Email account compromise (EAC)
Email account compromise occurs when attackers gain control of a legitimate mailbox and use it for internal phishing, data theft, and financial fraud, often remaining undetected for weeks.
What it is
Email account compromise (EAC) refers to an attacker gaining unauthorized access to a legitimate email account, typically a corporate mailbox in Microsoft 365 or Google Workspace. Unlike phishing that spoofs or impersonates a sender, EAC means the attacker is the sender, operating from the real account with full access to its history, contacts, and trust relationships.
EAC is sometimes confused with business email compromise (BEC), but the distinction matters: BEC is a fraud tactic that may or may not involve a compromised account, while EAC specifically describes the state of an account under attacker control.
How accounts get compromised
Attackers reach EAC through several vectors:
- Credential phishing. A fake login page captures the user's password, and the attacker logs in before a password reset occurs
- Adversary-in-the-middle (AiTM) session theft. A reverse-proxy attack completes the full authentication flow (including multi-step OAuth sequences) in real time and captures the resulting session cookie, bypassing time-based one-time passwords (TOTP) and push-based multi-factor authentication (MFA) entirely, which makes AiTM one of the most effective vectors for compromising protected accounts
- Token theft. Malware on the endpoint exfiltrates browser cookies or OAuth refresh tokens
- MFA fatigue. The attacker has a valid password and bombards the user with push notifications until they approve one
- OAuth consent phishing. A malicious app is granted mailbox access through a legitimate consent flow
In practice, the initial compromise often takes minutes. The attacker's dwell time inside the mailbox, before detection, averages weeks.
Post-compromise behavior
Once inside a mailbox, attackers typically establish persistence and begin exploitation:
- Inbox rules. Rules that auto-forward copies of incoming mail to an external address, or that move messages containing keywords like "invoice" or "payment" into hidden folders
- Internal BEC. Sending fraudulent payment requests or wire transfer instructions from the compromised account to colleagues, customers, or vendors who trust the sender
- Data exfiltration. Searching the mailbox for sensitive data, contracts, credentials, financial records, and exfiltrating it via the mail client or API
- Lateral movement. Using the compromised account to send phishing lures internally, leveraging organizational trust to compromise additional accounts
Attackers frequently create inbox rules first, ensuring they maintain visibility even if the user changes their password. A rule forwarding to an external address can persist through a password reset if administrators don't audit mail flow rules.
Detection signals
- Impossible travel. Sign-ins from geographically inconsistent locations within short time windows
- Mail rule changes. New forwarding rules, especially those targeting external addresses or using keyword filters
- Anomalous OAuth grants. New app consents that request mailbox or file access
- Unusual mail patterns. Sudden spikes in outbound mail volume, mail sent at atypical hours, or messages to previously unknown recipients
- MFA registration changes. New MFA methods added to the account from unfamiliar devices
Cloud identity platforms surface many of these signals through audit logs and anomaly detection policies, but they require active monitoring to be useful.
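Two of the signals above, impossible travel and suspicious mail rule changes, lend themselves to simple detection logic over audit records. The following is an added example, not code from the original article or from any identity platform: it runs over constructed sign-in and mailbox-rule events with an assumed, simplified field layout (the rule parameter names mirror Exchange Online's New-InboxRule parameters, but the record shape itself is made up for illustration), and the internal domain list and speed threshold are assumptions to tune per environment.

```python
"""Detect two EAC signals over constructed audit records: impossible travel
between consecutive sign-ins, and inbox rules that forward externally or
hide keyword-matched mail. Added example; sample data and schema are constructed."""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real tenant data). Field names are an assumed,
# simplified schema, not the exact layout of any vendor's audit log.
SIGNIN_EVENTS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:00:00Z", "ip": "203.0.113.10", "lat": 51.51, "lon": -0.13},  # London
    {"user": "alice@example.com", "time": "2024-05-01T08:40:00Z", "ip": "198.51.100.7", "lat": 40.71, "lon": -74.01},  # New York
    {"user": "bob@example.com",   "time": "2024-05-01T09:00:00Z", "ip": "192.0.2.5",    "lat": 48.86, "lon": 2.35},   # Paris
    {"user": "bob@example.com",   "time": "2024-05-01T15:00:00Z", "ip": "192.0.2.9",    "lat": 52.52, "lon": 13.41},  # Berlin
]
RULE_EVENTS = [
    {"user": "alice@example.com", "operation": "New-InboxRule", "parameters": {
        "Name": ".", "ForwardTo": "archive@attacker.example",
        "SubjectContainsWords": ["invoice", "payment"], "DeleteMessage": True}},
    {"user": "bob@example.com", "operation": "New-InboxRule", "parameters": {
        "Name": "Team updates", "MoveToFolder": "Projects", "From": "lead@example.com"}},
    {"user": "carol@example.com", "operation": "Set-InboxRule", "parameters": {
        "Name": "Receipts", "RedirectTo": "carol.finance@example.com", "SubjectContainsWords": ["receipt"]}},
]

INTERNAL_DOMAINS = {"example.com"}     # assumed: the organization's own mail domains
MAX_PLAUSIBLE_SPEED_KMH = 900.0        # assumed threshold, roughly airliner speed
EARTH_RADIUS_KM = 6371.0

# Rule parameters that send mail elsewhere, hide it, or select it by keyword.
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_KEYS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
KEYWORD_KEYS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")


def _parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive sign-ins per user whose implied ground speed is implausible."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _parse_time(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            hours = (_parse_time(cur["time"]) - _parse_time(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours > 0:
                speed = km / hours
            else:  # same timestamp: only a problem if the locations differ
                speed = float("inf") if km > 0 else 0.0
            if speed > max_speed_kmh:
                hits.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                             "km": round(km), "speed_kmh": round(speed)})
    return hits


def audit_inbox_rules(events, internal_domains=INTERNAL_DOMAINS):
    """Flag new or modified inbox rules with EAC persistence characteristics."""
    findings = []
    for e in events:
        if e["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p, flags = e["parameters"], []
        targets = [addr for k in FORWARD_KEYS for addr in _as_list(p.get(k))]
        external = [a for a in targets if a.rsplit("@", 1)[-1].lower() not in internal_domains]
        if external:
            flags.append("forwards_externally:" + ",".join(external))
        # Keyword filters are only suspicious when paired with hiding or external forwarding.
        if any(p.get(k) for k in KEYWORD_KEYS) and (external or any(p.get(k) for k in HIDE_KEYS)):
            flags.append("keyword_filter_with_hide_or_forward")
        name = p.get("Name", "")
        if not any(ch.isalnum() for ch in name):  # heuristic: names like "." or ".."
            flags.append("non_descriptive_name")
        if flags:
            findings.append({"user": e["user"], "rule": name, "flags": flags})
    return findings


if __name__ == "__main__":
    for h in detect_impossible_travel(SIGNIN_EVENTS):
        print(f"[travel] {h['user']}: {h['from_ip']} -> {h['to_ip']}, {h['km']} km at {h['speed_kmh']} km/h")
    for f in audit_inbox_rules(RULE_EVENTS):
        print(f"[rule] {f['user']}: rule {f['rule']!r} flagged: {', '.join(f['flags'])}")
```

In the constructed data only the London-to-New-York pair trips the travel check, and only alice's rule is flagged: bob's move-to-folder rule has no keyword filter, and carol's redirect stays inside the organization's domain. Real deployments would feed these functions from the tenant's unified audit log and geolocate IPs before the distance check.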
Response priorities
When EAC is confirmed, immediate steps include revoking all active sessions and refresh tokens, resetting the account password, auditing and removing suspicious mail rules, and reviewing OAuth app consents. Organizations should also notify downstream contacts who may have received fraudulent messages from the compromised account.
A compromised account sends mail that passes SPF, DKIM, and DMARC checks perfectly, because the messages genuinely originate from the organization's infrastructure. This makes EAC-sourced fraud invisible to email authentication controls, reinforcing the need for behavioral detection alongside protocol-level defenses.