Email Account Clean Up Process for Compromised Accounts

When a University email account becomes compromised, malicious hackers ("phishers") can wreak havoc on it. This article provides a basic list of recommendations that a University email user may need to follow to ensure the account is restored to normal. Repairing a badly damaged account may require a significant amount of time.

Potential Issues and Recommendations

Changing or resetting BeachID password (the 24-hour wait period)

Oftentimes, the Division of IT is automatically notified by Microsoft that an email account has been blocked for suspicious activity. This is one sign that an account is compromised. Additionally, the Division of IT may receive numerous reports of a campus email account that is sending phishing emails. In these situations, quick action is required to minimize the security risk to the campus network and resources. As a result, the Division of IT will often scramble the BeachID password of the compromised account and create a temporary password. The user must wait a minimum of 24 hours from the time the temporary password is created before they can create a new password. If more immediate assistance is needed, the user can contact the Technology Help Desk at (562) 985-4959 to have a new password activated sooner than the 24-hour period.

How was the account compromised/hacked?

The most common way an email account becomes compromised is through responding to a phishing email. Phishing email messages are designed to trick the recipient into providing their credentials. More information about phishing can be found in our Phishing 101 article. If you have responded to a phishing message, or have been contacted by the IT Support team, please follow these steps.

Recommended Actions: If the user has not already done so, they need to visit https://beachid.csulb.edu/ and reset their BeachID password as soon as possible. If contacted by the IT Support team, the password has already been reset and the user will need to reactivate their account, which entails setting new security questions and answers as well as creating a new password. If the user is certain they did not respond to a phishing attempt, or if they don't know how their account was compromised, their computer may be infected with a virus or other malware, so the computer should be scanned. If it is a campus-owned computer, the user should contact their local department/college tech for assistance. If it is a personally-owned computer, the user can run their own scan if the machine has anti-virus software, or they can contact an experienced computer technician. A fee-based service is available on the 2nd floor of the University Bookstore by contacting Beach Tech services at BeachTech@csulb.edu or at (562) 985-8876.

Check that the outbound mail queue has been cleared of all offending messages

The standard process for addressing compromised accounts involves ITS temporarily disconnecting the mailbox to halt any further offending activity. This should stop any pending outgoing messages.

Recommended Action: It is still advisable to check the "Outbox" folder and delete any unwanted outgoing mail, if any exists.

Continuous replies and bounces

This is a common residual effect of a compromised mailbox: a continuous stream of incoming replies and bounced messages relating to email(s) sent by the phisher.

Recommended Action: These messages will need to be deleted manually as they continue to come in, or they can simply be ignored. Another option is to create an Inbox rule (based on the subject line) that automatically moves all of these messages to the Deleted Items folder.

Inbox rules

Another common residual effect of a compromised mailbox is the phisher creating various Inbox rules that affect incoming email. For example, a rule may be created so that any new email arriving in the Inbox folder is automatically moved to the Junk Mail or Deleted Items folder, so it appears as though no new email is being received.

Recommended Action: Check to see if any unwanted Inbox rules exist and delete them.

To do this in Outlook on the web (formerly known as OWA), log into mail.csulb.edu. In the top-right, click on Settings (the gear symbol) and scroll down to the bottom of the page to select “Mail”.

Screenshot of Settings (gear symbol)

Screenshot of option Mail in settings

Then select "Inbox and sweep rules" located under "Automatic processing". This will show whether any Inbox rules exist; the user will need to identify any rules that they did not create.

Screenshot of Inbox and sweep rules

To do this in an Outlook client: Go to the Home tab and, while having the Inbox folder selected, go to the Rules option, as shown below.

Screenshot of Rules in Outlook client
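The two rule-related steps above (auditing and removing rules the user did not create, and adding a rule that discards replies and bounces from the phisher's message) can also be done from Exchange Online PowerShell, which is useful when the Help Desk is cleaning up a mailbox on the user's behalf. The following is an added example, not part of the original article and not a Division of IT script. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account is permitted to manage the mailbox; the mailbox address and the phishing subject line are placeholders.

```powershell
# Added example (not from the original article): audit and clean up Inbox rules on a
# compromised mailbox with Exchange Online PowerShell.
# Assumes: ExchangeOnlineManagement module installed; caller may manage the mailbox.
$Mailbox = 'user@example.edu'   # placeholder - replace with the affected account

Connect-ExchangeOnline

# 1. List every Inbox rule, including hidden ones that do not appear in Outlook,
#    with the properties a phisher typically abuses: deleting mail, moving it to
#    Deleted Items or Junk, marking it read, or forwarding/redirecting copies.
$rules = Get-InboxRule -Mailbox $Mailbox -IncludeHidden
$rules | Format-List Name, Enabled, Priority, DeleteMessage, MoveToFolder, MarkAsRead,
                     ForwardTo, ForwardAsAttachmentTo, RedirectTo, Description

# 2. Flag rules that delete, forward or redirect mail, or move it to Deleted Items/Junk.
#    Review these with the user: legitimate rules can do the same, so confirm before removing.
$suspect = $rules | Where-Object {
    $_.DeleteMessage -or $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    ($_.MoveToFolder -and $_.MoveToFolder -match 'Deleted Items|Junk')
}
$suspect | Format-Table Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo -AutoSize

# 3. Remove each rule the user confirms they did not create (run once per rule name).
#    Remove-InboxRule -Mailbox $Mailbox -Identity 'NAME OF UNWANTED RULE' -Confirm:$false

# 4. Cut down the bounce/reply noise: a rule that sends messages whose subject matches
#    the phisher's message to Deleted Items (DeleteMessage moves to Deleted Items, it
#    does not permanently delete). The subject text is a placeholder.
New-InboxRule -Mailbox $Mailbox -Name 'Discard replies to phishing message' `
    -SubjectContainsWords 'PLACEHOLDER PHISHING SUBJECT' `
    -DeleteMessage $true

# 5. Confirm the final rule set before handing the mailbox back to the user.
Get-InboxRule -Mailbox $Mailbox -IncludeHidden | Format-Table Name, Enabled, Priority -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Forwarding and redirect rules are worth checking even though the article's example only mentions rules that hide new mail, since a rule that copies incoming messages to an outside address keeps leaking the user's email after the password is changed.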

Deleted items folder

Oftentimes, a phisher will delete some or all of the email in the user's Inbox.

Recommended Action: Deleted items can be recovered by following the steps in this article. These instructions will be similar for newer versions of Outlook. For instructions for Outlook on the web (formerly known as OWA), please see this Microsoft article: Recover deleted email messages in Outlook on the web.

Details

Article ID: 57875
Created
Fri 7/20/18 9:24 AM
Modified
Wed 1/22/20 11:49 AM