📧 provider deep‑dive (hidden details)

Gmail / Google

  • Deleted filters: Attackers often create filters that auto‑archive or delete incoming emails from security teams. Check Settings → "Filters and Blocked Addresses" – look for filters with "Delete it" or "Skip Inbox".
  • Hidden forwarding: Under "Forwarding and POP/IMAP", select "Disable forwarding" – even if it says disabled, check whether any unknown address is listed.
  • App passwords: If you ever used app passwords, revoke all and generate new ones. Old ones may still work even after a password change.
  • Less secure apps: Turn off "Allow less secure apps" – it's an ancient backdoor.
What pros check: Go to myaccount.google.com/device-activity – look for devices with "previous session" that you don't recognize. Also check "recovery phone" – attackers often add their own.
Nasty trick: Hackers set up "delegation" (allow another user to read your mail). Check under Settings → Accounts → "Grant access to your account".
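
The filter check above can be run over an export instead of by eye. This is an added example, not part of the original checklist: it assumes the filters were exported to XML with the Export button on the "Filters and Blocked Addresses" page, and the property names (`shouldTrash`, `shouldArchive`, `shouldMarkAsRead`, `forwardTo`) are the ones that export uses as far as known here. All addresses in the sample are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")
# Actions that hide mail from the owner or copy it elsewhere.
RISKY = {"shouldTrash": "Delete it", "shouldArchive": "Skip Inbox",
         "shouldMarkAsRead": "Mark as read", "forwardTo": "Forward to"}

# Constructed sample in the shape of an exported mailFilters.xml.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='security@example.com'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='password OR alert'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='forwardTo' value='collector@example.net'/>
  </entry>
  <entry>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='News'/>
  </entry>
</feed>"""

def audit_filters(xml_text, own_addresses=()):
    """Return (filter number, match criteria, risky actions) per suspect filter."""
    own = {a.lower() for a in own_addresses}
    findings = []
    entries = ET.fromstring(xml_text).findall("atom:entry", NS)
    for number, entry in enumerate(entries, 1):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        actions = []
        for name, label in RISKY.items():
            value = props.get(name, "")
            if name == "forwardTo":
                # Forwarding to an address you own is expected; anything else is flagged.
                if value and value.lower() not in own:
                    actions.append(f"{label} {value}")
            elif value == "true":
                actions.append(label)
        if actions:
            criteria = {k: props[k] for k in CRITERIA if k in props}
            findings.append((number, criteria, actions))
    return findings
```

Pass your own forwarding targets in `own_addresses` so only unknown destinations are reported; every remaining finding is a filter to open and confirm you created.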

Outlook / Hotmail

  • Inbox rules (the hidden gem): Go to Settings → Mail → Rules. Attackers create rules that move emails from security@ to deleted items or mark them as read. Remove any rule you didn't create.
  • POP/IMAP status: Under "Sync email", check if POP or IMAP is enabled – if you don't use it, disable it. Attackers use POP to download all emails.
  • Forwarding: Outlook has a separate "Forwarding" option – make sure it's disabled or points only to you.
  • Session activity: Under "Security" → "Review recent activity" – look for sign‑ins from unusual locations or user agents.
Undocumented: Check "Connected apps" under https://account.live.com/consent/Manage – attackers sometimes register an app with mailbox access that survives password reset.

Yahoo Mail

  • Mail forwarding (hidden): Settings → "More Settings" → "Mailboxes" → your email → "Forwarding". Attackers often enable it and delete the confirmation email.
  • Filters (advanced): Yahoo allows filters that can redirect emails based on subject. Check every filter – delete any that forward to external addresses.
  • Account key: Enable "Account Key" (push‑based 2FA) – it's more secure than SMS.
  • Recent activity: At the bottom of Account Info, check "Recent activity" for IP addresses you don't recognize.
Yahoo‑specific: After a hack, check "App passwords" and revoke all. Some apps retain access even after a main password change.

iCloud / Apple

  • Trusted devices: After recovery, go to appleid.apple.com → "Devices" – remove all devices you don't own. Attackers sometimes leave a device to regain access.
  • Mail forwarding (hidden): iCloud.com → Mail → settings (gear) → "Rules" – check for any forwarding rules. Also check "VIP" list.
  • Recovery key: Enable "Account Recovery Key" – a 28‑digit code that prevents social engineering.
  • Trusted phone numbers: Ensure no unknown numbers are listed. Attackers can add a phone and use SMS to reset password later.
iCloud+ hiding: Check "Hide My Email" addresses – if you see unknown addresses, revoke them.

🔍 things 99% of people don't know

persistence tricks

  • Read receipts / web bugs: Some hackers send emails with tracking pixels. After regaining access, don't open suspicious emails – they might confirm you're back.
  • Recovery email loop: If your recovery email was also hacked, change its password first, then secure primary. Attackers often chain accounts.
  • Email delegations (Gmail): Attackers add delegates that can read your mail without a password. Check under Settings → Accounts → "Grant access to your account".
  • API access: Revoke OAuth tokens for any app that has "read all mail" or "send mail as you".
Attackers often create a "vacation responder" to collect replies. Check auto‑responders too.

forensic deep clean

  • Export mail & logs: Before cleaning, export your emails and account logs (Gmail Takeout). You might need evidence later.
  • Search for attacker's traces: Search your inbox for "security", "alert", "password changed" – attackers often delete those. Check trash and spam.
  • Check "connected sites": For Gmail, check "Signing in with Google" – revoke any site you don't use.
  • Enable advanced protection: Google's Advanced Protection Program (hardware keys) makes it nearly impossible to get hacked again.
Nuclear option: If you suspect persistent access, create a brand new email address, migrate important contacts, and close the old one.
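
The "search for attacker's traces" step can be run offline against the exported mail. This is an added example, not part of the original checklist: it assumes the Takeout export is an mbox file whose messages carry an `X-Gmail-Labels` header, and it only matches plain (unencoded) subject lines. The sample messages are constructed.

```python
import mailbox
import os
import re
import tempfile

# Search terms from the checklist item; HIDDEN lists where warnings get buried.
KEYWORDS = re.compile(r"security|alert|password changed", re.IGNORECASE)
HIDDEN = {"trash", "spam"}
# Constructed sample in mbox form; a real export is far larger.
SAMPLE_MBOX = """\
From a@constructed Mon Jan  1 00:00:00 2024
X-Gmail-Labels: Trash,Opened
Subject: Security alert: new sign-in on your account

body

From b@constructed Mon Jan  1 00:05:00 2024
X-Gmail-Labels: Inbox
Subject: Security alert: recovery phone added

body

From c@constructed Mon Jan  1 00:10:00 2024
X-Gmail-Labels: Spam
Subject: Your password changed

body
"""

def find_buried_alerts(mbox_path):
    """Return (subject, hidden labels) for alert-like mail found in Trash or Spam."""
    hits = []
    box = mailbox.mbox(mbox_path, create=False)
    for msg in box:
        labels = {l.strip().lower() for l in (msg.get("X-Gmail-Labels") or "").split(",")}
        subject = msg.get("Subject", "")
        if KEYWORDS.search(subject) and labels & HIDDEN:
            hits.append((subject, sorted(labels & HIDDEN)))
    box.close()
    return hits

def scan_sample():
    """Write the constructed sample to a temporary file and scan it."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
    try:
        return find_buried_alerts(fh.name)
    finally:
        os.unlink(fh.name)
```

An alert that is still in the inbox is not reported; the hits are the security notices that someone moved out of sight.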

Gmail secret panels

  • Undisclosed forwarding: In Gmail, there's a hidden "Forwarding" option inside POP/IMAP that might show an address even if disabled. Always toggle off and on.
  • Account permissions (via G Suite): If you use G Suite, check the admin console for delegated admins.
  • Country‑based filters: Check if the attacker set up "deny access" rules for certain countries – you may be locked out.

Microsoft hidden

  • Legacy authentication: Disable legacy protocols (POP, IMAP, SMTP) if you don't need them – they bypass 2FA.
  • Mail flow rules (Exchange): If you have Exchange Online, check "mail flow rules" – they can redirect emails server‑side.
  • Passwordless account: After recovery, switch to passwordless (Microsoft Authenticator) for better security.

SIM swap – the ultimate hijack

If your phone number was used to reset your email, you may be a victim of SIM swapping. Contact your mobile carrier immediately, set a port‑out PIN, and move your number to Google Voice or use a hardware token.

  • Call carrier fraud dept
  • Remove number from 2FA
  • Use authenticator app