What are warning signs of compromise?
Account-level signs: unexpected password resets, unfamiliar login locations in activity logs, new forwarding rules or delegates, and security notifications you didn't trigger.
Infrastructure signs: new **API** keys or tokens, modified authentication records (**SPF**, **DKIM**), configuration changes you didn't make, and unfamiliar users or permissions.
External signs: recipients reporting suspicious messages, increases in complaints, blocklist notifications, and bounce patterns that suggest spam filtering.
Multiple warning signs warrant immediate investigation.
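The signs listed above can be checked mechanically against a known-good baseline. The following is an added example, not part of the original answer; the event schema, field names, thresholds and sample data are all constructed for illustration.

```python
# Constructed sample data; event types and field names are a hypothetical schema.
BASELINE = {
    "known_countries": {"alice@example.com": {"US"}},
    "org_domain": "example.com",
    "dns_txt": {
        "example.com": "v=spf1 include:_spf.example.net -all",
        "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY",
    },
    "max_complaint_rate": 0.001,  # assumed threshold, tune to your own sending history
}
EVENTS = [
    {"type": "login", "user": "alice@example.com", "country": "US"},
    {"type": "login", "user": "alice@example.com", "country": "BR"},
    {"type": "forward_rule_created", "user": "alice@example.com",
     "target": "archive@mail.example.org"},
    {"type": "api_key_created", "actor": "alice@example.com", "change_ticket": None},
    {"type": "dns_txt_observed", "name": "example.com",
     "value": "v=spf1 include:_spf.example.net include:mailer.example.org -all"},
    {"type": "delivery_stats", "sent": 20000, "complaints": 90},
]

def find_signs(events, baseline):
    """Return (category, detail) pairs for events that deviate from the baseline."""
    signs = []
    for e in events:
        t = e["type"]
        if t == "login" and e["country"] not in baseline["known_countries"].get(e["user"], set()):
            signs.append(("account", f"login for {e['user']} from unfamiliar location {e['country']}"))
        elif t == "forward_rule_created" and not e["target"].endswith("@" + baseline["org_domain"]):
            signs.append(("account", f"new forwarding rule on {e['user']} to {e['target']}"))
        elif t == "api_key_created" and not e.get("change_ticket"):
            signs.append(("infrastructure", f"API key created by {e['actor']} with no change record"))
        elif t == "dns_txt_observed" and baseline["dns_txt"].get(e["name"]) != e["value"]:
            signs.append(("infrastructure", f"TXT record {e['name']} differs from baseline"))
        elif t == "delivery_stats" and e["sent"] and e["complaints"] / e["sent"] > baseline["max_complaint_rate"]:
            signs.append(("external", f"complaint rate {e['complaints'] / e['sent']:.2%} above baseline"))
    return signs

def triage(signs):
    """Two or more signs: investigate immediately. Single-sign handling is an assumption."""
    if len(signs) >= 2:
        return "investigate-now"
    return "review" if signs else "ok"

if __name__ == "__main__":
    found = find_signs(EVENTS, BASELINE)
    for category, detail in found:
        print(f"[{category}] {detail}")
    print(triage(found))
```

The DNS check only works if the SPF and DKIM baseline is captured while the configuration is known to be good and updated through the same change process as the records themselves.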