Rogue Email - "where is it all coming from?"

Recently one of my customers came to me with a very strange problem...

His Sent Items folder in his email just kept growing and growing.

Every few seconds very old emails would show up in his sent folder as if they'd been sent again.

Obviously the major concern was that his customers were being bombarded by email from him.

Like most of us these days, this email address was being handled by multiple devices (laptop, phone, desktop etc.).

The email was a business email so there were additional business tool integrations using the email account.

Some of these integrations were in Microsoft Outlook itself, some were app's, some were cloud based.

So tracking down which device, which email program and which tool was quite tricky.

At times it seemed we were going in circles.

Trying to source a culprit proved difficult and we had to get progressively ruthless with the things we did and the things we disconnected from the email account.

The strategy with troubleshooting is to identify a potential cause, change/fix it and verify if the problem has gone or not.

The problem with things like email accounts is that there can be tools and services that have access to it that we don't know about.

Maybe something has lied to us and is using the email account without your permission or in a way you weren't aware of.

Maybe it is a virus or an actual hack in progress!?

In the case of malicious activity you'd naturally and immediately upgrade your security i.e. change passwords and add multi-factor authentication (if not already in place).

The theory being that whatever is injecting the "sent items" into your account will then be denied access and, hopefully, the problem stops.

But that didn't work in this case, so it appeared that one of the legitimate business integrations was the cause.

As my customer thought back to when the problem started he realised he'd started using an app' on his phone that was supposed to help him with business. But it seemed unrelated to email (if I recall correctly).

The correlation seemed very suspect and once he'd logged into to email account and checked what third party app's had access it strongly looked like this app' was opperating outside of it's remit.

In the account there were also other third party systems and app's that had access that were either unusual, unwanted or obsolete...so those permissions were revoked aswell.

Once this had been done the problem stopped.

It hadn't been malicious, it was just very poor software doing something weird.

We got lucky at this stage. It wouldn't have been much longer before the next attempt to solve the problem would be to delete the email account and re-create it.

If that failed, and with problems like these were outside sources are the cause failure is an option, then things would get even more drastic e.g. never use that email address again, move to a new email host etc. etc.

So I guess the lessons here are:

1) Regularly check what has access to your email (and other) accounts.

Often we try things and then delete things but the badly behaved ones leave crap behind and keep on misbehaving.

2) Ensure multi-factor authentication is turned on for anything business critical or financial or otherwise important. This will help prevent "things" getting access getting access to accounts without you being asked for permission first.

3) Diarise / record changes you make to your accounts e.g. when you started using a new tool, when you deleted/stopped using a service etc.

Such records can help us correlate the start of a problem with the start of something else.

Have fun.

David