How to detect hacked ESP or phishing abuse?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You logged into your ESP dashboard this morning and noticed a campaign you definitely didn't create, scheduled to send tomorrow. Your first instinct is right. Something's wrong.

Account compromise in an ESP context usually means one of two things: Someone has your login credentials and is sending phishing emails using your account, or someone's stolen your API key and is injecting campaigns through your integrations. Either way, you're not in control anymore.

Start with API activity logs. Most ESPs let you see every API call made from your account, including the IP address it came from. Look for anything you don't recognize. New API keys you never created? Activity from unfamiliar IP addresses at odd hours? That's a red flag. ESPs also show timestamps, so if you see API calls happening while you were asleep or offline, somebody else has access.

Next, dig into campaigns. Check your template library for templates with suspicious content. Do you see campaigns scheduled that you didn't create? Are there sends scheduled for times when nobody on your team would be working? That's a classic sign of unauthorized use. Some attackers set up automated sends so they can scale their phishing operation.

Keep an eye on bounces and complaints. A sudden spike in complaints or bounces can mean your domain is being used for phishing. Recipients are reporting emails that aren't actually from you, or their inboxes are rejecting mail that looks malicious. You might also get reports directly from abuse desks at major ISPs. Gmail, Outlook, Yahoo, and corporate security teams sometimes email directly when they catch phishing using your domain.

Set up email alerts in your ESP for suspicious activity. Most platforms let you trigger notifications when new API keys are created, when someone logs in from a new location, or when scheduled sends are created outside business hours. That gives you a shot at catching compromise early.

For prevention, enable two-factor authentication immediately on your ESP account. Rotate your API keys every 90 days. Keep an access log and audit your team members' permissions quarterly. Limit API key permissions to only what each integration actually needs (if a tool only needs to send emails, don't give it template edit permissions).

If you suspect you're already compromised, change your ESP password now, rotate all API keys, and review your account activity for the past 30 days. Flag any suspicious sends or templates for deletion. Then contact your ESP's security team. They can force log out all active sessions and help you secure the account.

Check your account logs today. If you see anything unfamiliar, secure your account immediately and notify your ESP support team.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Secure my ESP account

I'm worried my ESP account is compromised or being used for phishing. What subtle red flags should I watch for? How often should I audit API activity and team access?

Edit the yellow boxes, then send to the AI of your choice.