Mailbox takeover is unauthorized control of an email account. An attacker may gain access by stealing a password, abusing a reset flow, hijacking a session, or tricking a user into approving a sign-in. Once inside, the attacker can read messages, send mail as the victim, change recovery settings, and hide legitimate alerts.
It matters because email is often the root of organizational trust. A taken-over mailbox can reveal conversations, contact lists, attachments, and internal processes, and it can be used to impersonate the owner in spearphishing, invoice fraud, or further account compromise. In defense, teams look for impossible travel, new forwarding rules, suspicious OAuth grants, and repeated login failures. Phishing-resistant MFA, strong recovery controls, and mailbox auditing reduce the chance that one compromised inbox becomes a wider breach.



