How to identify a compromised sending account?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine logging into your ESP one morning and seeing your sent volume tripled overnight. You didn't schedule anything. Nobody on your team did either. That's one of the clearest signs your sending account has been compromised, and every hour you wait makes the reputation damage worse.
Here's how to spot it before it spirals.
Volume signals
The most obvious red flag is a sudden spike in outbound volume that doesn't match anything you scheduled. Think 10,000 sends on a Tuesday at 3am when your normal cadence is 500 sends on weekday afternoons. Unusual sending hours matter too. If your audience is in the US and your logs show a big batch going out at 4am local time, that's worth investigating. It's not proof on its own, but pair it with anything else on this list and it gets serious fast.
Content you didn't write
Pull up your sent message logs and look for anything unfamiliar. Campaigns you don't recognize, templates you never built, links pointing to domains that aren't yours. Attackers who get into sending accounts often push phishing content through your infrastructure because your domain has real reputation they can exploit. If you see anything that looks off, don't assume it was a teammate's test.
Recipient anomalies
Check your bounce reports and recipient lists. Are emails going to addresses you've never imported? International domains you don't serve? If you run a US business and you're suddenly seeing bounce records for addresses in regions you've never touched, that's a strong signal someone else is using your account to send to their list.
External signals
Sometimes the outside world tells you before your own logs do. A sudden blocklist listing citing spam, abuse complaints coming in from people you've never emailed, or your ESP sending you a suspicious activity notification. All of these are worth treating as urgent, not as noise. Check your domain against a blocklist as a quick first step. You can use our free Blocklist Checker to see if anything has been flagged.
What to do the moment you suspect it
Don't wait to confirm. Act on suspicion. Change your account password immediately and enable two-factor authentication if it wasn't already on. Rotate any API keys connected to your sending account. Review which users have access and remove anyone who shouldn't. Then pause outbound sending while you check your logs. The short pause hurts far less than continuing to send compromised content.
And once you've secured access, audit your recent sent campaigns, check your suppression lists for tampering, and look at your abuse desk notifications for anything that came in while the compromise was active. If your domain ended up on a blocklist, you'll need to go through a delisting process after you've confirmed the account is clean.
If this is happening right now and you're not sure where to start, our SOS hotline is free. No pitch, just help.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.