Was your corporate email account hacked? Act now, in the right order
O que fazer agora
Act immediately, from a trusted device and in this order: change the password to a long, unique one, force phishing-resistant MFA (FIDO2 or passkey), terminate all active sessions and remove forwarding rules and filters you did not create — the intruder often leaves a hidden forward to keep reading your emails even after the password change. Next, revoke connected OAuth apps, audit sent and deleted emails and warn contacts, finance and suppliers through a channel outside email. If there is any sign of financial fraud, transfers or multiple affected accounts, engage Decripte's 24/7 Incident Response through /contato: our SOC contains the attack with an SLA of up to 1 hour, preserves evidence and coordinates communication with the bank, the ANPD and the data subjects.
SOC 24x7 e SLA de contenção de até 1 hora. A Decripte é especialista em resposta a incidentes para fintechs, crypto, apps, e-commerces e empresas de todos os tamanhos.
Sinais de alerta
- ›You received login alerts from unknown locations, IPs or devices, or 'new session started' notices that were not you.
- ›Contacts report receiving strange emails from you — charges, links, requests for money or for a change of bank details.
- ›Your inbox is 'strangely empty' or emails disappear on their own: a sign of a malicious filter deleting or archiving messages.
- ›There is an automatic forwarding rule to an external address that you did not create.
- ›Your password suddenly stopped working or you were logged out for no reason (the intruder may have changed the password).
- ›There are OAuth apps, app passwords or connected devices you do not recognize in the account's security settings.
- ›Finance or a supplier received an instruction to change the payment account of a 'bill' or 'invoice' supposedly coming from you.
Primeiros passos — o que fazer agora
- 1
Change the password from a trusted device
Use a computer or phone you know is not compromised (no malware or infostealer) to create a new, long, unique password. Never reuse the old password or variations of it. If the same password was used on other services, change it in those places too.
- 2
Force MFA, preferably FIDO2
Enable multi-factor authentication on the account and require phishing-resistant MFA (a FIDO2 security key or passkey). Avoid relying on SMS alone, which is vulnerable to SIM swap. In a corporate environment (Microsoft 365 / Google Workspace), force MFA by policy for all users, not just for the affected account.
- 3
Terminate all active sessions
Log out of all devices and revoke session tokens and cookies. In M365 use the option to revoke sessions / reset refresh tokens; in Google Workspace use 'Sign out sessions'. This drops the intruder even if they already have the password in hand, forcing a new login with MFA now enabled.
- 4
Remove malicious forwarding rules and filters
This is the classic BEC tactic: the attacker creates an automatic forward to an external address and filters that archive or delete messages (e.g., subjects with 'invoice', 'payment', 'bill'). Review and delete any rule you did not create, including filters, server rules and tenant-level forwarding.
- 5
Revoke OAuth apps and connected devices
Check third-party apps with access to the account (OAuth) and remove those you do not recognize or no longer use — a malicious app keeps access even after the password change. Also check linked devices and old app passwords, revoking anything suspicious.
- 6
Audit sent, deleted and the outbox
Look for emails the intruder sent in your name (fake charges, changing bank details, requests to suppliers) and messages they deleted to hide the trail. This defines the reach of the damage, who needs to be warned urgently and which personal data was exposed.
- 7
Warn contacts, finance and suppliers
Communicate to your team, customers and suppliers through an alternative channel (phone, WhatsApp) that your account was compromised and that payment requests or bank-detail changes sent by email should be disregarded and reconfirmed by voice using an already known number. In BEC, the loss comes from those who trust the fraudulent email.
- 8
Engage Incident Response and check for a leak
If there is any sign of fraud, transfers or compromise of several accounts, engage Decripte's 24/7 Incident Response through /contato — 1h containment SLA. In parallel, use the free Threat Management plan at https://decripte.com.br/intelligence-center to confirm whether your corporate credential leaked and is for sale on the dark web.
O que NÃO fazer
- ✕Do not just change the password and consider the case closed: without ending sessions and removing forwarding rules, the intruder stays inside the account and keeps reading your emails.
- ✕Do not rely only on SMS MFA: SIM swap lets the attacker intercept the code; prefer a phishing-resistant FIDO2 key or passkey.
- ✕Do not pay or 'confirm' any financial request that arrived by email during the suspicious period without validating by voice using an already known number — that is how the BEC scam is completed.
- ✕Do not delete logs, emails or evidence before preserving the history: this material is essential to understand the reach and for the notification to the ANPD, the bank and the police, as well as to warn data subjects and the ANPD when there is exposure of personal data with relevant risk.
- ✕Do not use the possibly infected device itself to reset the password; if there is malware or an infostealer, the new password leaks in the same instant.
- ✕Do not decide to pay a ransom on impulse if there is extortion: there is no guarantee of the return of access or data, payment may fund new attacks and there are legal implications — assess it with Incident Response and preserve the evidence before any step.
Why changing the password is not enough: the anatomy of an account takeover
Most people react to a breach by changing the password and stopping there. The problem is that an experienced attacker has already prepared to survive that gesture. On entering the account, they establish persistence: create hidden forwarding rules, generate app passwords, authorize a malicious OAuth app or simply keep an active session with a valid cookie. Any of these mechanisms keeps working after you change the password, because they no longer depend on it.
That is why the order of actions matters. Changing the password from a trusted device, forcing MFA and — crucially — terminating all active sessions drops the session-based access. Removing forwarding rules and filters cuts off the silent exfiltration. Revoking OAuth apps eliminates the delegated access. Only when all of those paths are closed does the account truly return to your hands. Skipping one of them means leaving a back door open.
BEC: when the hacked account becomes a financial-fraud weapon
Business Email Compromise (BEC) is the most expensive outcome of a corporate account takeover. With access to your mailbox, the criminal studies how you write, whom you talk to and which payments are in progress. Then, at the right moment, they send a perfectly plausible message asking a supplier, customer or your own finance team to change the bank details of an invoice or advance a payment. To hide the maneuver, they use filters that delete the replies before you see them.
That is why, during containment, auditing sent and deleted emails is as important as resetting the password. You need to know exactly what was sent in your name and warn the recipients through a channel outside email. The golden rule for your organization becomes: no change of bank details or atypical payment requested by email is executed without confirmation by voice using an already known number. This single policy blocks the overwhelming majority of BEC scams. If a Pix payment has already been made by mistake, the payer should contact the bank immediately to trigger the MED.
Cada minuto conta. Comece o diagnóstico gratuito agora e veja o que já vazou.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
Containment, eradication and recovery in practice
The response to an account takeover follows the NIST logic. Detection and analysis is understanding how the intruder got in (leaked credential, phishing, infostealer) and how far they went. Containment is the block of immediate actions: new password, forced MFA, sessions terminated, forwarding and OAuth removed. Eradication removes the remaining persistence — app passwords, server rules, linked devices — and closes the original entry vector, for example by changing credentials reused in other systems.
Recovery returns operations to normal with heightened monitoring: you watch new logins, validate that no rule reappears and confirm that contacts were warned. The lessons learned become policy — mandatory FIDO2 MFA, blocking external automatic forwarding at the tenant, mailbox-rule alerts and periodic review of OAuth apps. When the incident involves fraud, multiple accounts or the risk of financial movement, Decripte's 24/7 Incident Response takes on that entire chain with a containment SLA of up to one hour, preserving evidence and coordinating communication with the bank, the ANPD and the data subjects.
How your credential reached the attacker — and how to find out first
Much of the time an account takeover does not start with a hacker 'breaking into' anything: it starts with a password that was already for sale. Infostealers on infected machines and leaks from other services dump enormous volumes of email-and-password pairs onto forums and the dark web. If your corporate password appeared in one of those dumps — or if you reused it on another site that leaked — the criminal only had to test it. That is why, after containing the incident, it is essential to know whether the credential circulates publicly.
Decripte's free Threat Management plan, the Decripte Intelligence Center (DIC), monitors exactly that: credential leaks, dark web exposure and your domain's reputation — with no credit card and no need for a technical team. You register your domain at https://decripte.com.br/intelligence-center and find out which of your company's emails already appeared in leaks, turning the response to this incident into continuous prevention of the next ones. It is the cheapest way to shut off the tap that feeds takeover attacks.
Obrigações legais (Brasil)
In Brazil, if the breach exposed personal data and the incident may cause relevant risk to data subjects, notification to the ANPD must occur within 3 business days from awareness of the incident, under Resolution CD/ANPD No. 15/2024, with notice also to the affected data subjects. In the case of financial fraud via Pix, engage the bank immediately for the MED (Special Return Mechanism) and file a police report — the window to attempt to block the funds is short. Preserve logs and emails as evidence from the first moment. These rules and deadlines (ANPD/LGPD) are Brazilian.
Termos importantes
- Account Takeover (ATO)
- The takeover of a legitimate account by an unauthorized third party, usually using valid credentials obtained from leaks, phishing or malware. In the corporate context, it is often the first step toward email fraud.
- BEC (Business Email Compromise)
- A scam in which the criminal, with access to or impersonating a corporate account, induces employees, customers or suppliers to make payments or change bank details. It usually uses forwarding rules and filters to hide the fraud.
- MFA / FIDO2
- Multi-factor authentication requires a second factor beyond the password. FIDO2 is the standard for phishing-resistant security keys and passkeys, which cannot be intercepted like an SMS code, being the safest way to protect the account.
- OAuth
- A protocol that lets third-party apps access your account without seeing your password, by means of a token. A malicious OAuth app authorized by the intruder keeps access to the account even after the password is changed, which is why it must be revoked.
- Malicious forwarding rule
- A setting created by the attacker to automatically forward copies of your emails to an external address, or filters that delete messages. It is the classic tactic of persistence and silent exfiltration in BEC attacks.
- MED (Special Return Mechanism)
- A Pix procedure that allows the bank to block and attempt to return funds in cases of fraud or operational failure, upon quick contact from the victim. The trigger window is short, which is why contact with the bank must be immediate.
Perguntas frequentes
I changed my email password but I still get strange login alerts. What do I do?
Changing the password does not drop whoever is already logged in with an active session. Go to the security settings and use the option to end all sessions / revoke tokens (in Microsoft 365 and Google Workspace this command exists). Then remove forwarding rules and OAuth apps you do not recognize. If the alerts persist, the attacker maintains persistence through another path and you should engage Decripte's 24/7 Incident Response through /contato.
How do I know if the hacked account created a hidden forward?
Go to your account's rules and forwarding settings (in Outlook/M365: Rules and Forwarding; in Gmail/Workspace: Forwarding and POP/IMAP and Filters). Look for any forward to an external address and filters that delete, archive or mark as read messages about invoices, payments or bills. Delete anything you did not create. This is the most common BEC mechanism and usually goes unnoticed.
The intruder sent emails in my name asking for payment. Is it over?
Not necessarily. Act fast: list the sent and deleted emails to know exactly who received what and warn each recipient by phone that the request is fraudulent. If any payment via Pix has already been made, the payer should contact the bank immediately to trigger the MED (Special Return Mechanism) and file a police report — the window to try to block the funds is short.
Do I need to notify the ANPD if my email account was hacked?
If the breach exposed personal data (of customers, employees or third parties) and the incident may cause relevant risk to data subjects, yes. Resolution CD/ANPD No. 15/2024 requires notifying the ANPD within 3 business days from awareness of the incident and also notifying the affected data subjects. Preserve the evidence and logs right away, because they support that notification and the risk assessment.
Does SMS MFA solve the account-hacking problem?
It helps, but it is the weakest link. The SMS code can be intercepted via SIM swap, in which the criminal clones your number. For an account that has already been targeted, prefer phishing-resistant MFA: a FIDO2 security key or passkey. In a corporate environment, force that standard by policy for all users, not just for the compromised account.
How do I find out if my company's password leaked on the dark web?
Use Decripte's free Threat Management plan at https://decripte.com.br/intelligence-center. You register your domain and it monitors credential leaks, dark web exposure and domain reputation, with no credit card and no technical team. That way you identify which corporate emails already appeared in leaks and change those passwords before they become a new account takeover.
Should I turn off the computer or the account to stop the attack?
Do not shut down or delete anything on impulse. Shutting down may destroy volatile evidence and does not always interrupt the access, which often comes from outside your device. The right move is to contain within the account itself — password, MFA, sessions, rules, OAuth — while preserving logs and emails. If there is suspected malware on the machine, isolate it from the network (without shutting it down) and use another trusted device for the reset.
When should I engage Decripte's Incident Response instead of solving it myself?
Engage immediately if there is any sign of financial fraud, transfers, multiple compromised accounts, exposed personal data or if the intruder reappears even after your containment actions. Decripte's 24/7 Incident Response has a containment SLA of up to 1 hour, takes on the investigation, preserves evidence and coordinates communication with the bank, the ANPD and the data subjects. The contact is through /contato.
Incidente em andamento?
Comece agora pelo diagnóstico gratuito — e ative SOC 24/7 e resposta a incidentes nos planos pagos.
Veja em minutos o que já vazou da sua empresa. Quando precisar, a Decripte assume a contenção, a investigação forense e a recuperação do ambiente com SLA de contenção de 1 hora.
