Site (1) SmarterMail (9) Social Engineering (1) Social Networking (1) Software (1) solar flares (1) Solutions for Today (1) Spam (1) Spam Filtering (18) Spammer (1) Spyware (2) SquirrelMail (1) SSL (9) Statistics (2) Stats (2) Stone Pond Technology (1) Storage (1) Support (1) Tablet (1) Target Market (1) Technical Help (1) Testimonials (11) The CW Corner (1) Thom Little (1) Thom Little Associates (1) Thunderbird (3) Thunderbird 10 (2) TLD (1) Topic (1) Top Level Domains (3) Transaction (2) Transfer Data (1) Transfer Funds (1) Typography (1) Update (2) Uploading (1) UPS System (2) Up to Date (1) Virtualmin (1) Virus (2) Viruses (1) Vista (1) Web (1) Web-Over (1) Web Development (112) Web Hoster (1) Web Hosting (2) Web Hosting Company (1) Webmail (8) Web Mail (1) Webmaster (10) Webmin (1) Web Presence (30) Website (121) Website Development (1) websites (2) Web Stats (1) Web terms (1) Web Writing (1) Windows 7 (2) Windows Mail (6) Windows XP (1) WooCommerce (7) WordPress (94) WordPress Updates (1) Working Remote (2) Writing (1) YouTube (1)

Protected by Security by CleanTalk and CleanTalk Anti-Spam