How do mail providers lock accounts post-compromise?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
When a mail provider detects that an account has been compromised, the response is fast and layered. The goal is to stop the abuse immediately without permanently destroying the account's ability to recover.
The first action is almost always sending suspension. The moment unusual patterns are detected (volume spike, spam complaints from recipients, authentication from an unrecognized location), outbound sending gets blocked. The account can't send anything until the issue is resolved. This protects both recipients and the provider's reputation infrastructure.
Session invalidation follows quickly. All active login sessions are terminated. This kicks out the attacker even if they're in the middle of a campaign. Simultaneously, API keys associated with the account are revoked, which closes the programmatic access route attackers prefer for scale.
Password reset requirements are triggered, which the legitimate account holder has to complete before regaining access. This is why having a valid recovery email or phone number on your ESP account matters: if the attacker has also compromised the recovery options, regaining access becomes significantly harder.
After the immediate lockdown, providers typically do a review before restoring sending capability. They'll examine what was sent during the compromise, assess reputation damage, and sometimes require additional verification or explanation before re-enabling the account. This review process can take 24 to 72 hours depending on the provider.
For senders who've been through this: enabling MFA before something like this happens is the single most effective prevention. For ESPs with API access, using separate API keys with limited permissions for different systems means a compromised key in one system doesn't give an attacker full account control. If you're currently locked out of a compromised account, contact your ESP's trust and safety team directly through verified contact channels, not through any link in an email.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.