Protecting Your Email Account from Persistent Unauthorized Access: A Case Study and Best Practices
Email accounts sit at the centre of personal and professional communication, which also makes them prime targets for attackers. Resetting the password is the first thing most people do after a compromise, yet an account can stay in an attacker's hands after that reset. Here we explore a real-world case of a personal Hotmail account that was hijacked, and the problems that persisted even after the initial remediation steps.
Incident Overview
This morning at approximately 7:00 AM, the account owner learned of unusual activity: friends and family reported receiving suspicious emails from their Hotmail address asking for help and money. The inbox and Sent Items showed no visible trace of unauthorized use. Some of the scam messages had been moved to Deleted Items, and that folder had then been emptied, which is consistent with the attacker removing evidence of the sends.
Recognizing the urgency, the user changed the password at around 8:30 AM. The attacker's activity nonetheless continued: replies to the scam emails were still arriving as late as 11:15 AM. Notably, although messages kept going out from the compromised account, none of the replies to the scam offers appeared in the user's inbox and no new entries appeared in Sent Items, while ordinary mail such as personal correspondence and advertisements continued to arrive normally. Outgoing mail that never reaches Sent Items and replies that never reach the inbox are a pattern worth noting: it can result from the attacker deleting items as they go, and it is also exactly what an inbox rule that moves or deletes matching messages produces, so mailbox rules and forwarding settings are a standard check in any mailbox compromise investigation.
Investigation Steps and Findings
Device and Login Activity Checks:
The user opened the Microsoft account security settings to see which devices were signed in. Only two appeared: the current laptop and a former device, which had been removed. Mobile devices connected through Outlook were not listed there, so a separate check was needed.
Mobile Device Access and Sync History:
Through the Outlook settings, the user listed the mobile devices associated with the account. Most had last synchronized years ago; only the current iPhone showed recent activity. The user took this as a sign that the attacker might be holding onto the mailbox through a retained mobile session. Whether or not that was the case here, device sessions of this kind can remain authorized after a password change until they are explicitly removed, so stale entries should be deleted rather than left in place.
Login History Analysis:
Using the Sign-in Activity page, the user found numerous failed sign-in attempts from locations around the world between May 25 and May 30. The last successful sign-in was recorded on June 5, 2025, from the United States through an iOS Safari session, with the originating IP address shown. A burst of failures from many countries followed by a success is the signature of a password-guessing or credential-stuffing campaign that eventually got in, and it showed that the account had been under attack for well over a week before the scam emails were noticed.
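The triage the user did by eye on the Sign-in Activity page can be scripted. The following is an added example, not code from the original page: it parses a small set of constructed sign-in records (the comma-separated layout and the field names are this example's own assumptions, not an official Microsoft export format), detects a burst of failures from many countries inside a time window, and then flags any successful sign-in after the burst began that comes from an IP address that had never succeeded before it. The sample data is modelled on the timeline in the text but is invented.

```python
"""Sign-in activity triage (added example; record format is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    when: datetime
    success: bool
    country: str
    ip: str
    client: str


# Constructed sample, modelled on the incident timeline. Fields are assumed:
# timestamp (ISO 8601, UTC), result, country, source IP, client description.
SAMPLE_EVENTS = """\
2025-05-20T09:12:00Z,success,US,198.51.100.7,iOS Safari
2025-05-25T03:14:00Z,failure,BR,203.0.113.14,Unknown
2025-05-25T03:15:00Z,failure,NG,203.0.113.55,Unknown
2025-05-26T22:40:00Z,failure,RU,192.0.2.88,Unknown
2025-05-27T11:02:00Z,failure,VN,192.0.2.101,Unknown
2025-05-28T17:45:00Z,failure,ID,203.0.113.200,Unknown
2025-05-30T05:30:00Z,failure,IN,203.0.113.9,Unknown
2025-06-03T08:00:00Z,success,US,198.51.100.7,Windows Edge
2025-06-05T14:20:00Z,success,US,192.0.2.77,iOS Safari
"""


def parse_events(text):
    """Parse the constructed CSV layout into SignIn records, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, result, country, ip, client = [f.strip() for f in line.split(",")]
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(SignIn(when, result == "success", country, ip, client))
    return sorted(events, key=lambda e: e.when)


def find_failure_bursts(events, window=timedelta(days=7), min_countries=3):
    """Return (start, end, countries) for each window holding failures from
    at least `min_countries` distinct countries: the password-spray signature."""
    failures = [e for e in events if not e.success]
    bursts = []
    i = 0
    while i < len(failures):
        start = failures[i]
        # failures are sorted, so the window is a contiguous slice starting at i
        in_window = [f for f in failures if start.when <= f.when < start.when + window]
        countries = sorted({f.country for f in in_window})
        if len(countries) >= min_countries:
            bursts.append((start.when, in_window[-1].when, countries))
            i += len(in_window)
        else:
            i += 1
    return bursts


def flag_successes(events, bursts):
    """Successful sign-ins at or after the first burst began, from IPs that had
    never signed in successfully before the attack started."""
    if not bursts:
        return []
    attack_start = bursts[0][0]
    baseline_ips = {e.ip for e in events if e.success and e.when < attack_start}
    return [e for e in events
            if e.success and e.when >= attack_start and e.ip not in baseline_ips]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for start, end, countries in find_failure_bursts(evs):
        print(f"failure burst {start:%Y-%m-%d} to {end:%Y-%m-%d} from {countries}")
    for e in flag_successes(evs, find_failure_bursts(evs)):
        print(f"suspicious success {e.when:%Y-%m-%d %H:%M} {e.country} {e.ip} {e.client}")
```

The baseline is built only from successes that predate the burst, so a legitimate sign-in from a known device after the attack began is not flagged, while a success from a previously unseen address is. On real data the window and country threshold would be tuned to the account's normal travel and client mix.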
Challenges and Observations
Despite the password reset, the account remained compromised. Changing a password only stops new sign-ins with the old credential; sessions and tokens issued before the change, such as an authenticated mail client on a phone, a browser session, or credentials saved on a device, keep working until they are revoked. Remediation therefore has to include signing out of all active sessions (Microsoft accounts include a "Sign out everywhere" option for this), removing unrecognized devices, and reviewing mailbox rules and forwarding settings, not just the password change.
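To make the mechanism concrete, here is an added example (not code from the page, and not Microsoft's implementation): a toy in-memory account service whose sessions are bearer tokens. `change_password_rotate_only` models a service that merely re-hashes the password, which is why an attacker who already holds a session keeps it; `change_password_and_revoke` bumps a per-account session epoch so every token issued before the change stops validating, which is what a "sign out everywhere" control does. All names and the storage layout are this example's own.

```python
"""Why a password reset alone does not evict an attacker (added example)."""
import hashlib
import hmac
import os
import secrets


class AccountService:
    """Toy account service: bearer-token sessions plus a per-user session epoch."""

    def __init__(self):
        self.users = {}     # username -> {"salt": bytes, "hash": bytes, "epoch": int}
        self.sessions = {}  # token -> {"user": str, "epoch": int}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": self._hash(password, salt), "epoch": 0}

    def login(self, user, password):
        """Return a session token on a correct password, else None."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "epoch": rec["epoch"]}
        return token

    def session_valid_naive(self, token):
        # Weak check: any token still in the table is accepted, whatever has
        # happened to the account since it was issued.
        return token in self.sessions

    def session_valid_hardened(self, token):
        # Hardened check: the token must carry the account's current epoch.
        sess = self.sessions.get(token)
        return sess is not None and sess["epoch"] == self.users[sess["user"]]["epoch"]

    def change_password_rotate_only(self, user, new_password):
        # Models a reset that re-hashes the password and does nothing else.
        rec = self.users[user]
        rec["salt"] = os.urandom(16)
        rec["hash"] = self._hash(new_password, rec["salt"])

    def sign_out_everywhere(self, user):
        # Invalidates every previously issued token without touching the table.
        self.users[user]["epoch"] += 1

    def change_password_and_revoke(self, user, new_password):
        self.change_password_rotate_only(user, new_password)
        self.sign_out_everywhere(user)


def demo(user="victim@example.com"):
    """Walk through the incident: attacker logs in with the stolen password,
    owner resets it, and we ask whether the attacker's session still works."""
    svc = AccountService()
    svc.register(user, "old-password")
    attacker_token = svc.login(user, "old-password")  # attacker already has the password
    result = {}

    svc.change_password_rotate_only(user, "new-password")
    result["after_rotate_only"] = {
        "naive": svc.session_valid_naive(attacker_token),
        "hardened": svc.session_valid_hardened(attacker_token),
    }
    # The old password is dead, but the attacker no longer needs it.
    result["old_password_login"] = svc.login(user, "old-password") is not None

    svc.change_password_and_revoke(user, "newer-password")
    result["after_revoke"] = {
        "naive": svc.session_valid_naive(attacker_token),
        "hardened": svc.session_valid_hardened(attacker_token),
    }
    owner_token = svc.login(user, "newer-password")
    result["owner_new_session"] = svc.session_valid_hardened(owner_token)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

After the rotate-only reset the attacker's token validates under both checks, because nothing about the session changed. After the reset that also bumps the epoch, the naive check still accepts the stale token (its table entry is untouched) while the hardened check rejects it, and the owner's fresh login validates. Both halves matter: the reset must revoke, and the validator must actually consult the revocation state.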