Incident Response
Slow the situation down
Not every weird email means compromise, but every scare deserves a basic sequence: identify the affected account, confirm recent activity, and protect recovery paths first.
Incident Response
Protect the critical path
Start with the primary email and any account that controls recovery for others. Then review active sessions, change relevant credentials, and check MFA settings.
Review active sessions and recent login activity
Change passwords for affected critical accounts
Check whether forwarding or filter rules were modified
Incident Response
Document what you noticed
Write down what happened, when it happened, and what you changed. This makes it easier to spot what is real and what is just fear or noise.
Takeaway
A structured first hour beats a panicked full-day cleanup every time.