Email interception usually means an attacker has found a way to read, redirect, or act on messages before you notice. The cause may be phishing, a compromised mailbox, malicious forwarding rules, stolen sessions, weak MFA, or a business email compromise.
Warning signs of email interception
- Messages disappear or show as read unexpectedly
- Unknown forwarding rules or filters appear
- Password reset emails arrive for other services
- Contacts receive messages you did not send
- Payment, invoice, or bank instructions are changed
- Login alerts show unfamiliar devices or locations
- MFA prompts appear when you are not signing in
How attackers intercept email
Attackers may use phishing pages, stolen passwords, OAuth app abuse, session theft, malicious browser extensions, malware, mailbox forwarding, or compromised admin accounts.
Recovery checklist
- Change the email password from a trusted device.
- Enable MFA, preferably an authenticator app or security key.
- Sign out all sessions.
- Remove unknown forwarding rules, filters, delegates, and connected apps.
- Review recovery email and phone settings.
- Check financial, cloud, domain, social, and admin accounts tied to the mailbox.
- Preserve evidence if money, customers, or legal issues are involved.
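The forwarding-rule and filter review from the checklist can be scripted. The sketch below is an added example, not code from the original page; it assumes a Gmail mailbox whose filters were exported to XML from the Filters settings page, and the keyword watch list and sample export are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"
# Filter actions that hide mail from the mailbox owner.
HIDING = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
# Assumed watch list, drawn from the payment and reset warning signs above.
KEYWORDS = ("invoice", "payment", "bank", "password")

# Constructed sample export; not taken from a real mailbox.
SAMPLE = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='News'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='invoice OR payment'/>
    <apps:property name='forwardTo' value='collector@example.net'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>"""

def audit_filters(xml_text, trusted_forward_targets=()):
    """Return one finding per filter that forwards or hides mail."""
    findings = []
    trusted = {t.lower() for t in trusted_forward_targets}
    for index, entry in enumerate(ET.fromstring(xml_text).iter(ATOM + "entry"), 1):
        props = {p.get("name"): p.get("value", "") for p in entry.iter(APPS + "property")}
        reasons = []
        target = props.get("forwardTo", "").lower()
        if target and target not in trusted:
            reasons.append("forwards to " + target)
        reasons += [a for a in HIDING if props.get(a) == "true"]
        criteria = " ".join(props.get(k, "") for k in ("from", "subject", "hasTheWord")).lower()
        hits = [w for w in KEYWORDS if w in criteria]
        if hits and reasons:  # sensitive terms only matter when mail is moved or hidden
            reasons.append("matches sensitive terms: " + ", ".join(hits))
        if reasons:
            findings.append({"filter": index, "criteria": criteria.strip(), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_filters(SAMPLE):
        print(f"filter #{f['filter']} [{f['criteria']}]: " + "; ".join(f["reasons"]))
```

Save a copy of the export before deleting any flagged filter, since it may be needed as evidence. Pass forwarding addresses you set up yourself as `trusted_forward_targets` so they are not reported.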
For account recovery, read How to Get a Hacked Account Back. For business or evidence-sensitive cases, review the Digital Forensic Investigation Retainer.
FAQ
How do I know if my email is being intercepted?
Look for unknown forwarding rules, login alerts, missing messages, sent messages you did not create, and suspicious payment or reset activity.
Can email interception affect other accounts?
Yes. Email often controls password resets for banking, cloud, social media, domains, and business tools.
When should I get forensic help?
Use forensic help if the mailbox is tied to fraud, business payments, customer data, legal evidence, or repeated compromise.