What are the most common signs my email has been hacked?

Login alerts from cities or devices you do not recognize, forwarding rules or filters you did not create, sent items you did not send, OAuth grants tied to apps you do not use, recent changes to recovery email or phone, active sessions on devices you no longer own, two-factor codes arriving when you did not log in, account-creation emails for services you did not sign up for, and password-reset emails you did not request. Any one of these warrants a closer look. A pattern across several is a confirmed compromise.

Why is changing my password not enough?

Because the attacker is usually persistent through means a password change does not touch. Saved session tokens stay valid until explicitly revoked. OAuth grants keep working until removed. Forwarding rules continue to siphon mail to an attacker-controlled address. A modified recovery method lets the attacker re-take the account at will. The password is downstream of the actual fix. The correct sequence is rotate the password from a clean device, sign out all sessions, audit and remove forwarding rules and filters, revoke OAuth grants, then reset recovery methods.

What is a forwarding rule and why do attackers use it?

A forwarding rule is a built-in feature in Gmail and Microsoft 365 that automatically copies or forwards incoming email to another address. Attackers create one that quietly forwards every incoming message to an account they control, then leave the inbox otherwise untouched. They can then read everything, including password resets and bank notices, without ever logging in again. Audit Settings, Forwarding and POP/IMAP in Gmail and Outlook Mail Rules in Microsoft 365. Anything you did not create yourself is suspect.

How do I check for unauthorized OAuth app access?

In Gmail, go to your Google Account, then Security, then look for the section titled Your connections to third-party apps and services. In Microsoft 365, open My Account, then Security, then Apps and services that can access your data. Review every entry. Revoke anything you do not recognize, anything tied to an account or service you no longer use, and any app with broad scopes that does not need them. OAuth grants persist across password changes, which is precisely why attackers use them.

When should I call an investigator instead of cleaning it up myself?

Call an investigator if the compromise touched a business email and litigation, regulatory disclosure, or insurance claims may follow. If you suspect the attacker is someone you know, including a current or former intimate partner or a former employee. If money or assets were moved as a result of the compromise. Or if you need a court-admissible record of what was accessed and exfiltrated, which DIY cleanup destroys. The investigative engagement preserves evidence first, then performs cleanup, in that order.

Will my email provider tell me what was accessed?

Partially. Both Google and Microsoft expose limited security and sign-in logs in the user-facing security tab. What they do not show is saved session tokens on attacker devices, forwarding rules nested inside complex filter chains, OAuth tokens with broad scopes, mailbox-level data exfiltration through IMAP scrapes, and recovery-method changes older than thirty days. A forensic timeline pulls the deeper logs, including admin-level audit logs in Microsoft 365 and Workspace, and reconstructs what actually happened. That is what insurance and litigation will need.

How long should an email-compromise investigation take?

A focused individual case is typically scoped on hourly rates over two to five working days, covering log preservation, timeline reconstruction, exfiltration analysis, downstream-account review, and a written report. Business cases involving multiple mailboxes, regulatory exposure, or BEC-style wire fraud run longer. The first call is short and intended to scope the work. We will tell you up front whether your situation is something you can clean up yourself with the article on this page or whether the engagement makes sense.

Is Your Email Hacked? 10 Signs to Check Forensically

All articles·7 min read·April 26, 2026

Read this first

Most people change their password the moment they suspect a hack and assume the problem is over. The attacker is usually still there — through a saved session token, an OAuth grant, a forwarding rule, or a recovery method they added before you noticed. The password is downstream of the actual fix.

Ten forensic signs your email is compromised

Login alerts you cannot place. Sign-ins from cities, browsers, or devices you do not recognize. Always check the IP and city, not just the device name (which the attacker can spoof).
Forwarding rules you did not create. The single most common attacker persistence move on Gmail and Microsoft 365: a rule that quietly forwards every incoming email to an attacker-controlled address. Check Settings → Forwarding and POP/IMAP (Gmail) or Outlook → Mail → Rules.
Filters that auto-delete or auto-archive. Attackers hide their tracks by filtering security alerts straight to trash. Check filter rules — anything that filters on words like "security", "Apple", "Microsoft", "PayPal", or "verification" is suspicious.
Sent items you did not send. Especially small "Hi, are you free?" type emails to your contacts — that is the early stage of a friend-asking-for-money scam using your account.
Unfamiliar OAuth grants. Apps with access to your email. Gmail: Manage your Google Account → Security → "Your connections to third-party apps and services." Microsoft 365: My Account → Security → Apps & services that can access your data. Revoke anything you do not recognize.
Recovery email or phone changed. Without your knowledge. This is how an attacker locks you out permanently.
Sessions on devices you no longer own. Especially old phones, work laptops, or shared computers. Active sessions live for months unless explicitly revoked.
2FA codes arriving when you did not log in. Indicates the attacker has your password and is trying to bypass 2FA.
Account creation emails for services you did not sign up for. The attacker is using your inbox to set up accounts elsewhere.
Password reset emails you did not request. The attacker is trying to pivot from your email into your bank, social, or work accounts.

What the platform "Security" tab will not show you

Saved session tokens on devices the attacker controls
Forwarding rules hidden behind nested filters
OAuth tokens granted to malicious apps with broad scopes
Mailbox-level data exfiltration via IMAP scrapes
Recovery method changes made more than 30 days ago

The order of operations to actually clean up

From a clean device (not the suspected compromised one), change your password.
Sign out of all sessions everywhere — Gmail "Sign out of all other Gmail web sessions"; Microsoft 365 admin → revoke all sessions.
Re-enroll in MFA on a new device. Generate new backup codes.
Audit and remove every forwarding rule and filter you do not recognize.
Audit and revoke OAuth grants.
Reset recovery email and recovery phone.
Audit downstream accounts — bank, social, work, password manager — that share that email for password resets.
Pull a forensic timeline if there is any chance you'll need to prove what happened (litigation, employment, identity theft case).

When to call an investigator

If any of these apply, do not DIY:

The compromise affected a business email and litigation, regulatory, or insurance claims may follow
You suspect the attacker is someone you know (intimate partner, ex, former employee)
Money or assets were moved as a result of the compromise
You need a court-admissible record of what was accessed and exfiltrated

We run account compromise investigation and forensic recovery for individuals and businesses — including evidence-of-access timelines that hold up in litigation. If your case overlaps with identity theft, we coordinate the two engagements together.