Gene's Field Notes
A three-panel Archie Comics-style illustration showing the three phases of a credential attack: stolen credentials sitting undetected, an inbox flood burying a critical alert, and a person running a calm security routine.

How Do You Know If You're Being Targeted Right Now?

Most attacks have visible signals before anything breaks. Infostealer logs, inbox floods, forwarding rules you didn't create. Here's what to look for and how to look.

Gene Wright · April 29, 2026 · 8 min read

The average organization takes 246 days to identify a breach that started with stolen credentials. That is IBM's finding from their 2025 Cost of a Data Breach Report. Eight months of invisible access. Eight months where an attacker has what they need and is deciding when and how to use it.

That statistic is about enterprises, but the math applies to individuals too. Your credentials are either clean right now, or they are sitting in a criminal market and you have no idea. The breach notification, if it ever comes, arrives long after the window opened.

This post is about recognizing the signals of active targeting before anything breaks.

The Pre-Breach Window

In February 2025, Troy Hunt added 284 million email addresses and 244 million previously unseen passwords to Have I Been Pwned from a single dataset: 23 billion rows of infostealer logs scraped from a Telegram channel called ALIEN TXTBASE. One dataset. 1.5 terabytes. Millions of people whose credentials were harvested by malware running silently on their devices, packaged into a structured file, and sold for $10 to $100 per log on criminal markets.

Those logs hit those markets within hours of the infection. The credentials in them may sit unused for weeks or months before an attacker decides to act. KELA reported 2.67 million machines infected by infostealers in the first half of 2025 alone.

The pre-breach window is not hypothetical. It is the default state for a large percentage of people reading this right now.

Your Inbox Just Flooded. That's Not Spam.

One morning your inbox fills up. Hundreds of newsletter confirmations, subscription welcome emails, mailing list opt-ins from businesses you've never heard of. Your first instinct is that someone signed you up as a prank, or a bot hit your address, or it's just a bad spam day.

It is almost certainly none of those things.

This technique has a formal name: subscription bombing, catalogued by MITRE ATT&CK as Technique T1667: Email Bombing. Attackers use automated tools to register your email address with thousands of legitimate mailing lists simultaneously. Because each resulting email comes from a real business and passes that business's own SPF, DKIM, and DMARC checks, spam filters let it through. The documented attack velocity: over 1,500 emails per hour.

The flood is not the attack. It is cover for the attack already in motion.

Sophos MDR documented this sequence in detail in their analysis of Black Basta ransomware campaigns, confirmed by CISA advisory AA24-131A: the attacker has already accessed your account or initiated a financial transaction. That action generates a transactional alert: a wire transfer confirmation, a "new device logged in" notification, a password reset email. The attacker triggers the subscription bomb at the same moment. Your real alert lands at position 847 in a flooded inbox. You frantically mark emails as spam. The critical one goes unread.

In the Black Basta campaigns, approximately 1,000 emails hit a single victim within 50 minutes. The flood was followed by a Microsoft Teams message from someone claiming to be IT support, offering to help fix the email problem, and requesting remote access via Quick Assist. Over 500 organizations were impacted globally. The HHS Health Sector Cybersecurity Coordination Center issued a formal sector alert specifically about this technique in March 2024.

Subscription bombing sequence:

  1. Account access obtained
  2. Subscription flood fires
  3. Critical alert buried
  4. Attack completes undetected

The best defense against this technique is a set of inbox filters built before an attack happens: rules that automatically star or flag transactional emails from your bank, credit card, brokerage, and account providers so they surface regardless of inbox volume. A well-constructed filter set defeats subscription bombing before it starts. I'm putting the exact Gmail and Outlook filter setup together for a future post.

If your inbox floods unexpectedly and you don't have filters in place, do this before you clear a single email: Search for "password reset," "new sign-in," "transaction," "new device," and "authorization code." Check your financial accounts directly. Do not click any links in email. Do not accept any unsolicited phone call or remote access request from anyone claiming to help with the email problem.
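The two checks above, telling a subscription bomb apart from a busy day and pulling the buried transactional alerts out of the flood, can be run as code over a mailbox export. The block below is an added example, not code from the original post. It runs on constructed sample messages shaped like the Black Basta flood the post describes (about 1,000 confirmations in 50 minutes with two real alerts buried in them); the sender-domain allowlist, the 10-minute window, and the 100-message threshold are assumptions to tune for your own inbox.

```python
"""Added example (not from the original post): triage a flooded inbox.

Two checks expressed as code: (1) burst detection, to tell a subscription
bomb from a busy day, and (2) surfacing, to pull transactional and security
alerts out of the flood before anything is cleared. All input is constructed.
"""
from collections import deque
from datetime import datetime, timedelta

# Assumption: domains of the reader's own bank/card/account providers.
CRITICAL_SENDER_DOMAINS = {
    "alerts.chase.com",
    "accounts.google.com",
    "account.microsoft.com",
}
# The subject phrases the post says to search for before clearing anything.
CRITICAL_SUBJECT_TERMS = (
    "password reset", "new sign-in", "transaction",
    "new device", "authorization code", "wire transfer",
)
# Assumed thresholds: 100 messages within any 10-minute window is a flood.
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 100


def sender_domain(addr):
    """Domain part of a sender address, lower-cased ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_critical(msg):
    """True if a message must surface regardless of inbox volume.

    Sender domain is the strong signal; a subject phrase is weak, since
    phishers use the same phrases, so surfacing is not the same as trusting.
    """
    if sender_domain(msg["from"]) in CRITICAL_SENDER_DOMAINS:
        return True
    subject = msg["subject"].lower()
    return any(term in subject for term in CRITICAL_SUBJECT_TERMS)


def detect_burst(messages):
    """Sliding-window count over arrival times.

    Returns (is_burst, peak_count, window_start): peak_count is the most
    messages that arrived within any span of BURST_WINDOW length.
    """
    window = deque()
    peak_count, peak_start = 0, None
    for ts in sorted(m["ts"] for m in messages):
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) > peak_count:
            peak_count, peak_start = len(window), window[0]
    return peak_count >= BURST_THRESHOLD, peak_count, peak_start


def triage(messages):
    """Combine both checks into the summary a person needs mid-flood."""
    is_burst, peak, start = detect_burst(messages)
    critical = [m for m in messages if is_critical(m)]
    return {
        "burst": is_burst,
        "peak_count": peak,
        "peak_window_start": start,
        "critical": sorted(critical, key=lambda m: m["ts"]),
        "noise_count": len(messages) - len(critical),
    }


def build_sample_flood():
    """Constructed data: 1,000 newsletter confirmations over 50 minutes (the
    velocity the post cites), with two genuine alerts buried inside."""
    t0 = datetime(2026, 4, 29, 9, 0, 0)
    flood = [
        {
            "ts": t0 + timedelta(seconds=3 * i),
            "from": f"hello@shop{i % 50}.example",
            "subject": "Please confirm your subscription",
        }
        for i in range(1000)
    ]
    buried = [
        {
            "ts": t0 + timedelta(seconds=901),
            "from": "no-reply@alerts.chase.com",
            "subject": "Wire transfer confirmation",
        },
        {
            "ts": t0 + timedelta(seconds=2542),
            "from": "no-reply@accounts.google.com",
            "subject": "Security alert: new sign-in from Windows",
        },
    ]
    return flood + buried


if __name__ == "__main__":
    result = triage(build_sample_flood())
    print("burst:", result["burst"], "peak in 10 min:", result["peak_count"])
    for m in result["critical"]:
        print("READ FIRST:", m["ts"].time(), m["from"], "-", m["subject"])
```

Surfacing a message is not the same as trusting it: treat a matched alert as a prompt to open the bank or account site directly, never as a link to click. The same domain allowlist is what a Gmail or Outlook "always star/flag" rule encodes.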

What's Already in Your Accounts Right Now

The email flood is dramatic enough to notice, even if the signal gets misread. The more dangerous signals are the ones sitting quietly in your accounts right now.

Inbox rules you didn't create. After gaining access to an email account, attackers routinely create forwarding rules that send password reset emails, bank notifications, and security alerts to an external address or directly to your junk folder. Proofpoint found approximately 40% of compromised Microsoft 365 accounts had at least one malicious mailbox rule created post-breach. The critical detail: these rules survive a password reset. Changing your password does not remove them. An attacker can maintain persistent visibility into your email without ever logging in again.

Check:

  • Gmail: Settings > See all settings > Filters and Blocked Addresses, and Forwarding and POP/IMAP
  • Outlook: Settings > Mail > Rules, and Settings > Mail > Forwarding
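Clicking through the settings pages works for one account; a script is what you want if you audit several, or want to repeat the check monthly. The block below is an added example, not code from the original post. It flags the three persistence patterns the post describes (forwarding, hiding security mail from the inbox, marking it read) over dictionaries shaped like the Gmail API settings resources (users.settings.filters.list, users.settings.getAutoForwarding, users.settings.forwardingAddresses.list) as understood by the author of this example; fetching those resources with an authenticated client is left to the reader, and the sample settings are constructed.

```python
"""Added example (not from the original post): audit Gmail filters and
forwarding settings for attacker-created persistence.

Input dictionaries follow the Gmail API settings resource shapes as assumed
here; the SAMPLE_SETTINGS below are constructed, not real data.
"""

# Assumption: the Gmail label IDs whose addition hides a message.
HIDING_LABELS = {"TRASH", "SPAM"}
# Criteria terms suggesting a rule is aimed at security or financial mail.
SENSITIVE_TERMS = (
    "password", "verification", "sign-in", "security", "bank",
    "transfer", "alert", "code", "reset", "invoice",
)


def criteria_text(criteria):
    """All textual criteria of a filter joined for keyword matching."""
    return " ".join(str(v) for v in criteria.values()).lower()


def audit_filter(flt):
    """Return a list of (severity, reason) findings for one filter."""
    findings = []
    action = flt.get("action", {})
    criteria = flt.get("criteria", {})
    added = set(action.get("addLabelIds", []))
    removed = set(action.get("removeLabelIds", []))
    hides = bool(added & HIDING_LABELS) or "INBOX" in removed
    sensitive = any(t in criteria_text(criteria) for t in SENSITIVE_TERMS)

    if action.get("forward"):
        findings.append(("HIGH", f"forwards matching mail to {action['forward']}"))
    if hides and sensitive:
        findings.append(("HIGH", "hides mail matching security/financial terms"))
    elif hides:
        findings.append(("MEDIUM", "hides matching mail from the inbox"))
    if "UNREAD" in removed and sensitive:
        findings.append(("MEDIUM", "marks security/financial mail as read"))
    return findings


def audit_mailbox(settings, own_domains):
    """Audit filters plus account-level forwarding.

    Returns (severity, where, reason) tuples, HIGH first. own_domains is the
    set of domains the owner legitimately forwards to.
    """
    findings = []
    for flt in settings.get("filters", []):
        for sev, reason in audit_filter(flt):
            findings.append((sev, f"filter {flt.get('id', '?')}", reason))

    auto = settings.get("autoForwarding", {})
    if auto.get("enabled"):
        findings.append(("HIGH", "autoForwarding",
                         f"all mail copied to {auto.get('emailAddress')}"))
    for fwd in settings.get("forwardingAddresses", []):
        addr = fwd.get("forwardingEmail", "")
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in own_domains:
            findings.append(("HIGH", "forwardingAddresses",
                             f"external address registered: {addr} "
                             f"({fwd.get('verificationStatus')})"))
    order = {"HIGH": 0, "MEDIUM": 1}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample shaped like the Gmail API responses: one benign rule
# (f-1), one that buries password/verification mail (f-2), one that forwards
# bank alerts (f-3), plus the external forwarding address f-3 relies on.
SAMPLE_SETTINGS = {
    "filters": [
        {"id": "f-1",
         "criteria": {"from": "news@weekly.example"},
         "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
        {"id": "f-2",
         "criteria": {"query": "subject:(password OR verification code)"},
         "action": {"addLabelIds": ["TRASH"],
                    "removeLabelIds": ["INBOX", "UNREAD"]}},
        {"id": "f-3",
         "criteria": {"from": "*@alerts.bank.example"},
         "action": {"forward": "relay7731@dropmail.example"}},
    ],
    "autoForwarding": {"enabled": False},
    "forwardingAddresses": [
        {"forwardingEmail": "relay7731@dropmail.example",
         "verificationStatus": "accepted"},
    ],
}

if __name__ == "__main__":
    for sev, where, reason in audit_mailbox(SAMPLE_SETTINGS, {"mydomain.example"}):
        print(f"[{sev}] {where}: {reason}")
```

A registered forwarding address is a finding on its own even when no filter currently uses it, because the attacker can add the filter later without re-authenticating. For Microsoft 365 the equivalent fields are ForwardTo, RedirectTo, DeleteMessage and MarkAsRead on the Exchange Online Get-InboxRule output, and the same triage logic applies.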

Sessions and devices you don't recognize. Every major platform logs your active sessions. Google shows every device signed into your account and the last location used. Microsoft flags impossible travel. Apple lists every device with your Apple ID. These pages exist. Open them.

Microsoft documented 147,000 token replay attacks in 2024-2025, up 111% year over year. In a token replay attack, the attacker uses a stolen session cookie to access your account from a different device, bypassing MFA (multi-factor authentication) entirely because authentication already happened. The evidence is visible in your account activity log.

Check:

  • Google: myaccount.google.com/security-checkup
  • Apple: appleid.apple.com
  • Microsoft: account.microsoft.com > Security > Review recent activity
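"Impossible travel" is the check the post credits Microsoft with running: two sign-ins whose distance apart could not have been covered in the time between them. The block below is an added example, not code from the original post or from Microsoft, that runs that check over constructed sign-in events so you can see what it computes when you read your own activity page. The 900 km/h ceiling (roughly an airliner) and the 50 km floor (to ignore geolocation jitter) are assumptions; VPNs and mobile carriers will trigger false positives, so a hit is a reason to inspect the session, not proof of replay.

```python
"""Added example (not from the original post): an impossible-travel check
over sign-in activity, applied to constructed events.

Assumptions: each event carries a geolocated lat/lon; MAX_PLAUSIBLE_KMH and
MIN_DISTANCE_KM are tunable guesses, not values from any vendor.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumption: fastest legitimate travel
MIN_DISTANCE_KM = 50.0      # assumption: below this, treat as geolocation noise


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events):
    """Compare each sign-in with the previous one for the same account.

    events: dicts with 'account', 'ts' (datetime), 'lat', 'lon', 'device'.
    Returns one dict per pair whose implied speed exceeds the ceiling.
    """
    hits = []
    last_by_account = {}
    for ev in sorted(events, key=lambda e: (e["account"], e["ts"])):
        prev = last_by_account.get(ev["account"])
        last_by_account[ev["account"]] = ev
        if prev is None:
            continue
        dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        if dist < MIN_DISTANCE_KM:
            continue
        hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
        # Two distant sign-ins at the same instant are the clearest case.
        speed = dist / hours if hours > 0 else float("inf")
        if speed > MAX_PLAUSIBLE_KMH:
            hits.append({
                "account": ev["account"],
                "from": prev["device"],
                "to": ev["device"],
                "distance_km": round(dist, 1),
                "speed_kmh": round(speed, 1) if hours > 0 else speed,
                "when": ev["ts"],
            })
    return hits


# Constructed activity log: the owner's phone in New York, then a session
# from a different browser in Lagos forty minutes later.
NEW_YORK = (40.7128, -74.0060)
LAGOS = (6.5244, 3.3792)
SAMPLE_EVENTS = [
    {"account": "me@mydomain.example", "ts": datetime(2026, 4, 29, 8, 30),
     "lat": NEW_YORK[0], "lon": NEW_YORK[1], "device": "Safari on iPhone"},
    {"account": "me@mydomain.example", "ts": datetime(2026, 4, 29, 9, 0),
     "lat": NEW_YORK[0], "lon": NEW_YORK[1], "device": "Safari on iPhone"},
    {"account": "me@mydomain.example", "ts": datetime(2026, 4, 29, 9, 40),
     "lat": LAGOS[0], "lon": LAGOS[1], "device": "Chrome on Windows"},
    {"account": "me@mydomain.example", "ts": datetime(2026, 4, 29, 10, 15),
     "lat": LAGOS[0], "lon": LAGOS[1], "device": "Chrome on Windows"},
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_EVENTS):
        print(f"{hit['when']:%H:%M} {hit['account']}: {hit['from']} -> {hit['to']}, "
              f"{hit['distance_km']} km at {hit['speed_kmh']} km/h")
```

The detail that matters for token replay is the device column, not the speed: a replayed session cookie shows up as a browser or OS you do not own, and it will keep appearing until you sign out all sessions, which is the step that invalidates the stolen cookie. Changing the password alone may not.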

OAuth (Open Authorization) apps with permissions you didn't grant. OAuth lets third-party apps access your accounts without needing your password. Attackers add malicious OAuth apps after compromising an account, or socially engineer you into approving one. High-risk scopes: Mail.Read, Mail.ReadWrite, offline_access. An app with these permissions can read every email you receive indefinitely, regardless of password changes. The Microsoft Midnight Blizzard breach in January 2024 used a legacy OAuth application with excessive permissions to move through Microsoft's corporate environment. The same technique scales down to individual accounts.

Check:

  • Google: myaccount.google.com/permissions
  • Microsoft: account.microsoft.com > Privacy > App permissions

Unexpected MFA push requests. A single unexpected push notification from your authenticator app means someone has your username and password and is attempting to log in right now. Multiple requests in quick succession mean they are trying to push you into approving through fatigue. Do not approve. Change your password immediately. Check account activity.

What You Can Actually Monitor

Knowing what to look for only matters if you have the tools to look. The landscape for individuals shifted in early 2026: Google One's dark web monitoring, which scanned for names, emails, phone numbers, and SSNs, was shut down on February 17, 2026. If you relied on it, you have a gap. Here is what remains:

Have I Been Pwned is the most reliable free option. Run every email address you use. As of early 2025 it includes infostealer log data, not just traditional breach records. If your address appears in stealer log results, your credentials were harvested from a device, not just included in a database dump. That is a higher-severity signal.

Mozilla Monitor provides real-time breach alerts for up to 20 email addresses. Free. The paid data broker removal tier was shut down in December 2025, but the breach monitoring core continues.

Apple's built-in password alerts flag compromised credentials stored in the Passwords app using a privacy-preserving k-anonymity check. If you store passwords in iCloud Keychain, these alerts fire automatically.

Carrier SIM locks are free and not enabled by default. AT&T's Wireless Account Lock, T-Mobile's SIM Protection and Port Out Protection, and Verizon's Number Lock and SIM Protection all prevent the kind of carrier social engineering that preceded the SEC's X account SIM swap in January 2024. Enable them now, before you need them.

Bank and card transaction alerts set to fire on every transaction are the closest individual equivalent to enterprise security monitoring. Set the threshold to $0 in your banking app to catch any charge.

The Routine

The difference between someone who catches an attack in progress and someone who finds out eight months later is not skill. It is the habit of looking.

  • Weekly · 5 min
  • Monthly · 15 min
  • When something looks off

If something has already moved past the signals stage, the post-breach checklist covers the response sequence for accounts under active threat. The account security hygiene guide covers the foundational setup that makes this monitoring routine faster to run.

The pre-breach window is real. You are either outside it or inside it, and right now you probably don't know which.
