A Dangerous Message From Someone I Knew
An alarming message appeared in my Microsoft email quarantine this morning leading me to think, “Uh-oh, email account hacked.”
It claimed a longtime CharlesWorks client had shared a document through ScreenConnect.
However, the message contained what appeared to be a phishing or malware payload.
The sender’s address belonged to someone I knew and trusted.
That detail made the message more dangerous, not less dangerous.
Many people assume a familiar sender makes an email safe.
Unfortunately, criminals understand that assumption very well.
Therefore, they often attack real email accounts before targeting the account owner’s contacts.
My Experience With Suspicious Email
I started CharlesWorks on June 15, 1998.
Since then, I have examined countless spam, phishing, and malware messages.
I have also seen attackers use nearly every imaginable trick.
Some attacks use forged addresses.
Others use look-alike domain names.
However, the most convincing attacks come through real, compromised accounts.
Those messages pass many authentication tests because the actual provider sent them.
Consequently, the recipient sees a familiar name and lowers their guard.
Why I Examined the Headers
The visible sender name never tells the entire story.
Anyone can type a name into an email program.
Likewise, criminals can sometimes forge the visible sender address.
Therefore, I examined the complete internet headers.
Email headers record how a message traveled between servers.
They also show whether important authentication tests passed.
However, headers require careful reading and proper interpretation.
One passing test never guarantees that a message contains safe material.
The First Warning Signs
The subject claimed my client shared a document through ScreenConnect.
However, I had no reason to expect that document.
The message also used “undisclosed recipients” and placed me under blind carbon copy.
That arrangement often appears during mass-mailing attacks.
Additionally, Microsoft had already placed the message in quarantine.
Therefore, I never opened its link or interacted with its payload.
Instead, I examined the headers while keeping the message contained.
I Followed the Received Lines
Every receiving mail server normally adds a “Received” line.
Those lines create a trail through the mail system.
I read that trail from the oldest entry upward.
The earliest meaningful server belonged to Google.
Microsoft then received the message directly from Google’s mail infrastructure.
Therefore, an unrelated outside server had not simply forged a Gmail address.
The message had traveled through Gmail’s actual sending system.
Sender Policy Framework Passed
The headers showed that Sender Policy Framework passed.
Sender Policy Framework identifies servers authorized to send for a domain.
Google’s server had permission to send mail using the Gmail domain.
Therefore, the message did not originate from an unauthorized random mail server.
However, this result only authenticated the Gmail domain.
It did not prove that my client personally created the message.
DomainKeys Identified Mail Passed
DomainKeys Identified Mail also passed.
This system adds a cryptographic signature to outgoing email.
The receiving system checks that signature against the sending domain’s public information.
In this case, Microsoft successfully verified Gmail’s signature.
Therefore, the message remained intact after Gmail signed it.
Again, that result confirmed Gmail’s involvement.
It did not make the message harmless.
Domain-Based Authentication Passed
Domain-based Message Authentication, Reporting, and Conformance also passed.
People usually shorten that long name to DMARC.
DMARC checks whether other authentication results align with the visible sender’s domain.
Here, the Gmail identity aligned correctly.
Microsoft’s composite authentication also passed.
Therefore, the visible Gmail sender and authenticated Gmail delivery matched properly.
The Return Path Also Matched
The return path matched the client’s Gmail address.
A return path tells mail systems where delivery failures should travel.
Attackers sometimes use an unrelated return path during basic spoofing.
However, this message used the same specific Gmail address.
That detail added another important piece of evidence.
Gmail Created the Message Identifier
The message identifier ended with mail.gmail.com.
Gmail commonly creates identifiers using that format.
The headers also contained several internal Google mail fields.Email Account Hacked? What to Do Immediately
Those fields included Google message-state and Gmail feature information.
Individually, those details would not prove account misuse.
Together, however, they formed a strong and consistent pattern.
What the Authentication Results Actually Proved
The results showed that Gmail transmitted and authenticated the message.
They strongly suggested someone used the real account or authorized access.
Therefore, I believed the warning deserved immediate attention.
However, I could not prove someone had stolen the actual password.
Email headers cannot reveal every access method.
Someone could use a saved session without knowing the password.
Likewise, a connected application could send through an authorized access token.
Malware could also control an already signed-in browser.
Therefore, I treated the entire Google account as potentially compromised.
Microsoft Still Found the Message Dangerous
Authentication and safety represent two different questions.
Authentication asks whether the sending system legitimately handled the message.
Content scanning asks whether the message appears dangerous.
In this case, Gmail authentication passed.
However, Microsoft gave the message a Spam Confidence Level of 9.
Microsoft considers levels seven through nine high-confidence spam.
Microsoft also marked the threat category as anti-malware.
Therefore, the sender appeared authentic while the message itself appeared dangerous.
That combination commonly occurs after an account takeover.
I Contacted the Client Separately
I did not reply to the suspicious message.
A criminal controlling the account might receive that reply.
Instead, I contacted the client through a separate, trusted method.
Whenever possible, use a known telephone number.
You could also use an established text conversation.
However, never use contact information contained inside the suspicious message.
I explained what I had found and recommended immediate security steps.
Step One: Do Not Click Anything
Do not click links inside the suspicious message.
Also, do not open attachments or call listed telephone numbers.
An attacker may create a convincing password-reset page.
That page could steal the replacement password immediately.
Instead, open the provider’s website manually.
Use a trusted bookmark whenever possible.
Step Two: Use a Trusted Device
Secure the account from a trusted device.
Ideally, use a different computer or mobile device.
That precaution helps when the original device contains malware.
Also, update the device before starting recovery.
Install available operating system, browser, and security updates.
Then run a complete malware scan.
Step Three: Change the Password Immediately
Create a completely new password.
Do not reuse an older password.
Also, do not add one number to the old password.
Use a long and unique password instead.
A password manager can create and store strong passwords.
Google also recommends unique passwords for every account.
Never reuse the new password anywhere else.
Step Four: Review Recent Security Events
Open the Google Account security area.
Then review recent security events.
Look for unfamiliar logins, devices, password changes, or recovery changes.
Mark unauthorized activity as unrecognized.
Google provides guided steps after suspicious activity gets reported.
Review every event carefully.
Do not assume a familiar location guarantees safe activity.
Internet providers sometimes show nearby or inaccurate locations.
Step Five: Review Every Signed-In Device
Open the “Your devices” section.
Then select “Manage all devices.”
Google shows devices currently signed into the account.
It also shows recently active sessions.
Sign out every device you do not recognize.
When uncertain, sign out that session.
The legitimate owner can always sign back in later.
Step Six: Enable Two-Step Verification
Turn on two-step verification immediately.
Two-step verification adds another barrier beyond the password.
Prefer a security key, passkey, or authentication prompt.
Text messages provide some protection, but stronger methods exist.
Also, save backup recovery codes somewhere secure.
Never store those codes inside the same email account.
Step Seven: Check Recovery Information
Review the recovery telephone number.
Next, review the recovery email address.
Attackers often replace these details after gaining access.
Therefore, remove every unknown number or address.
Make sure the correct owner controls each recovery method.
Google includes recovery information within its security recommendations.
Step Eight: Remove Suspicious Connected Applications
Changing the password may not remove every connected application.
Some applications receive separate permission to access Google information.
Therefore, review all third-party connections.
Remove anything unfamiliar, unnecessary, or suspicious.
A connected application may read, create, modify, or delete account information.
When uncertain, remove the connection.
The legitimate application can request permission again later.
Step Nine: Review Gmail Forwarding
Open Gmail settings on a computer.
Then choose “See all settings.”
Review the forwarding settings carefully.
Attackers sometimes forward incoming messages to their own address.
That access lets them watch password resets and private conversations.
Remove every forwarding address the owner did not create.
Google confirms that Gmail can automatically forward messages elsewhere.
Step Ten: Inspect Every Email Filter
Open the “Filters and Blocked Addresses” section.
Review every filter listed there.
Attackers may create filters that hide security warnings.
For example, a filter could delete messages from Google automatically.
Another filter could archive password-reset notices.
Some filters can also forward selected messages elsewhere.
Therefore, delete every suspicious or unexplained filter.
Step Eleven: Check Delegated Access
Gmail allows an account owner to grant access to delegates.
A delegate can read, send, and delete email.
Therefore, review the account delegation section.
Remove any person the owner does not recognize.
Delegated access can remain dangerous even after changing the password.
Step Twelve: Review “Send Mail As”
Open the “Accounts and Import” settings.
Then review the “Send mail as” section._
Remove unfamiliar addresses or aliases.
Also, inspect any unexpected reply-to address.
An attacker could redirect replies without changing the visible sender.
Google provides controls for removing unauthorized sending addresses.
Step Thirteen: Examine Sent Mail
Review the Sent folder.
Look for messages the owner never created.
Also, check Trash, Spam, Drafts, and Scheduled messages.
Attackers sometimes delete sent messages after distributing their attack.
However, deleted copies may remain in Trash temporarily.
Search for repeated subjects, unfamiliar links, or mass-mailing patterns.
Step Fourteen: Review Browser Extensions
Malicious browser extensions can read page content.
Some extensions can also control Gmail sessions.
Therefore, remove unnecessary or unfamiliar browser extensions.
Do not trust an extension merely because it looks useful.
Also, check every browser installed on the device.
Then review recently installed applications.
Step Fifteen: Change Reused Passwords
The victim must change passwords on other affected accounts.
This step becomes critical when passwords were reused.
Start with banking, shopping, payment, hosting, and social accounts.
Then secure cloud storage and business services.
Use a different password for every account.
Also, enable two-step verification wherever available.
Step Sixteen: Warn Recent Contacts
Attackers often target the victim’s contact list quickly.
Therefore, warn customers, friends, relatives, and coworkers.
Tell them not to open recent unexpected attachments.
Also, tell them not to follow recent document-sharing links.
Keep the warning simple and direct.
Do not resend the dangerous link while explaining the problem.
Step Seventeen: Check Business Accounts
A compromised email account can unlock other business systems.
Attackers may request password resets through email.
They may target domain names, websites, financial services, or advertising accounts.
Therefore, review every important service connected to that email address.
Look for changed users, added administrators, or altered recovery details.
Also, inspect recent transactions and login histories.
What Recipients Should Do
Suppose you receive a suspicious message from someone you know.
Do not assume that person intentionally sent it.
Also, do not accuse them publicly.
Instead, contact them privately through another method.
Report the message as phishing.
Then leave it quarantined or delete it.
Never release a dangerous message simply because the sender looks familiar.
What to Do After Clicking
Act immediately after clicking a suspicious link.
First, disconnect from the suspicious page.
Next, change any password entered there.
Use a trusted device for that change.
Then enable two-step verification.
Also, review account sessions and connected applications.
If you downloaded a file, do not open it.
Instead, scan the device and seek qualified technical help.
What to Do After Opening an Attachment
Opening an attachment creates additional risks.
Disconnect the device from the network when malware may be running.
Then contact a trusted technical professional.
Do not continue using sensitive accounts from that device.
Also, do not copy questionable files onto other computers.
A professional may need to preserve information before cleaning the system.
Why Real-Account Phishing Works
Real-account phishing defeats one important layer of suspicion.
The message arrives from an actual friend, client, or coworker.
Authentication tests may pass.
The recipient may also recognize the sender’s photograph.
Therefore, the recipient feels safe before reading the message carefully.
Criminals exploit trust instead of defeating every security system.
Authentication Does Not Mean Harmless
Sender authentication remains extremely important.
It helps identify many forged messages.
However, authentication cannot determine the sender’s intentions.
A criminal using a real account can send fully authenticated malware.
Therefore, recipients must evaluate both identity and content.
Unexpected requests always deserve caution.
That rule applies even when every authentication test passes.
Password Changes May Not Finish the Job
Many people stop after changing the password.
Unfortunately, that action may leave other access behind.
Connected applications may retain authorization.
Active sessions may also remain available.
Forwarding rules can continue leaking messages.
Delegates and aliases may survive unnoticed.
Therefore, victims must review the entire account configuration.
Watch the Account After Recovery
Continue monitoring the account for several weeks.
Watch for unfamiliar security alerts.
Also, review sent messages and login activity.
Ask contacts whether they received additional suspicious messages.
Attackers sometimes return through access the owner missed.
Therefore, another warning deserves immediate attention.
Document What Happened
Save useful information before deleting everything.
Record the date and approximate time.
Also, record suspicious subject lines and affected recipients.
Keep the complete headers when possible.
However, never preserve dangerous attachments on everyday computers.
Good records can help technical professionals understand the incident.
Do Not Feel Embarrassed
Account takeovers happen to intelligent and careful people.
Criminals use pressure, deception, stolen information, and technical tricks.
Therefore, embarrassment only delays recovery.
Fast action matters much more than blame.
Report the problem and secure the account immediately.
Then warn everyone who may face danger.
What This Incident Taught Again
After more than 28 years in this industry, one lesson remains constant.
A familiar sender does not guarantee a safe email.
In this case, the headers strongly indicated genuine Gmail transmission.
However, Microsoft still recognized the dangerous content.
That combination strongly suggested unauthorized account use.
Therefore, contacting the client immediately made sense.
Final Email Security Advice
Treat every unexpected attachment or document link carefully.
Verify unusual requests through another communication method.
Use unique passwords and two-step verification.
Review connected applications regularly.
Also, keep computers and browsers updated.
Most importantly, never confuse successful authentication with trustworthy content.
A message can come from a real account and still cause serious harm.


