
Account compromise

The Account compromise setting helps you detect when a user's account may be compromised. You can configure email notifications to alert administrators or key users as soon as Sophos flags suspicious activity. This allows them to respond quickly and help prevent a major security breach.

Sophos Central monitors email activity to detect unusual behavior that may indicate a compromised account. For example, Sophos Central flags the activity if a user suddenly sends an unusually high volume of emails or shows patterns that differ from their normal behavior. It then notifies the recipients you've configured.

Alerts and email notifications

When Sophos Central detects suspicious outbound email from a monitored user, it triggers an alert and notifies the administrator.

An alert triggered by an account compromise.

Sophos Central also sends an email notification to the users you've configured to receive them. Each email notification includes key details such as the affected user's information, the reason for the alert, and recommended steps to secure the account. For details, see the example screenshot.

Account compromise email notification.

If the user continues to send emails while flagged as compromised, Sophos Central sends repeat alerts every 30 minutes.
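
The behavior described in this section, sketched as an added example (not Sophos code, and not a description of how Sophos Central is implemented): a per-user baseline of hourly send counts flags an unusually high outbound volume, and repeat alerts fire at most every 30 minutes while the flagged user keeps sending. The one-hour window, 3-sigma threshold, minimum history, function names and sample addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

REPEAT_INTERVAL = timedelta(minutes=30)  # repeat-alert cadence stated on the page
WINDOW = timedelta(hours=1)              # assumption: rolling window for "volume"
SIGMAS = 3.0                             # assumption: deviation that counts as unusual
MIN_HISTORY = 5                          # assumption: hours of baseline required


def threshold(hourly_history):
    """Per-user ceiling derived from that user's own past hourly send counts."""
    if len(hourly_history) < MIN_HISTORY:
        return None  # not enough history to call anything unusual
    # Floor the spread at 1 so a very regular sender is not flagged for one extra mail.
    return mean(hourly_history) + SIGMAS * max(pstdev(hourly_history), 1.0)


def detect(events, baselines):
    """events: (sender, datetime) pairs; returns [(sender, time, count_in_window)]."""
    recent = defaultdict(deque)  # sender -> send times inside the rolling window
    last_alert = {}
    alerts = []
    for sender, ts in sorted(events, key=lambda e: e[1]):
        window = recent[sender]
        window.append(ts)
        while ts - window[0] >= WINDOW:
            window.popleft()
        limit = threshold(baselines.get(sender, []))
        if limit is None or len(window) <= limit:
            continue
        # Flagged: alert on first detection, then only if the user is still
        # sending and 30 minutes have passed since the previous alert.
        if sender not in last_alert or ts - last_alert[sender] >= REPEAT_INTERVAL:
            last_alert[sender] = ts
            alerts.append((sender, ts, len(window)))
    return alerts


# Constructed sample data (not real mail logs).
START = datetime(2024, 1, 15, 9, 0)
BASELINES = {"alice@example.com": [4, 6, 5, 7, 5, 6, 4, 5],
             "bob@example.com": [2, 3, 2, 4, 3]}
EVENTS = [("alice@example.com", START + timedelta(minutes=m)) for m in range(70)]
EVENTS += [("bob@example.com", START + timedelta(minutes=m)) for m in (5, 20, 50)]

if __name__ == "__main__":
    for sender, ts, count in detect(EVENTS, BASELINES):
        print(f"{ts:%H:%M} ALERT {sender}: {count} mails in the last hour")
```

A sender with too little history is never flagged in this sketch, which is why the baseline length is checked before any comparison.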

Configure account compromise notifications

You can configure email notifications to alert administrators or key users in your organization when an account may be compromised.

To do this, do as follows:

  1. In Sophos Central, go to My Products > Email Protection > Business Email Compromise > Account compromise.
  2. In the User list, select the users you want to notify if an account is compromised.
  3. Move the users to the Notify users list.
  4. Click Save.

You've now configured the selected users to receive email notifications. They'll get an email if any of the monitored accounts are flagged as compromised.