When a University email account becomes compromised, the malicious hacker (a "phisher") can sometimes wreak havoc on it. This article provides a basic list of recommended actions that a University email user may need to take to restore the email account to normal condition. It may require a significant amount of time to repair a badly damaged account.
Potential Issues and Recommendations
How was the account compromised/hacked?
The most common way an email account becomes compromised is through responding to a phishing email. Phishing email messages are designed to trick the recipient into providing their credentials. More information about phishing can be found in our Phishing 101 article. If you've responded to a phishing message, or have been contacted by the IT Support team, please follow these steps.
Recommended Actions: If the user has not already done so, they need to visit https://beachid.csulb.edu/ and reset their BeachID password as soon as possible. If contacted by the IT Support team, the password has already been reset and the user will need to reactivate their account, which entails creating a new password. If the user is certain they did not respond to a phishing attempt, or if they do not know how their account was compromised, it is possible that their computer contains a virus/malware, so the computer should be scanned for vulnerabilities. If it is a campus-owned computer, the user should contact their local department/college tech for assistance. If it is a personally owned computer, the user can conduct their own scan if the machine has anti-virus software, or they should contact an experienced computer technician. A fee-based service is available on the 2nd floor of the University Bookstore by contacting Beach Tech services at BeachTech@csulb.edu or at (562) 985-7946.
Check that the outbound mail queue has been cleared of all offending messages
The standard process for addressing compromised accounts involves ITS temporarily disconnecting the mailbox to halt any further offending activity. This should stop any pending outgoing messages.
Recommended Action: It is still advised to check the "Outbox" folder and delete any unwanted outgoing mail, if any exists.
Continuous replies and bounces
This is a common residual effect of a compromised mailbox, where there will be continuous incoming email replies and bounced messages relating to email that was sent by the phisher.
Recommended Action: These messages will need to be deleted manually as they continue to come in, or they can simply be ignored. Another option is to create an Inbox rule (based on the subject line) to automatically send all these messages to the Deleted Items folder.
Another common residual effect of a compromised mailbox is when the phisher creates different types of inbox rules affecting incoming email. For example, an inbox rule may be created so that any new email coming to the Inbox folder will automatically be sent to the Junk Mail or Deleted Items folders, so it appears as though no new email is being received.
Recommended Action: Check to see if any unwanted Inbox rules exist and delete them. To do this in Outlook Web App (OWA), log in to mail.csulb.edu. In the top-right corner under the user's name, click on Options. Then select "Create an Inbox Rule…" This will show whether any Inbox rules exist, and the user will need to identify any rules that they did not create.
To do this in an Outlook client: go to the Home tab and, with the Inbox folder selected, go to the Rules option.
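For support staff reviewing an affected mailbox, the rule check described above can be scripted. The following Python is an added example, not part of the original article or of any University tooling. It assumes the mailbox's rules have been exported as a JSON list whose field names follow the properties of Exchange's Get-InboxRule cmdlet, it goes beyond the two folders named above by also flagging forwarding rules, and its sample data is constructed.

```python
import json

# Folders this article names as places a phisher's rule hides new mail.
HIDING_FOLDERS = {"deleted items", "junk mail", "junk email", "junk e-mail"}
# Assumed condition fields; a rule with none of them set matches every message.
CONDITION_FIELDS = ("SubjectContainsWords", "BodyContainsWords", "From",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords")
# Generalization beyond the article: actions that send mail out of the mailbox.
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")


def triage_rule(rule):
    """Return (severity, reasons) for one exported inbox rule."""
    reasons = []
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    if folder in HIDING_FOLDERS:
        reasons.append("moves mail to " + rule["MoveToFolder"])
    forwards = [f for f in FORWARD_FIELDS if rule.get(f)]
    if forwards:
        reasons.append("sends mail out via " + ", ".join(forwards))
    if not reasons:
        return "ok", reasons
    catch_all = not any(rule.get(f) for f in CONDITION_FIELDS)
    if catch_all:
        reasons.append("has no conditions, so it applies to all new mail")
    # A narrow delete rule, like the subject-based bounce cleanup suggested
    # earlier in this article, only needs the owner to confirm they made it.
    return ("high" if catch_all or forwards else "review"), reasons


def triage_rules(rules_json):
    """Map rule name -> (severity, reasons) for a JSON list of rules."""
    return {r.get("Name", "<unnamed>"): triage_rule(r)
            for r in json.loads(rules_json)}


# Constructed sample export, not taken from a real mailbox.
SAMPLE_RULES = json.dumps([
    {"Name": ".", "Enabled": True, "MoveToFolder": "Deleted Items"},
    {"Name": "Bounce cleanup", "Enabled": True, "DeleteMessage": True,
     "SubjectContainsWords": ["Undeliverable"]},
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Reading",
     "From": ["news@example.org"]},
    {"Name": "fwd", "Enabled": True, "ForwardTo": ["collector@example.net"],
     "SubjectContainsWords": ["invoice"]},
])

if __name__ == "__main__":
    for name, (sev, why) in triage_rules(SAMPLE_RULES).items():
        print(f"{sev:6} {name}: {'; '.join(why) or 'nothing to flag'}")
```

Rules marked "high" should be deleted unless the mailbox owner recognizes them; rules marked "review" only need the owner to confirm they created them.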
Deleted items folder
Oftentimes, a phisher will delete some or all email in the user's inbox.
Recommended Action: Deleted items can be recovered by following the steps in this article. These instructions will be similar for newer versions of Outlook. For instructions for the Outlook Web App, please see this Microsoft article: Recover deleted items or email in Outlook Web App.