Short answer: The clearest signs a business mailbox has been taken over are inbox rules you didn't create (especially ones that forward or delete mail), messages in your Sent items you didn't write, contacts reporting strange emails from you, sign-in alerts from unfamiliar locations or devices, emails that go missing, and MFA prompts you didn't trigger. If you see any of these, act immediately: reset the password, sign out all sessions, confirm MFA, and remove any rogue mailbox rules — then investigate what was accessed and warn your contacts.
If you already suspect a live compromise, skip to what to do right now. Speed matters — the sooner you cut off access and pull the attacker's forwarding rules, the less damage they can do.
The seven warning signs
Mailbox rules you didn't create
The classic tell. Attackers create inbox rules that auto-forward your mail to an external address, or that move messages containing words like "invoice", "payment" or "security" straight to a folder or the deleted items — so you never see the replies to their scam. Check your rules regularly; a rule you don't recognise is a red flag on its own.
Sent or deleted items you don't recognise
Messages in your Sent folder you never wrote, or a suspiciously empty Sent or Deleted folder (attackers often clean up after themselves). Replies in threads you were never part of are another sign someone else has been using the mailbox.
Contacts report odd messages from you
Clients, suppliers or colleagues asking about an email you didn't send — a fake invoice, a "shared document" link, a request to change bank details, or an out-of-character urgent ask. Being told "did you mean to send this?" is often the first anyone notices.
Sign-ins from unfamiliar locations or devices
Microsoft 365 records sign-in activity. Logins from countries you don't operate in, at odd hours, or from devices you don't own suggest someone else has your credentials. Impossible-travel patterns — a sign-in here and another far away minutes later — are a strong indicator.
Emails going missing
Expected replies that never arrive, or threads that vanish, can mean a hidden rule is intercepting and hiding mail before you see it. If people insist they replied and you have nothing, check your rules and deleted items.
MFA prompts or password resets you didn't start
Unexpected multi-factor approval requests mean someone has your password and is trying to get past your second factor — do not approve them. Password-reset or security-info-change notifications you didn't initiate are equally serious.
New app permissions or changed security info
An unfamiliar app suddenly has access to your mailbox, or your recovery phone/email or MFA methods have been changed. Attackers add their own recovery details or consent a malicious app so they can keep access even after a password reset.
One sign is enough to check. You don't need to see all seven. Any single one — especially a rule you didn't create or an MFA prompt you didn't trigger — justifies an immediate look at your sign-in history and mailbox rules.
What to do right now
If you believe a mailbox is compromised, work through these in order. If you have IT support or a security provider, involve them immediately — but these first moves are about speed.
- Reset the password and sign out everywhere. Change the account password to something new and strong, and force sign-out of all active sessions so the attacker's existing login is cut off. A password change alone doesn't always end an active session.
- Confirm MFA is on and controlled by you. Enable MFA if it wasn't, and check the account's security info — remove any phone numbers, emails or authenticator entries you don't recognise, as attackers add their own to keep access.
- Remove rogue mailbox rules and forwarding. Delete any inbox rules and any external auto-forwarding the attacker set up. This is what stops them continuing to read and hide your mail after you've reset the password.
- Review sign-in and audit activity. Check where and when the account was accessed, and what was sent, read or downloaded, so you understand the scope. This is where having audit logging already turned on pays off.
- Revoke suspicious app consents. Remove access for any unfamiliar third-party apps connected to the account.
- Warn affected contacts. If fraudulent mail went out — especially anything about invoices or bank details — tell the recipients directly (by phone where money is involved) so they don't act on it.
- Check for reuse and spread. If the password was used elsewhere, change it there too, and check whether other accounts or mailboxes show the same signs. Treat it as an incident, not a one-mailbox glitch.
After the fire's out, close the door it came through: make sure MFA is enforced for everyone, legacy authentication is blocked, and external forwarding is restricted. Our M365 security checklist and MFA guide walk through exactly that.
Frequently asked questions
How do I know if my business email has been hacked?
Common signs are unexpected mailbox rules that move or forward mail, sent items or replies you didn't write, contacts reporting odd messages from you, sign-in alerts from unfamiliar locations, missing emails, and MFA prompts you didn't trigger. Any one warrants an immediate check of your sign-in and rules activity.
What should I do first if my email is compromised?
Reset the password and force sign-out of all sessions, confirm MFA is enabled and controlled by you, then remove any inbox forwarding or mail-handling rules the attacker created. After containment, review sign-in logs, check what was sent or accessed, and warn contacts about any fraudulent messages.
Can an email compromise spread beyond one mailbox?
Yes. Attackers use a hijacked mailbox to phish colleagues and contacts from a trusted address, and may pivot to other systems if the password was reused. Treat a confirmed compromise as an incident: contain the account, then check whether the same credentials unlocked anything else.
Want your Microsoft 365 security checked and locked down properly?
That's what SG1 Consulting does — investigate a suspected compromise, contain it, and harden your tenant so it doesn't happen again, for Australian businesses.
Talk to SG1 →