PanicStation.org

What to do if…
you notice emails or messages being sent from your work account that you did not send

Short answer

Treat this as a suspected account compromise: contact your IT/security helpdesk immediately and ask them to lock the account, force a sign-out, and check for suspicious sign-ins and for unexpected forwarding or mailbox rules.

Do not do these things

  • Do not delete sent emails, security alerts, or logs — it can make it harder for IT to confirm what happened.
  • Do not keep using the account “to see what happens” or message the attacker back.
  • Do not click links or open attachments connected to this incident (even if they look internal).
  • Do not attempt password resets or “fixes” on a device you suspect might be compromised; if you have no alternative, call IT first and follow their instructions.
  • Do not send a mass apology/explanation to everyone yet unless your organisation asks — you could spread malicious links further or conflict with incident comms.

What to do now

  1. Pause and switch channel. Stop sending messages. Use a different trusted way to communicate (phone call, known helpdesk number, in-person) rather than replying from the possibly compromised account.
  2. Report it to IT/security immediately. Say: “I’m seeing emails/messages sent from my account that I did not send — please treat as suspected compromise.” Ask them to:
    • Temporarily disable/restrict sign-in
    • Force sign-out of all sessions
    • Reset your password and confirm MFA is enabled and working
    • Review recent sign-ins and any changes to mailbox rules/forwarding/delegated access/connected apps
  3. Preserve a minimal record (internally). Capture the minimum needed (timestamps, recipients, subject lines, any security alerts). Use screenshots only if allowed, and share them only through your organisation’s approved incident channel (not personal email or external services).
  4. Check for “silent” changes (only if IT says it’s safe to log in).
    • Look for unexpected forwarding, new inbox rules, auto-replies, or unknown delegate access/connected apps.
    • If you find something, capture the details and tell IT/security — don’t just delete it without guidance.
  5. Contain harm to colleagues/clients quickly.
    • Tell your manager (briefly) your account may have been used to send unauthorised messages.
    • With IT/security, identify who received the messages so the organisation can warn them not to click links or follow new payment/instruction changes.
  6. If invoices or payment details were involved, escalate internally now. Contact your finance/payments team (via a trusted route) so they can pause or verify transactions and supplier bank-detail changes.
  7. Secure related work access. If you reused passwords across work systems, assume they may be exposed. With IT guidance, update those credentials and ensure MFA remains on.
  8. If you suspect phishing started this, report the phishing safely. Use your organisation’s phishing reporting process. If (and only if) it’s permitted by policy and doesn’t disclose confidential company information, you can also forward the original phishing email you received to the UK’s suspicious email reporting address.

What can wait

  • You do not need to work out exactly how it happened right now — containment comes first.
  • You do not need to draft a detailed explanation to everyone who received messages unless your organisation directs it.
  • You do not need to decide whether this becomes an HR issue right now; focus on reporting and reducing harm.

Important reassurance

It’s normal to feel embarrassed or panicked, but this is a common attack pattern. Stopping use, reporting quickly, and preserving evidence are the actions that limit damage.

Scope note

These are first steps only. Your organisation may have additional security, HR, and data-protection steps once the account is secured.

Important note

This is general information, not legal or professional advice. Follow your employer’s IT/security policies and instructions. When in doubt, preserve evidence and report through approved channels rather than trying to “fix” it yourself.
