Email Account Compromise Explained
Email account compromise (EAC) is a cyberattack where a threat actor gains unauthorized access to a legitimate email account and operates from inside it. The attacker controls the actual mailbox rather than spoofing the account holder from outside, giving them the ability to read messages, send emails as the victim, create mail flow rules, and leverage every trust relationship associated with that account.
EAC is a specific form of account takeover applied to email. MITRE ATT&CK catalogs the technique under T1586.002 (Compromise Accounts: Email Accounts), describing how adversaries compromise email accounts to conduct phishing, spam campaigns, and further operations using the victim's trusted identity.
How Email Account Compromise Works
Attackers gain mailbox access through several well-documented methods:
- Credential phishing. The most common entry point. A fake login page harvests the victim's username and password, often with a session token captured by an adversary-in-the-middle proxy toolkit.
- Password reuse. Credentials from previous breaches (sold on dark web marketplaces or collected by earlier credential-harvesting campaigns) are tested against corporate email portals through credential stuffing.
- OAuth abuse. The attacker tricks the victim into granting a malicious application persistent access to the mailbox via OAuth consent. This access survives password resets and MFA changes.
- Session token theft. Stolen browser cookies or authentication tokens allow attackers to bypass MFA entirely and access the mailbox without ever knowing the password.
Once inside, attackers follow a predictable operational sequence documented in MITRE ATT&CK T1114 (Email Collection). They create forwarding rules to exfiltrate incoming messages to an external address, read existing conversations to identify high-value targets, and then send messages from the compromised account to initiate invoice fraud, payment redirection, or data theft requests.
Email Account Compromise vs. Business Email Compromise
The FBI IC3 groups email account compromise and business email compromise together as "BEC/EAC," reporting combined losses exceeding $55 billion globally since 2013. Security teams, however, draw a meaningful operational distinction between the two.
BEC is the broader category. It includes any email-based fraud targeting business processes, whether the attacker uses a compromised account, a lookalike domain, or a spoofed display name. EAC is a subset of BEC where the attacker has genuine access to a real mailbox. This distinction matters for detection and response:
- Authentication checks do not help. In an EAC attack, SPF, DKIM, and DMARC all pass because the email originates from authorized infrastructure. The sender IS the legitimate account.
- Forwarding rules reveal persistence. EAC attackers frequently create hidden inbox rules that forward copies of all incoming mail, delete sent items to cover their tracks, or auto-move security alerts to obscure folders.
- Lateral movement is immediate. A compromised email account gives the attacker a launching point for thread hijacking, internal phishing, and privilege escalation, all from a trusted identity inside the organization.
Detecting Email Account Compromise
Because EAC passes every sender-authentication check, detection depends on behavioral signals rather than content or reputation filters:
- Anomalous login patterns. Logins from new devices, unfamiliar IP addresses, or geographically impossible locations (impossible travel).
- Mailbox rule changes. New forwarding rules, especially those targeting all incoming mail or specific keywords like "invoice," "payment," or "wire."
- Sending behavior shifts. Messages sent at unusual hours, to recipients outside the account holder's normal communication graph, or in bulk volumes inconsistent with baseline patterns.
- OAuth application grants. Unexpected third-party application permissions added to the mailbox that the user did not initiate.
Organizations that rely on static gateway rules to catch EAC will miss the attack because every technical indicator (sender, domain, authentication) looks legitimate.
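The behavioral signals above can be checked directly against mailbox audit data. The following is an added example, not IRONSCALES code; the event field names, the internal domain and the sample records are constructed assumptions, not any vendor's log schema.

```python
# Added example (not IRONSCALES code): scoring constructed mailbox audit
# events for the EAC signals described above. Field names are assumptions,
# not any vendor's schema.
import math
from datetime import datetime as dt

INTERNAL_DOMAIN = "example.com"            # assumption: the organisation's domain
PAYMENT_WORDS = {"invoice", "payment", "wire"}
def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    p1, p2 = math.radians(a[0]), math.radians(b[0])
    dphi, dlam = math.radians(b[0] - a[0]), math.radians(b[1] - a[1])
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(logins, max_kmh=900.0):
    """Flag logins needing more than airliner speed from the user's previous login."""
    last, alerts = {}, []
    for ev in sorted(logins, key=lambda e: e["time"]):
        prev = last.get(ev["user"])
        if prev:
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            speed = km_between(prev["geo"], ev["geo"]) / max(hours, 1e-9)
            if speed > max_kmh:
                alerts.append((ev["user"], prev["ip"], ev["ip"], round(speed)))
        last[ev["user"]] = ev
    return alerts

def rule_findings(rule):
    """Reasons a new inbox rule matches the EAC persistence pattern (empty = benign)."""
    found = []
    fwd = rule.get("forward_to", "").lower()
    if fwd and not fwd.endswith("@" + INTERNAL_DOMAIN):
        found.append("external forward")
    conds = {c.lower() for c in rule.get("conditions", [])}
    if not conds:
        found.append("all incoming mail")
    if conds & PAYMENT_WORDS:
        found.append("payment keywords")
    if rule.get("delete"):
        found.append("deletes after forwarding")
    return found

# Constructed sample events (not real data): one same-day Chicago -> Berlin login pair
# and two new inbox rules, one hidden-forward rule named "." and one benign one.
LOGINS = [
    {"user": "ap@example.com", "ip": "203.0.113.5", "geo": (41.9, -87.6), "time": dt(2024, 5, 1, 9, 0)},
    {"user": "ap@example.com", "ip": "198.51.100.7", "geo": (52.5, 13.4), "time": dt(2024, 5, 1, 11, 30)}]
RULES = [{"name": ".", "conditions": ["invoice", "wire"], "forward_to": "x@mail.invalid", "delete": True},
         {"name": "Newsletters", "conditions": ["newsletter"], "move_to": "Reading"}]
```

Running `impossible_travel(LOGINS)` flags the second login, and `rule_findings(RULES[0])` returns the three persistence indicators while the newsletter rule returns none.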
Email Account Compromise Protection from IRONSCALES
IRONSCALES detects email account compromise through behavioral AI that identifies anomalous sending patterns, mailbox rule changes, and communication deviations from compromised accounts.