The Anatomy of Your Inbox Getting Owned
You will have seen this. Either by receiving a bogus looking email from someone you trust (not spoofed — actually from their mailbox), or maybe it has happened to you. A hacker has broken into an inbox and fired off a batch of dodgy emails with links to fake sites, payment requests, document shares, or mystery PDFs.
Annoying, sure. Embarrassing, definitely (does my dentist really think I should invest in crypto?). But that is just the bit you see.
What is actually going on behind the scenes is a lot more strategic, patient and profitable than most people realise.
The inbox itself is not the end goal. It is the access point. Once they are in, the attacker is not thinking about spamming your clients for fun. They are thinking about invoices, suppliers, finance teams, document access, payroll, stored credentials, payment approvals, and how long they can stay inside without being noticed. And to make matters worse, they are also extracting historical data for future use.
And this is not happening to one type of business. I am seeing it in GP surgeries, accountants, legal firms, building contractors, software vendors and anyone else using Microsoft 365 or Google Workspace without proper controls.
So, let’s break down what is really happening when an email account gets compromised — how they get in, what they do next, and how they make money from it.
How they get in
Attackers get into your mailbox in a few different ways. The most common is phishing. You click a link, land on a login page that looks familiar, enter your email and password, and you have just handed your credentials over. Another route is credential reuse. A completely unrelated website gets breached, your details end up in the wild, and attackers try the same login and password combo across other services. Some people still have malware or keyloggers quietly capturing everything they type. But realistically, nine times out of ten, it is the basic phishing link that does the job.
Why Mailboxes?
Email accounts are a goldmine. They hold invoices, quotes, contracts, payroll details, bank info, client conversations, system alerts, password resets and document links. An attacker does not need access to your accounting software, PMS, EDRMS or CRM if they can reset the password and wait for the confirmation email to land in your inbox. They also know that people trust mail from real accounts. A fake invoice from a spoofed address might be ignored, but one sent from your actual mailbox has a much higher chance of being paid. Even small firms have suppliers, customers and regular workflows that can be exploited. Email gives attackers access, legitimacy and information in one place.
One of the first things they often do after extraction is use your trust to scale their attack. They will send misleading messages to everyone in your address book, mostly containing phishing links or requests that look normal because they come from you. The exact next step depends on the trust profile of your mailbox. If you send a lot of invoices, they will probably send fake invoices and payment-change requests. If you send trusted appointment links or patient messages, they will send phishing links that look like appointment confirmations or attachments. If you regularly run payroll updates, they may target payroll with bank detail changes. They pick the angle that will convert best for your contacts.
Then What?
After the initial sweep and the mass sends to your contacts, they switch to a mixture of stealth and monetisation. They look for bank details and payment instructions to redirect cash quickly. They look for password reset emails and service confirmations to pivot into other systems. They set up forwarding rules and grant OAuth permissions so they can keep seeing mail even if you change your password. They search past messages for patterns they can exploit, like who signs off on invoices, who authorises payments, what language you use in supplier correspondence and which clients are due funds.
The short version is this. Your inbox becomes a trusted relay. Attackers use it to steal money, harvest credentials, sell data and to launch more convincing attacks from a source people already trust. They do not need to be dramatic about it. The quiet, well timed email will do far more damage than a noisy breach.
SSShHHHIIIIIitTT!!! I’ve been breached. What do I do now?
Step 1 — contact CySura. Seriously. The biggest mistakes happen in the first few hours after a breach. If you try to wing it or only change the password, you risk leaving the attacker inside your system.
After that, here is what needs to happen fast:
1. Log the account out of every active session.
Do this through your Microsoft 365 or Google admin settings. If you only reset the password, the attacker may still be connected.
2. Change the password to something strong and unique.
Not a variation. Not something already used elsewhere.
3. Turn on Multi-Factor Authentication (or reset it).
If MFA was already on, reset the methods and re-enrol. Attackers often add their own device. This isn’t foolproof, there are plenty of phishing attacks out there that bypass MFA requirements, but it will certainly help.
4. Check mailbox rules and connected apps.
You are looking for:
- Forwarding rules
- Hidden inbox rules
- Third-party apps with access
Remove anything you did not set up.
5. Check Sent and Deleted Items.
Look for messages you did not send, especially to clients, suppliers or staff.
6. Warn anyone who may have received dodgy emails.
Especially if invoices or links were involved. If you are a highly trusted business, this is the point where we call in some PR (public relations) support to help craft messaging aligned to your brand.
7. Contact your bank if there is any financial risk.
Speed matters. Clawbacks only work if you act.
8. Get logs and traces pulled immediately.
You want timestamps, IPs, app connections and message trails to see how far they went.
Do not sweep it under the rug. The breach itself is not the worst part, it is the fallout if you do nothing. Also consider that mandatory privacy breach reporting is here in NZ, and mandatory breach reporting (regardless of leakage) is coming for NZ and already exists in Australia.
How do I stop it happening in the first place?
Step 1 — contact CySura before it happens.
Prevention is cheaper, faster and far less embarrassing than recovery.
Here is what we lock down straight away:
1. Mandatory MFA for every mailbox.
Not optional. Not “rolling out soon.” If a password is stolen, MFA stops the login in a good percentage of attacks. Don’t rest on your laurels though, I will happily teach you how to use techniques to bypass MFA to access phished accounts. (In the name of preventative education, of course.)
2. Disable legacy logins like IMAP and POP.
These bypass MFA and most monitoring.
3. Enforce strong, unique passwords.
Use a password manager. Stop the reuse problem.
4. Audit mailbox rules and app access regularly.
Forwarding, redirect and “helpful” automation often hide the breach.
5. Protect finance workflows.
No bank detail changes without phone verification using known numbers.
6. Train staff properly.
Real examples, not outdated PowerPoints. Get some real security awareness education. (see Step 1)
7. Have a response plan written down.
If someone gets breached at 10am, you cannot be scrambling at lunchtime.
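Both the “check mailbox rules and connected apps” step in the response list and the “audit mailbox rules and app access regularly” item above come down to one question: which rules would keep an attacker reading, or hide the evidence? The script below is an added example (not CySura’s tooling and not from the original post) that scores an exported rule list for exactly those patterns; it assumes the rules were exported from Exchange Online with Get-InboxRule piped to ConvertTo-Json, so the property names follow that cmdlet’s output, and the sample export and the example.co.nz domain are constructed.

```python
import json
import re
# Domains treated as internal when checking where a rule forwards mail (assumed for this example).
OWN_DOMAINS = {"example.co.nz"}
# Subject words attackers commonly filter on to hide replies, alerts and password resets.
SENSITIVE = re.compile(r"invoice|payment|bank|password|reset|security|hacked", re.I)
# Folders where parked mail is unlikely to be noticed by the mailbox owner.
PARK_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history", "junk email"}

def _addresses(value):
    """Pull SMTP addresses out of Get-InboxRule recipient strings such as 'Bob [SMTP:bob@x.com]'."""
    items = value if isinstance(value, list) else ([value] if value else [])
    return [m.group(0).lower() for item in items
            if (m := re.search(r"[\w.+-]+@[\w.-]+\.\w+", str(item)))]

def classify_rule(rule, own_domains=OWN_DOMAINS):
    """Return the reasons one inbox rule looks like attacker persistence ([] means nothing found)."""
    findings = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in _addresses(rule.get(key)):
            if addr.rsplit("@", 1)[1] not in own_domains:
                findings.append(f"{key} sends mail to external address {addr}")
    subject = " ".join(rule.get("SubjectContainsWords") or [])
    # MoveToFolder is rendered as 'mailbox\Folder' (or ':\Folder'); keep only the leaf folder name.
    folder = str(rule.get("MoveToFolder") or "").rsplit("\\", 1)[-1].strip().lower()
    if SENSITIVE.search(subject):
        if rule.get("DeleteMessage"):
            findings.append(f"deletes mail whose subject contains: {subject}")
        elif folder in PARK_FOLDERS:
            findings.append(f"parks mail whose subject contains '{subject}' in '{folder}'")
        elif rule.get("MarkAsRead"):
            findings.append(f"silently marks mail whose subject contains '{subject}' as read")
    if not re.search(r"\w", rule.get("Name") or ""):
        findings.append("rule name is blank or punctuation only (a common attacker habit)")
    return findings

def audit_export(rules_json, own_domains=OWN_DOMAINS):
    """Run classify_rule over a JSON export and return {rule name: findings} for flagged rules only."""
    rules = json.loads(rules_json)
    rules = rules if isinstance(rules, list) else [rules]  # ConvertTo-Json emits a bare object for one rule
    return {r.get("Name") or "<unnamed>": hits for r in rules if (hits := classify_rule(r, own_domains))}

# Constructed sample export (not real data): one benign rule and three classic persistence rules.
SAMPLE_EXPORT = json.dumps([
    {"Name": "Newsletters", "Enabled": True, "SubjectContainsWords": ["digest"], "MoveToFolder": "user\\Newsletters"},
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["invoice", "payment"], "DeleteMessage": True},
    {"Name": "Backup", "Enabled": True, "ForwardTo": ["Backup [SMTP:archive@mail-relay.example]"]},
    {"Name": "Alerts", "Enabled": True, "SubjectContainsWords": ["password reset"], "MoveToFolder": ":\\RSS Subscriptions", "MarkAsRead": True},
])
```

Running audit_export over a real export flags only the rules worth a human look; connected OAuth apps are a separate check in the admin portal and are not covered by this script.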
Attackers go after the path of least resistance. We make sure that path is not your organisation.