Compromised User - Steps to follow
| Situation | User account got compromised or hacked. User claims that emails from his account appear to be sent, but the customer is not sending those emails. |
|---|---|
| Solution | Verify that the emails are not in our logs by analyzing the headers. Lock the user's account once this is verified. |
Symptoms
- Users receive emails that are not found in the Proofpoint logs.
- Look in the email headers. The Received chain in the headers shows where the message originated.
- Once it is confirmed that the emails were sent from the customer's email environment, follow the steps below immediately.
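One way to do this header check, as an added example that is not part of this runbook: it walks the Received chain of a raw message to find the originating hop and reports whether the message ever passed through our gateway. The gateway hostname pattern (pphosted.com) and the sample headers are constructed assumptions.

```python
# Added example (not part of the original runbook): parse a raw message's
# Received: chain to find where it entered the mail flow and whether it ever
# passed through the Proofpoint gateway. The sample message and the gateway
# hostname pattern "pphosted.com" are constructed assumptions.
import re
from email import message_from_string
from email.message import Message

# Constructed sample: the message claims to be from a customer user but was
# injected at an unknown host and never traversed the gateway.
SAMPLE_RAW = """Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
 by inbox.recipient.example with ESMTP id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from unknown-host.example ([198.51.100.23])
 by mx.recipient.example with ESMTP id xyz789; Mon, 1 Jan 2024 10:00:01 +0000
From: user@customer.example
To: someone@recipient.example
Subject: Invoice
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=customer.example

Body text.
"""

GATEWAY_PATTERN = re.compile(r"pphosted\.com", re.IGNORECASE)  # assumed gateway hostname


def received_hops(msg: Message) -> list:
    """Return the 'from <host> (<info>)' part of each Received header, origin first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", flat)
        hops.append(m.group(0) if m else flat)
    # Each relay prepends its own Received header, so the last one is the origin.
    return list(reversed(hops))


def origin_report(raw: str) -> dict:
    """Summarise origin hop, full hop list, gateway traversal and auth results."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    via_gateway = any(GATEWAY_PATTERN.search(h) for h in msg.get_all("Received", []))
    return {
        "origin": hops[0] if hops else None,
        "hops": hops,
        "via_gateway": via_gateway,
        "auth_results": msg.get("Authentication-Results"),
    }


if __name__ == "__main__":
    report = origin_report(SAMPLE_RAW)
    print("Origin hop:", report["origin"])
    print("Passed through gateway:", report["via_gateway"])
```

A message whose origin hop is outside the customer's environment and that never traversed the gateway matches the symptom above; a hop through the gateway means the message should appear in Proofpoint logs.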
Immediate Steps to Take
- Lock down the user's account and immediately change the password. (Change password instructions)
- Ensure the user does not re-use that password.
- Scan all devices the user has been using.
Don't forget:
After the admin has changed the account password and scanned the environment, the account can be re-enabled.