What you'll learn in this article
- Email account compromise is unauthorized access to a real mailbox, not just a spoofed message.
- Attackers often gain access through phishing, password spraying, malware, weak recovery flows, or stolen credentials.
- A compromised email account can be used for fraud, internal phishing, surveillance, credential theft, and data exposure.
- EAC and business email compromise are related, but they are not the same thing.
- Stronger email security depends on layered controls, mailbox visibility, anomaly detection, and fast incident response.
Email account compromise happens when an attacker gains unauthorized access to a legitimate mailbox and starts using it as a trusted platform for surveillance, fraud, or further attack activity. That makes it different from a simple spam problem or a one-off suspicious email.
Once a real business email account is compromised, the attacker inherits trust, message history, and communication context that can be used against the organization. For enterprise teams, email compromise is often the start of a much broader incident.
What Is Email Account Compromise (EAC)?
Email account compromise is unauthorized access to a legitimate email account. Instead of pretending to be the user from the outside, the attacker is inside the real mailbox and using the trust that comes with it.
Attackers can gain access to email accounts in several ways. Some methods rely on deception, while others take advantage of weak credentials or weak account protections. Some common methods include:
- Phishing emails: Trick an employee into entering login credentials into a fake page.
- Malicious approval prompts: Ask the user to approve attacker access through a fake or unexpected request.
- Stolen credentials: Reuse usernames and passwords obtained through prior breaches or criminal marketplaces.
- Password spraying: Test common passwords across many accounts to find weak access points.
- Malware: Capture credentials, session data, or mailbox access through an infected system.
- Reused passwords: Make it easier for attackers to access an email account using credentials exposed elsewhere.
- Weak password reset or recovery flows: Give attackers another path into the mailbox when recovery steps are not well protected.
Why a real mailbox is so dangerous
The danger increases once the attacker is inside a real mailbox. At that point, they are no longer working with a fake identity but with a legitimate account that carries sender reputation, internal business context, and a record of prior conversations. Messages sent from that account are more likely to be opened, trusted, and acted on.
Why EAC matters to enterprises
For enterprise organizations, email account compromise is not just a mailbox issue. It can quickly become a broader fraud, trust, and operational risk across the business.
It can lead to invoice manipulation, exposure of sensitive information, internal phishing, financial fraud, or a wider cyber threat affecting other systems and users. The real risk comes from the legitimacy of the mailbox itself, since a compromised account can look normal at first glance.
How Does Email Account Compromise Work?
Email account compromise usually starts with access theft, but the path to compromise can vary. Some attacks are direct and fast. Others are quieter and unfold over time.
Phishing
A phishing attack is one of the most common paths to compromise. The attacker sends a convincing message designed to steal login credentials, trigger a malicious sign-in approval, or direct the user to a fake login page. Because phishing relies on trust and urgency, it remains one of the most effective ways for cybercriminals to get into a business email environment.
Supply chain hijacking
Attackers may also gain access through a compromised vendor, partner, or third-party system. When a trusted external relationship is already in place, malicious activity can blend into existing business email communications. This is one reason supply chain abuse can be difficult to spot early.
Credential theft
Compromise can also happen through credentials obtained elsewhere. Attackers may reuse usernames and passwords collected from prior breaches, infostealers, or underground markets. If a user reuses passwords across multiple services, the risk increases significantly.
Password spraying
In password spraying, the attacker tests common passwords across many accounts instead of targeting one account with many guesses. This helps avoid lockouts while still identifying weak access points. It is especially effective when organizations do not enforce a strong password policy.
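The low-and-slow pattern described above is also what makes spraying detectable from the defender's side: one source producing a small number of failures against many distinct accounts inside a short window, rather than many failures against one account. The following is an added example written for this article, not code from the page or from Mimecast; the log format (timestamp, source IP, account, result) is a constructed simplification and the thresholds are assumptions to tune against your own sign-in telemetry.

```python
"""Detect password-spraying patterns in constructed authentication log lines.

Added example. The log format below is a constructed, simplified shape
(timestamp, source IP, account, result), not the output of any real product.
Password spraying shows up as ONE source failing against MANY DISTINCT accounts
with only a few failures each inside a short window, which keeps every account
below its lockout threshold while still probing for weak credentials.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays six accounts and gets one success;
# 198.51.100.20 is a single user mistyping their own password (normal behaviour).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 203.0.113.7 alice@example.com FAIL
2024-03-01T09:00:03Z 203.0.113.7 bob@example.com FAIL
2024-03-01T09:00:05Z 203.0.113.7 carol@example.com FAIL
2024-03-01T09:00:08Z 203.0.113.7 dave@example.com FAIL
2024-03-01T09:00:10Z 203.0.113.7 erin@example.com FAIL
2024-03-01T09:00:12Z 203.0.113.7 frank@example.com SUCCESS
2024-03-01T09:05:00Z 198.51.100.20 alice@example.com FAIL
2024-03-01T09:05:20Z 198.51.100.20 alice@example.com FAIL
2024-03-01T09:05:40Z 198.51.100.20 alice@example.com SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted accounts} for every source that failed against at
    least `min_accounts` distinct accounts within `window`, with no more than
    `max_per_account` failures per account (the lockout-avoiding signature).
    Thresholds are assumptions; tune them to the tenant's real baseline."""
    failures_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, account, result = parse_line(line)
        if result == "FAIL":
            failures_by_ip[ip].append((ts, account))

    findings = {}
    for ip, events in failures_by_ip.items():
        events.sort()
        start = 0
        # Sliding window over this source's failures, oldest to newest.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, account in events[start:end + 1]:
                per_account[account] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                findings[ip] = sorted(per_account)
                break
    return findings


def successes_after_spray(log_text, findings):
    """Accounts that authenticated successfully from a spraying source.
    These are the mailboxes to reset and investigate first."""
    hits = []
    for line in log_text.splitlines():
        _, ip, account, result = parse_line(line)
        if ip in findings and result == "SUCCESS":
            hits.append((ip, account))
    return hits


if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG)
    for ip, accounts in found.items():
        print(f"spray source {ip}: {len(accounts)} accounts probed")
    for ip, account in successes_after_spray(SAMPLE_LOG, found):
        print(f"  successful login from spray source: {account} (from {ip})")
```

The single-user case is deliberately included so the detector stays quiet on ordinary typos: three failures against one account never reaches `min_accounts`, while five failures spread across five accounts does. A successful sign-in from a source already flagged as spraying is the strongest signal on the page's own logic, since it marks the point where a weak credential became real mailbox access.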
Malware
Malware on an infected endpoint can capture credentials, session tokens, or other information that supports mailbox access. In some cases, attackers do not even need the password again if they can hijack an active session.
Weak recovery flows
Some attackers focus on password reset and recovery mechanisms instead of the mailbox directly. If recovery questions, reset approvals, or identity checks are weak, the account can be taken over without a traditional phishing path.
Gaining access
After they gain access, attackers often spend time observing before acting. They may monitor conversations, review payment threads, search for confidential information, or study how approvals happen. They may also create or modify inbox rules, change forwarding settings, delete messages to hide their activity, or send messages from the account.
Because the attacker is using a real mailbox, fraudulent outreach can look much more convincing. A fraudulent email sent from a compromised mailbox may reference a real bank account, an actual financial transaction, or an existing vendor thread. That is why each attack can quickly escalate from quiet surveillance into active fraud.
EAC vs BEC
Email account compromise and business email compromise are closely related, but they are not interchangeable. Keeping the distinction clear prevents EAC from being lumped in with broader BEC scams and helps defenders focus on the right controls.
EAC refers to the compromise of a real mailbox. Business email compromise attack activity is broader. It includes deceptive business emails used for fraud, even when the attacker never gains access to a real mailbox. A BEC email might come from spoofing, impersonation, or a lookalike domain. EAC, by contrast, begins with real mailbox access.
Here’s how they differ:
| Aspect | EAC | BEC |
| --- | --- | --- |
| Starting point | Starts with a compromised mailbox. | Can start with spoofing, impersonation, or a real compromised mailbox. |
| Attacker goal | Often supports surveillance, credential theft, fraud, or broader misuse over time. | Usually centers on deception for money, data, or action. |
| Common signs | Strange inbox rules, forwarding changes, abnormal logins, or unexpected sent messages. | Urgent payment requests, fake invoices, payroll changes, or gift card requests. |
| Defender focus | Requires mailbox visibility, anomaly detection, authentication controls, and response actions inside the account. | Requires impersonation defense, domain protection, and stronger verification processes. |
Attackers do not always need a compromised mailbox to run CEO fraud or payment deception. BEC scammers can still succeed through spoofed messages. But when EAC is involved, the attacker has far more context and trust to work with.
What Are the Signs of Email Account Compromise?
Email account compromise can be difficult to detect early because the activity often comes from a real account with real history. Traditional blocking alone is not always enough, so security teams often need stronger visibility into behavior and communication context.
Unexpected password resets
Unplanned reset requests may indicate an attacker trying to take control of the mailbox or interfere with recovery steps. Even if access is not fully established yet, this can be an early signal that the account is being targeted.
Suspicious sent messages
The user may discover messages they never sent, including requests tied to payroll changes, vendor payments, or bank account updates. Because the messages come from a legitimate email account, recipients may be more likely to trust them.
Unfamiliar inbox rules
Attackers often create rules that hide, redirect, or silently monitor messages. This helps them stay inside the account longer while reducing the chance that the user notices something is wrong.
Abnormal login locations
Access from locations that do not fit the user’s usual pattern can be a strong indicator of compromise. On its own this may not confirm malicious activity, but it becomes more concerning when paired with other unusual behavior.
Access from unusual devices
A sign-in from a device the user has never used may point to unauthorized access. This is especially important when the device does not match the user’s normal work habits or known endpoints.
Mailbox forwarding changes
Attackers may set up forwarding to capture copies of sensitive messages or maintain visibility if their direct access is lost. These changes can allow them to keep monitoring the mailbox even after the initial compromise is discovered.
Deleted or missing messages
Missing emails or deleted conversations can indicate an attempt to conceal fraudulent activity or remove evidence. In some cases, attackers delete messages to disrupt visibility between the user and the security team.
Unusual external conversations
Security teams may find suspicious outreach to customers, vendors, or partners coming from the compromised mailbox. That can include payment redirection, requests for personal information, or attempts to continue a broader phishing campaign.
The challenge is that a compromised email account still looks legitimate on the surface. It uses the right sender, the right history, and the right business context, which is why defenders often need more than sender blocking.
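Because each of these signs is weak on its own and strong in combination, a practical triage step is to collect them per mailbox and rank mailboxes by how many independent indicators they accumulate. The following is an added example for this article, not code from the page or from Mimecast; the JSON event shape, the per-user baseline of usual countries and devices, the hide-folder list and the finance keyword list are all constructed assumptions standing in for whatever audit feed and baseline your environment actually has.

```python
"""Triage constructed mailbox audit events for the EAC indicators listed above.

Added example. The event shape (one JSON object per line with "user", "op" and
a few operation-specific fields) is a constructed, generic approximation, not
any vendor's real audit schema. Each check maps to one sign from the article:
abnormal login location, unfamiliar device, suspicious inbox rule, external
forwarding, and unusual outbound conversation. Findings are grouped per
mailbox so an analyst sees the combination, not isolated alerts.
"""
import json
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed baseline: where and from what each user normally signs in.
BASELINE = {
    "alice@example.com": {"countries": {"US"}, "devices": {"ALICE-LAPTOP"}},
    "bob@example.com": {"countries": {"US", "CA"}, "devices": {"BOB-LAPTOP"}},
}

# Constructed events: alice's mailbox shows the full EAC pattern; bob's shows
# an ordinary newsletter rule and a sign-in inside his baseline.
SAMPLE_EVENTS = """\
{"user": "alice@example.com", "op": "SignIn", "country": "US", "device": "ALICE-LAPTOP"}
{"user": "alice@example.com", "op": "SignIn", "country": "NG", "device": "UNKNOWN-DEVICE-1"}
{"user": "alice@example.com", "op": "NewInboxRule", "name": ".", "actions": ["MoveToFolder"], "folder": "RSS Feeds", "conditions": {"subject_contains": ["invoice", "payment"]}}
{"user": "alice@example.com", "op": "SetMailboxForwarding", "forward_to": "alice.backup@mail.invalid"}
{"user": "alice@example.com", "op": "SendMessage", "to": ["ap@vendor.invalid"], "subject": "Updated bank details for invoice 4471"}
{"user": "bob@example.com", "op": "SignIn", "country": "CA", "device": "BOB-LAPTOP"}
{"user": "bob@example.com", "op": "NewInboxRule", "name": "Newsletters", "actions": ["MoveToFolder"], "folder": "Newsletters", "conditions": {"from_contains": ["news@"]}}
"""

# Assumed lists: folders users rarely read, and words tied to payment threads.
HIDE_FOLDERS = {"Deleted Items", "RSS Feeds", "Archive", "Junk Email", "Conversation History"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "payroll"}


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def check_signin(e):
    base = BASELINE.get(e["user"], {"countries": set(), "devices": set()})
    out = []
    if e["country"] not in base["countries"]:
        out.append(f"login from unusual country {e['country']}")
    if e["device"] not in base["devices"]:
        out.append(f"login from unfamiliar device {e['device']}")
    return out


def check_inbox_rule(e):
    out = []
    actions = set(e.get("actions", []))
    cond_words = {w.lower() for words in e.get("conditions", {}).values() for w in words}
    if actions & {"Delete", "MarkAsRead"} or e.get("folder") in HIDE_FOLDERS:
        out.append(f"inbox rule {e['name']!r} hides messages ({', '.join(sorted(actions))} -> {e.get('folder', '-')})")
    if actions & {"ForwardTo", "RedirectTo"}:
        out.append(f"inbox rule {e['name']!r} forwards or redirects mail")
    if cond_words & FINANCE_WORDS:
        out.append(f"inbox rule {e['name']!r} matches finance keywords {sorted(cond_words & FINANCE_WORDS)}")
    if not e["name"].strip(" ._-"):
        out.append(f"inbox rule has a non-descriptive name {e['name']!r}")
    return out


def check_forwarding(e):
    if is_external(e["forward_to"]):
        return [f"mailbox forwarding set to external address {e['forward_to']}"]
    return []


def check_send(e):
    words = {w.lower().strip(".,") for w in e.get("subject", "").split()}
    if any(is_external(r) for r in e.get("to", [])) and words & FINANCE_WORDS:
        return [f"outbound message to external party about {sorted(words & FINANCE_WORDS)}: {e['subject']!r}"]
    return []


CHECKS = {
    "SignIn": check_signin,
    "NewInboxRule": check_inbox_rule,
    "SetMailboxForwarding": check_forwarding,
    "SendMessage": check_send,
}


def triage(events_text):
    """Group indicators per mailbox; mailboxes with no indicators are omitted."""
    findings = defaultdict(list)
    for line in events_text.splitlines():
        e = json.loads(line)
        for indicator in CHECKS.get(e["op"], lambda _e: [])(e):
            findings[e["user"]].append(indicator)
    return dict(findings)


def prioritize(findings, threshold=2):
    """Mailboxes whose indicator count reaches the threshold, most indicators first."""
    ranked = sorted(findings.items(), key=lambda kv: -len(kv[1]))
    return [user for user, indicators in ranked if len(indicators) >= threshold]


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for user in prioritize(found):
        print(user)
        for indicator in found[user]:
            print("  -", indicator)
```

The threshold of two indicators is what turns the page's caveat about login anomalies into logic: a single unusual country produces an entry but no escalation, whereas the same login followed by a rule that moves payment threads into an unread folder and forwarding to an external address crosses the line. Bob's newsletter rule shows the other half of the requirement, since a rule that moves mail is normal unless its destination or conditions match the concealment patterns.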
How Organizations Can Defend Against Email Account Compromise
Defending against email account compromise requires layered business email protection. One control alone will not solve the problem because attackers can target people, credentials, sessions, and workflows in different ways.
Strengthen access and authentication
Reducing email account compromise starts with making stolen credentials less useful. Multi-factor authentication adds another barrier, while stronger password controls help reduce the risk of weak or reused credentials.
Organizations should also secure password reset and account recovery flows, since attackers may target those when direct login attempts fail. Login anomaly monitoring adds another layer by flagging unusual access from unfamiliar locations, devices, or behavior patterns.
Improve visibility, response, and user-facing protection
Once access is gained, the next challenge is spotting misuse before it turns into wider fraud or a data leak. Attackers often rely on normal-looking mailbox activity to stay unnoticed while they expand their reach.
- Suspicious-message detection: Helps identify fraudulent or abnormal email activity earlier.
- Mailbox monitoring: Tracks changes and behavior that may indicate compromise or misuse.
- Phishing-resistant controls: Reduce the chance that phishing leads to mailbox access.
- Faster response actions: Session termination or forced resets can help contain abuse quickly once compromise is confirmed.
Mimecast supports this kind of defense by helping organizations improve visibility into anomalous email behavior, impersonation risk, and human-targeted threats. That matters because strong business email protection depends not only on blocking suspicious email, but also on recognizing when a real mailbox starts behaving in suspicious ways.
The Role of Email Account Compromise in Enterprise Security
Email account compromise is an important threat to consider because it can quickly become more than a mailbox issue. A single compromised mailbox can expose sensitive information, create trust-based fraud, trigger internal phishing, or support wider security incidents across the organization. It can affect vendor payments, customer communications, and access to valuable business context all at once.
For enterprise defenders, EAC is a business risk, not just an email issue. Stronger detection, faster containment, better authentication, and deeper mailbox visibility can help stop one compromised account from becoming a broader incident. Mimecast helps organizations reduce email-driven compromise, improve response, and limit the impact of trusted-account abuse.