Proofpoint, Inc.

Compromised User - Steps to follow

Situation: A user account has been compromised or hacked. The user reports that emails appear to be sent from their account, but the customer is not sending those emails.
Solution: Verify that the emails are not in our logs by analyzing the headers. Lock the user's account once this is verified.

 

Symptoms

  • Users will receive emails that are not found in Proofpoint logs.
  • Look in the email headers. The email headers will show the origin of the message.
  • Once it is confirmed that the emails were sent from the customer's email environment, follow the steps below immediately.
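
One way to do the header check described above, as an added example that is not part of the original article or Proofpoint's own tooling: it reads the `Received` chain of a raw message, reports the oldest hop, and says whether that hop was accepted by the customer's own mail server. The host names, suffixes and sample messages are constructed placeholders.

```python
import re
from email import message_from_string
# Assumed placeholder values: the filtering service's relay suffix and the
# customer's own mail hosts. Replace with the tenant's real ones.
GATEWAY, CUSTOMER = ("filter.example.net",), ("corp.example.com",)
_FROM = re.compile(r"^from\s+(\S+)", re.I)
_BY = re.compile(r"\bby\s+(\S+)", re.I)
_WITH = re.compile(r"\bwith\s+(\S+)", re.I)
_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

def _grab(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None

def _in(host, suffixes):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def hops(raw):
    """Received hops, oldest first (each relay prepends its own line)."""
    out = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        out.append({"from": _grab(_FROM, text), "by": _grab(_BY, text),
                    "with": _grab(_WITH, text), "ip": _grab(_IP, text)})
    return out

def assess(raw):
    # Hops older than the first server you control can be forged; confirm in its logs.
    chain = hops(raw)
    origin = chain[0] if chain else {}
    return {
        "origin_ip": origin.get("ip"),
        "sent_from_customer_env": _in(origin.get("by"), CUSTOMER),
        # ESMTPA / ESMTPSA (RFC 3848): the submitting client authenticated.
        "authenticated": (origin.get("with") or "").upper() in ("ESMTPA", "ESMTPSA"),
        "via_gateway": any(_in(h["by"], GATEWAY) for h in chain),
    }

# Constructed sample headers (documentation addresses, not real traffic).
SAMPLE_COMPROMISED = (
    "Received: from mail.corp.example.com (mail.corp.example.com [198.51.100.7])\n"
    "\tby mx.recipient.example.org with ESMTPS id a1; Tue, 02 Jan 2024 10:00:03 +0000\n"
    "Received: from [192.0.2.44] (unknown [192.0.2.44])\n"
    "\tby mail.corp.example.com with ESMTPSA id c3; Tue, 02 Jan 2024 10:00:01 +0000\n"
    "From: user@corp.example.com\nSubject: constructed sample\n\nbody\n")
SAMPLE_SPOOFED = (
    "Received: from host.example.org (host.example.org [203.0.113.99])\n"
    "\tby mx.recipient.example.org with ESMTP id z9; Tue, 02 Jan 2024 11:00:00 +0000\n"
    "From: user@corp.example.com\nSubject: constructed sample\n\nbody\n")
```

For `SAMPLE_COMPROMISED` the oldest hop is an authenticated submission accepted by the customer's server, which matches the situation this article covers; `SAMPLE_SPOOFED` carries the same From address but never touched the customer's environment.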

Immediate Steps to Take

  1. Lock down the user's account and immediately change the password. (Change password instructions)
  2. Ensure the user does not re-use that password.
  3. Scan all devices the user has been using. 


Don't forget:

After the admin has changed the account password and scanned the environment, the account can be re-enabled.