Work email compromised on a personal computer is becoming a common and serious risk for businesses using cloud platforms like Microsoft 365.

A recent incident we handled showed how quickly a business can be exposed when staff access work email from an unmanaged personal device.

In this case, a staff member was using their Microsoft 365 email on a home computer that was not managed, monitored, or secured to business standards. It had no endpoint protection, no visibility, and no controls in place.

At some point, a malicious link was clicked or harmful content was interacted with. While the exact trigger could not be confirmed, the outcome was clear — the mailbox was compromised and used to send approximately 1,700 phishing emails to external contacts and vendors.

This type of incident is exactly why businesses need proper cyber security controls in place, even when using cloud services.

What Happened

The user’s work email account was accessed from an unmanaged personal computer. This created a significant security gap, as the device sat completely outside the business IT environment.

Once compromised, the mailbox was used to send a large volume of phishing emails to external recipients. Because the emails were coming from a legitimate business account, they appeared trustworthy and were far more likely to be opened.

How We Confirmed the Compromise

The issue was identified after suspicious outbound email activity was detected.

We reviewed Microsoft 365 message trace logs and confirmed that the mailbox had been sending phishing emails externally. The volume and behaviour clearly indicated a compromised account.

The Remediation Steps We Took

1. Blocked Sign-In Immediately

The first step was to stop any further access to the account.

We blocked sign-in through Microsoft 365, preventing the attacker from continuing to use the mailbox.

2. Reset the Password

The user’s password was reset immediately to invalidate any compromised credentials.

This is a critical step in any Microsoft 365 incident response.

3. Reset Multi-Factor Authentication (MFA)

The attacker had control over the account’s MFA setup.

We reset MFA completely, removing any unauthorised authentication methods and allowing the business to securely reconfigure access.

4. Reviewed Email Trace Logs

We analysed Microsoft 365 trace logs to determine the scale of the incident and identify affected recipients.

5. Assisted with External Notification

The business was advised to notify affected contacts immediately.

This step is critical to prevent further compromise, as recipients may trust emails coming from a known sender.
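The five steps above, scripted end to end, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK and Exchange Online PowerShell; the account name, the admin permissions held by the responder, and the output file path are assumptions.

```powershell
# Added example (not the original post's code): the five containment steps above, scripted with
# the Microsoft Graph PowerShell SDK and Exchange Online PowerShell. Assumes admin rights
# sufficient to disable users, reset passwords and manage authentication methods.
param(
    [Parameter(Mandatory)] [string] $Upn,  # compromised mailbox, e.g. user@example.com (placeholder)
    [int] $LookbackDays = 10                # Get-MessageTrace only covers the last 10 days
)

Connect-MgGraph -Scopes "User.ReadWrite.All","UserAuthenticationMethod.ReadWrite.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Block sign-in, then revoke refresh tokens so already-open sessions die as well
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. Reset the password to a random value and force a change at next sign-in
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = [Convert]::ToBase64String($bytes)
    ForceChangePasswordNextSignIn = $true
}

# 3. Remove every registered MFA method so any attacker-added method is gone;
#    the user re-registers MFA after the helpdesk verifies them out of band
foreach ($m in Get-MgUserAuthenticationMethod -UserId $Upn) {
    switch ($m.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId $m.Id }
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $Upn -SoftwareOathAuthenticationMethodId $m.Id }
        '#microsoft.graph.emailAuthenticationMethod' {
            Remove-MgUserAuthenticationEmailMethod -UserId $Upn -EmailAuthenticationMethodId $m.Id }
        # the password method cannot be removed; FIDO2 / Windows Hello keys have their own Remove-* cmdlets
    }
}

# 4. Pull the outbound message trace to size the incident and find who was hit
$trace = Get-MessageTrace -SenderAddress $Upn -PageSize 5000 `
    -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date)
$ownDomain = ($Upn -split '@')[1]
$external  = $trace | Where-Object { $_.RecipientAddress -notlike "*@$ownDomain" }
"$($trace.Count) messages sent in the window; $($external.Count) went to external recipients"

# 5. Export the distinct external addresses as the notification list for the business
$external | Select-Object -ExpandProperty RecipientAddress -Unique |
    Set-Content -Path ".\notify-$($Upn -replace '[@.]','_').txt"   # path is an assumption
```

Get-MessageTrace returns a single page of up to 5,000 rows here, which covers the roughly 1,700 messages in this incident; for larger volumes loop over the -Page parameter until no rows come back.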

Why This Matters

Cloud email platforms like Microsoft 365 are not automatically secure.

If accounts are accessed from unmanaged devices, those devices become the weakest link. Without monitoring, endpoint protection, or control, businesses lose visibility and the ability to respond quickly.

This is why proper IT support and endpoint security are essential in modern environments.

Key Lessons for Businesses

Unmanaged personal devices create real risk

Allowing access from unsecured devices significantly increases the chance of compromise.

MFA alone is not enough

Multi-factor authentication must be properly managed. If an attacker controls MFA, the account remains compromised even after a password reset.

Speed is critical

Blocking access and resetting credentials must happen immediately once suspicious activity is detected.

Trace logs are essential

Microsoft 365 logs provide visibility into what happened and help guide response actions.

Final Thoughts

This incident likely originated from the use of a work email account on an unsecured personal device.

While the exact trigger could not be confirmed, the evidence clearly showed that the mailbox had been hijacked and used for phishing.

The response focused on immediate containment and damage control.

For businesses, the takeaway is simple:

If staff are accessing work systems from personal devices, those devices must be secured — or access should be restricted.