A compromised business email account can create real pressure, especially if the account is tied to invoices, client communication, banking requests, Microsoft 365, or administrator access. The response should be calm, structured, and documented. The goal is to stop unauthorized access, understand what changed, reduce business impact, and prevent the same issue from happening again.
This guide is written for small businesses using Microsoft 365 or similar business email systems. It is not a substitute for incident response in a regulated environment, but it gives a practical starting point for the first hour and the follow-up work.
1. Secure The Account First
Start by blocking unauthorized access. Reset the password, revoke active sessions, and confirm multi-factor authentication settings. If the account has administrator privileges, treat the incident as higher risk because the attacker may have had access to more than one mailbox.
- Reset the account password
- Revoke sign-in sessions and refresh tokens
- Review MFA methods and remove suspicious methods
- Check recovery email, phone, and alternate sign-in details
- Disable the account temporarily if needed
2. Check Mailbox Rules And Forwarding
Attackers often create inbox rules that hide replies, forward messages, delete warnings, or move important conversations out of view. Check forwarding settings, inbox rules, sweep rules, delegates, shared mailbox access, and any suspicious filters.
Do not assume the account is clean just because the password was changed. If a hidden forwarding rule remains active, the attacker may continue receiving sensitive messages without signing in again.
3. Review Sign-In Activity
Look at recent sign-ins, locations, devices, browsers, and failed login patterns. In Microsoft 365, sign-in logs can help show whether the account was accessed from unusual locations or through older authentication methods.
Keep notes. Record the date and time of suspicious activity, what was changed, and what actions were taken. Documentation matters if clients, vendors, insurance, legal counsel, or leadership later ask what happened.
4. Assess Business Impact
The most important question is not only “was the account accessed?” It is “what could the attacker have done while inside?” Review sent mail, deleted mail, inbox rules, recent conversations, invoice threads, payment instructions, client files, and internal requests.
- Were fake invoices or payment changes sent?
- Were clients or vendors asked to change banking information?
- Were internal users asked to approve purchases or transfers?
- Were sensitive files downloaded or shared?
- Were other accounts reset using this mailbox?
5. Communicate Clearly
If suspicious messages were sent externally, communicate quickly and plainly. Do not over-explain or speculate. Tell affected contacts that the account was compromised, ask them not to open links or follow payment instructions from suspicious messages, and provide a safe way to confirm legitimate requests.
Internally, tell staff what to watch for. Attackers often use one compromised mailbox to target coworkers, especially finance, administration, leadership, and anyone who handles invoices or approvals.
6. Check Related Accounts And Devices
Email compromise can be a symptom, not the whole incident. Review the user’s device, browser extensions, password manager, cloud apps, and any third-party systems that use the email account for password resets. If the user reused passwords, prioritize high-value systems first.
7. Reduce Repeat Risk
After the immediate response, fix the conditions that made the compromise easier or more damaging. This may include stronger MFA, conditional access, disabling legacy authentication, better email filtering, security awareness training, admin role cleanup, and clearer payment verification procedures.
The goal is not to blame one user. Most email compromises succeed because the system allowed a small mistake to become a bigger business risk.
What This Looks Like In Practice
For small businesses that need practical risk reduction without turning security into a complicated project, to Do If a Business Email Account Is Compromised usually matters because the issue shows up in ordinary work, not only during a major project. For example, the business has MFA in some places, shared passwords in others, former staff access that may not be fully removed, and no clear process for reporting suspicious email. That kind of situation does not always require a large overhaul, but it does need clear ownership and a practical order of operations.
The useful approach is to separate what must be fixed now from what can be improved over time. A small business usually gets better results by documenting the current state, choosing the next sensible action, and avoiding tool changes that create more confusion than progress.
Questions To Ask Before You Decide
- Which accounts would create the most damage if compromised?
- Are MFA, admin access, email security, backups, and offboarding handled consistently?
- Can staff report a suspicious message or account issue quickly?
- Which security gaps are urgent, and which can be scheduled after the basics are stable?
Common Mistakes To Avoid
- Buying tools before fixing account access, MFA, email rules, backups, and offboarding.
- Treating cybersecurity as a one-time setup instead of a recurring operating habit.
- Making security advice too technical for the people who need to follow it.
A Stronger Next Step
Use this article as a starting point, then compare it against your real users, systems, data, and support expectations. If the topic connects to a current business risk or repeated frustration, write down the top three symptoms, the systems involved, and who is affected. That makes the next conversation more productive and helps avoid vague recommendations.
A Practical Next Step
If you suspect a business email account has been compromised, move in order: secure access, check mailbox changes, review sign-ins, assess business impact, communicate clearly, and then harden the environment. OnlineV can help Calgary businesses review Microsoft 365 security, email protection, MFA, mailbox rules, and recovery steps after an incident.
Practical Example
A practical security gap might be simple: former staff still have access, MFA is inconsistent, mailbox rules were never reviewed, or backups exist but nobody has tested a restore.
Quick checklist
- Enable MFA for email, Microsoft 365, remote access, and admin accounts.
- Review administrator access and remove accounts that no longer need it.
- Check email forwarding, suspicious mailbox rules, and domain records.
- Confirm backups can actually be restored before an incident happens.
What OnlineV would review
Accounts, MFA, admin roles, email security, device protection, backup readiness, offboarding habits, and the simplest incident steps staff should know.
Which risks need attention now and which tools or projects can wait.
Recommended Next Reads
Keep going with the strongest related guides
Useful Next Pages
Keep this connected to the right service
Need Help Reducing Risk?
Separate urgent security gaps from noise
OnlineV can help review MFA, admin access, email risk, devices, backups, and offboarding so the next step is clear and realistic for your business.