What to do if…
you notice emails or messages being sent from your work account that you did not send
Short answer
Assume your account is compromised: contact your IT/security team immediately to lock access, force sign-out, reset credentials, and check for suspicious sign-ins and forwarding/rules.
Do not do these things
- Do not delete the sent emails/messages, security alerts, or logs — it can destroy evidence your security team needs.
- Do not keep using the account to investigate or warn people from inside the compromised account.
- Do not click links/open attachments connected to this incident, even if they appear internal.
- Do not try to “clean” your inbox or remove rules unless your security team tells you to.
- Do not send a mass message to all recipients unless your security/communications team tells you to.
What to do now
- Pause and switch to a trusted contact method. Stop sending messages. Call your IT helpdesk/security team using a known number, or contact them in person/through an approved internal channel.
- Report it as suspected compromise and request immediate containment. Ask IT/security to:
  - Disable sign-in / lock the account until reviewed
  - Force sign-out of all sessions
  - Reset your password and confirm MFA is enabled and working
  - Review recent sign-in activity and any changes to mailbox rules, forwarding, delegated access, or connected apps
- Capture a small amount of evidence (then stop). Capture only what’s necessary (timestamps, recipients, subject lines, any alerts). If screenshots are allowed, share them only via your organization’s approved incident channel (not personal email or external services).
- Check the “silent persistence” settings (only if IT says it’s safe to log in).
  - Look for unexpected forwarding, inbox rules, auto-replies, or unknown connected apps
  - If you find something, document it and tell IT/security. Don’t just remove it without guidance.
- Contain harm to others fast.
  - Tell your manager your account may have been used to send unauthorized messages.
  - Work with IT/security to identify who received the messages so the organization can warn them not to click links or follow new instructions (especially payment changes).
- If invoices, bank details, gift cards, or wire instructions were involved, escalate immediately.
  - Contact your finance/AP team through a trusted channel to pause or verify transfers.
  - If money may have moved, your organization may also need to contact the relevant financial institutions quickly.
- Secure other work access. If any passwords were reused across work systems, assume they’re exposed. With IT guidance, update those credentials and keep MFA on.
- If external reporting is needed, follow your organization’s lead. If this looks like a business email compromise (especially involving payments), many organizations file a report with the FBI’s Internet Crime Complaint Center (IC3). Give your incident handler accurate facts and avoid contaminating evidence.
What can wait
- You do not need to prove whether this was malware, phishing, or a mistake right now — containment comes first.
- You do not need to write a detailed explanation to clients/vendors unless your organization directs you.
- You do not need to argue about blame or disciplinary implications in the moment; focus on rapid reporting and cooperation with the investigation.
Important reassurance
It’s common to feel embarrassed or panicked, but this is a known pattern of attack and it can happen quickly. Acting early — stopping use, reporting fast, preserving evidence — reduces harm.
Scope note
These are first steps to stabilize the situation. Your employer may have additional incident-response, legal/compliance, and communications steps after containment.
Important note
This is general information, not legal or professional advice. Follow your organization’s security policies and instructions. If money or sensitive data may be involved, escalate internally immediately rather than trying to handle it alone.
Additional Resources
- https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise
- https://www.ic3.gov/PSA/2020/PSA200406
- https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
- https://www.cisa.gov/secure-our-world/recognize-and-report-phishing