Compromised Account
A legitimate mailbox controlled by an attacker for sending phishing or spam.
What is a Compromised Account?
A compromised account occurs when an attacker gains unauthorized access to a legitimate user’s email or system credentials. Once inside, the attacker can send fraudulent messages, steal sensitive data, or spread malware using the victim’s trusted identity. In email security, compromised accounts are one of the most common sources of phishing and business email compromise (BEC) attacks.
Unlike spoofing, where attackers forge a sender's address from infrastructure they control, a compromised account involves a real, authenticated login. Mail sent from it leaves through the organization's own mail servers and passes SPF, DKIM and DMARC checks exactly as legitimate mail does, so it cannot be distinguished from genuine traffic by authentication results alone. That is what makes it harder to detect: the messages really do come from the verified domain and the named individual.
How Accounts Become Compromised
Threat actors use a variety of tactics to obtain credentials or bypass authentication controls, including:
- Phishing emails that trick users into entering login details
- Password reuse or weak password policies
- Malware and keyloggers that capture authentication data
- Exploiting unpatched systems or unsecured access points
- Lack of multi-factor authentication (MFA)
Risks of Account Compromise
Once an account is compromised, attackers can exploit it to:
- Send internal phishing messages or invoices
- Access confidential files or client data
- Pass SPF, DKIM and DMARC checks, since the messages originate from the domain's own authorized mail servers rather than from forged headers
- Damage sender reputation and trigger deliverability issues
In many cases, mailbox providers detect unusual activity and temporarily suspend or flag the account. However, without centralized visibility, organizations may not notice the compromise until damage has occurred.
Detecting and Preventing Compromise
Preventive measures include enforcing strong password policies, implementing MFA, and monitoring authentication logs for unusual IP addresses, locations or login times, as well as watching outbound sending behavior for sudden volume spikes, new recipient patterns or mailbox rules that forward or hide messages. Security frameworks like DMARC and SPF stop attackers from impersonating a domain from unauthorized infrastructure, but they do not block mail sent from a compromised mailbox, because that mail is fully authenticated. Detecting account compromise therefore depends on baselining each sanctioned sending source and investigating deviations from it, not on the pass/fail verdict alone.
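The following is an added example, not code from the original page or from DMARCeye, showing why the DMARC verdict alone does not reveal a compromised account and how a baseline does. It parses a constructed DMARC aggregate (RUA) report for example.com in the RFC 7489 Appendix C layout and triages each source: failing sources are spoofing attempts that the published policy handles, authenticated mail from an IP outside a hypothetical sanctioned-sender list is flagged for investigation, and authenticated mail from a sanctioned source whose count exceeds a multiple of its assumed baseline is flagged as a possible compromised mailbox. The sanctioned networks, their baselines and the spike factor are assumptions for the example.

```python
"""Triage a DMARC aggregate (RUA) report for signs of a compromised account.

Mail from a compromised mailbox passes SPF/DKIM/DMARC, so the report's verdict
cannot flag it. Compare each passing source against the sanctioned-sender
list and against a per-source volume baseline instead.
"""
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Assumed sanctioned senders for example.com (hypothetical operator data):
# network -> (label, expected message count per report period).
SANCTIONED = {
    ip_network("203.0.113.0/24"): ("corporate mail provider outbound", 150),
    ip_network("198.51.100.0/24"): ("marketing platform", 500),
}
SPIKE_FACTOR = 5  # assumed threshold: flag > 5x the baseline volume

# Constructed RUA report (RFC 7489 Appendix C element names), not a real one.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>constructed</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>9000</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>400</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>500</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def parse_records(xml_text):
    """Yield one dict per <record>, with the aligned DKIM/SPF results."""
    root = ET.fromstring(xml_text)
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        yield {
            "ip": ip_address(row.findtext("source_ip")),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        }


def sanctioned_entry(ip):
    """Return (label, baseline) if ip belongs to a sanctioned network, else None."""
    for net, entry in SANCTIONED.items():
        if ip in net:
            return entry
    return None


def triage(xml_text):
    """Return (ip, count, code, detail) per record; code is one of
    'spoof', 'unsanctioned-pass', 'volume-spike', 'ok'."""
    findings = []
    for r in parse_records(xml_text):
        # DMARC passes when either aligned identifier passes.
        dmarc_pass = r["dkim"] == "pass" or r["spf"] == "pass"
        entry = sanctioned_entry(r["ip"])
        if not dmarc_pass:
            code, detail = "spoof", "DMARC fail, disposition=%s" % r["disposition"]
        elif entry is None:
            code, detail = "unsanctioned-pass", "authenticated mail from a source not on the sanctioned list"
        elif r["count"] > SPIKE_FACTOR * entry[1]:
            code = "volume-spike"
            detail = "%s sent %d vs baseline %d: possible compromised mailbox" % (entry[0], r["count"], entry[1])
        else:
            code, detail = "ok", entry[0]
        findings.append((str(r["ip"]), r["count"], code, detail))
    return findings


if __name__ == "__main__":
    for ip, count, code, detail in triage(SAMPLE_RUA):
        print("%-15s %6d  %-17s %s" % (ip, count, code, detail))
```

Note that the compromised-mailbox candidate (203.0.113.10) passes both aligned DKIM and SPF with disposition none, indistinguishable by verdict from the healthy marketing source; only the comparison against its baseline separates them. Conversely, the spoofing source is the only one the published p=reject policy actually stops.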
Compromised Accounts and DMARCeye
DMARCeye identifies anomalies in mail authentication patterns that may indicate a compromised account. By analyzing sender IPs, DKIM selectors, and message origins, it detects unauthorized or suspicious activity even when emails pass authentication checks.
This early detection allows administrators to isolate affected accounts, reset credentials, and restore trust quickly before further abuse occurs.
Sign up for a free trial of DMARCeye today and secure your email domain.
To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.