
Email hacked

Ken Billburg 0 Reputation points
2026-03-27T14:56:05.7466667+00:00

My employees email was hacked and the inbox deleted. All my clients received bogus emails. I changed the password on that email account. What else can I do? How can I recover that inbox?

Outlook | Web | Outlook on the web for business | Security

2 answers

  1. Vy Nguyen 10,215 Reputation points Microsoft External Staff Moderator
    2026-03-27T16:21:09.45+00:00

    Hi @Ken Billburg

    Good day, and I appreciate the detailed description of your issue.  

    When an account is compromised, the attacker often deletes or moves messages to hide activity, and they may also create inbox rules or enable forwarding so that messages continue to be redirected even after the password is changed. In addition, existing sign-in sessions can remain active until they are explicitly revoked, which is why a password change by itself may not fully stop the unauthorized access.

    Please follow the steps below, as they are designed to fit this situation and to help secure the mailbox while also attempting mailbox recovery. 

    1/ Contain the compromise and prevent repeated access 

    • Temporarily block sign-in for the affected user account while the review is completed, and then reset the password to a strong and unique value.  
    • Revoke active sign-in sessions for the user so any existing access is invalidated immediately.  
    • Review the user’s registered multifactor authentication methods and remove anything unfamiliar, then require the user to register MFA again before returning the account to normal use.  
    • Review applications with user consent and remove any that should not be allowed, since consented applications can be used to maintain access.  
    • Reference: Responding to a Compromised Email Account - Microsoft Defender for Office 365 | Microsoft Learn 

    2/ You can try to run Message Trace and review Audit Logs  

    For your reference: Search the audit log | Microsoft Learn 

    3/ Check and remove suspicious mailbox rules and forwarding in Outlook on the web 

    • Sign in to Outlook on the web, open Settings, and then go to Mail and Rules so you can review all inbox rules.  
    • Disable or delete any rule you did not create, especially rules that forward, redirect, delete, or move mail to unexpected folders. 
    • In Outlook settings, check whether forwarding is enabled and turn it off if it points to an address you do not recognize.  
    • After changes are saved, sign out and then sign back in to confirm the suspicious behavior has stopped and mail is arriving normally.  
    • Reference: Manage email messages by using rules in Outlook - Microsoft Support 

    4/ Recover the deleted inbox data and escalate recovery when needed 

    • In Outlook on the web, open Deleted Items and restore any messages that are still present.  
    • While still in Deleted Items, select Recover items deleted from this folder, choose the items you need, and restore them.  
    • If the items do not appear in either location, the next option is administrator assisted recovery, because users cannot recover items that have already been purged, but administrators may be able to recover them if the retention period has not expired.  
    • Once recovery is completed, review Sent Items and recent activity to identify the unauthorized messages so you can notify affected clients appropriately.  
    • Reference: Recover and restore deleted items in Outlook - Microsoft Support 

    5/ Contact your IT administrator:

    Since your account is managed by your organization, please contact your IT administrator to review your permissions and policies. If the issue persists after these checks, ask your IT administrator to submit a support request directly to Microsoft Support team.        

    They can raise a support ticket by visiting: Get support - Microsoft 365 admin | Microsoft Learn  

    As community moderators, we appreciate your understanding that our access to internal development details is limited. Our primary role is to guide users toward the appropriate resources and support channels. While we may not have visibility into deeper backend analysis, we’ll continue doing our best to support you within the scope of our responsibilities.      

    I hope this information is helpful. Please follow these steps and let me know if it works for you. If you have any updates regarding the issue, please feel free to share them with me.        

    Thank you for your patience and your understanding. I look forward to continuing the conversation.  


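The containment and persistence-removal steps in the answer above (block sign-in, revoke sessions, reset the password, review MFA methods and app consents, then hunt inbox rules and forwarding), as one added PowerShell example. This is not code from the answer or from Microsoft; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, an administrator with rights to manage users and mailboxes is running it, and the UPN `alice@contoso.example` is a placeholder for the affected employee.

```powershell
# Added example, not from the original answer. Assumes Microsoft.Graph and
# ExchangeOnlineManagement modules and an admin account. Placeholder UPN below.
$User = "alice@contoso.example"

# --- 1. Contain: block sign-in, revoke sessions, reset the password ---
Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.AccessAsUser.All",
                        "UserAuthenticationMethod.ReadWrite.All","DelegatedPermissionGrant.ReadWrite.All"

# Block sign-in first so no new tokens are issued while the review runs.
Update-MgUser -UserId $User -AccountEnabled:$false

# Invalidate refresh tokens; cached sessions on the attacker's devices stop renewing.
Revoke-MgUserSignInSession -UserId $User | Out-Null

# Random 24-character password, delivered out of band (never by email).
$NewPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $User -PasswordProfile @{ Password = $NewPassword; ForceChangePasswordNextSignIn = $true }

# --- 2. Registered MFA methods: anything unfamiliar is attacker persistence ---
Get-MgUserAuthenticationMethod -UserId $User |
    Select-Object Id, @{ n = "Type"; e = { $_.AdditionalProperties["@odata.type"] } }, AdditionalProperties

# --- 3. Apps the user consented to (delegated grants) ---
$UserId = (Get-MgUser -UserId $User).Id
Get-MgOauth2PermissionGrant -Filter "principalId eq '$UserId'" | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{ GrantId = $_.Id; App = $sp.DisplayName; Scope = $_.Scope }
}
# Revoke a grant you do not recognize:
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>

# --- 4. Mailbox persistence: inbox rules, mailbox-level forwarding, auto-reply ---
Connect-ExchangeOnline -ShowBanner:$false

Get-InboxRule -Mailbox $User |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder, MarkAsRead |
    Format-List

# Remove every rule that forwards, redirects, or silently deletes mail.
Get-InboxRule -Mailbox $User | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
} | Remove-InboxRule -Confirm:$false

# Forwarding set on the mailbox object is not visible in the user's Rules page.
Get-Mailbox -Identity $User | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Set-Mailbox -Identity $User -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Get-MailboxAutoReplyConfiguration -Identity $User | Select-Object AutoReplyState, ExternalMessage

# --- 5. Re-enable only after MFA is re-registered and the user's devices are checked ---
# Update-MgUser -UserId $User -AccountEnabled:$true
```

Ordering matters: disable the account and revoke sessions before the password reset, otherwise an attacker holding a valid refresh token keeps working through the reset. Mailbox-level forwarding (`ForwardingSmtpAddress`) is checked separately from inbox rules because it does not appear in the Outlook Rules page the answer describes.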


  2. Q&A Assist
    2026-03-27T14:56:28.81+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For a compromised Microsoft 365 work mailbox, changing the password is only one of several required steps.

    1. Secure the account and environment
      1. Disable or lock the affected user account temporarily until the investigation is complete, or at minimum reset the password to a strong, unique value and do not send it by email.
      2. If the account is synced from on-premises Active Directory, reset the password there (twice, per guidance) using tools such as Set-ADAccountPassword.
      3. Enable and enforce multifactor authentication (MFA) on this account and, ideally, on all accounts, especially admins.
      4. Revoke active sign-in sessions so any stolen tokens are invalidated. In Microsoft 365, this can be done via Microsoft Graph PowerShell using Revoke-MgUserSignInSession after connecting with the appropriate scopes.
      5. Ensure all devices the user employs (PC, laptop, mobile) are scanned for malware with up-to-date antivirus before allowing sign-in again.
    2. Remove attacker persistence in mail and account settings
      1. In Outlook on the web and/or via Exchange/Defender tools, check for and remove:
        • Suspicious inbox rules (especially ones that forward mail externally or move mail to unexpected folders like Notes, RSS, or Junk).
        • Any newly configured external forwarding on the mailbox.
        • Suspicious automatic replies or signatures.
      2. In Microsoft 365, also review:
        • Connected accounts and app permissions; revoke anything not recognized.
        • Any changes to the user’s contact details in the Global Address List (name, phone, address).
    3. Investigate the scope of compromise
      1. Use Microsoft Entra sign-in logs and risk reports to review:
        • IP addresses, locations, times, and success/failure of sign-ins around the time of the incident.
      2. Use audit logs in the Microsoft Defender portal and Azure audit logs to identify what actions were taken while the account was compromised.
      3. Use Message Trace and the Sent Items folder to see which bogus emails were sent so affected clients can be notified and warned not to trust those messages.
    4. Restore email sending and normal operation
      1. If the mailbox was used to send spam, Microsoft 365 may have blocked it from sending email. In that case, remove the user from the Restricted entities list as described in the outbound spam remediation guidance.
      2. After the investigation and cleanup, re-enable the account (if it was disabled) and confirm that:
        • No malicious rules or forwarding remain.
        • MFA is enforced and working.
    5. Recover deleted inbox mail
      1. If the attacker deleted messages, recovery options depend on retention settings:
        • First, check the user’s Deleted Items and Recoverable Items (Recover Deleted Items) in Outlook/Outlook on the web.
        • If the mailbox is under a retention policy, litigation hold, or has sufficient deleted item retention configured, an Exchange or Microsoft 365 admin may be able to recover items beyond what the user sees. This is done via admin tools and eDiscovery/Content Search, not described in detail in the provided context but is the standard Microsoft 365 approach.
      2. If no retention/hold was configured and deleted items are past the retention window, full recovery of the entire inbox may not be possible.
    6. Communicate with clients
      1. Inform affected clients that the mailbox was compromised and that they should ignore or delete the bogus emails.
      2. Advise them not to click links or open attachments from those messages.

    For future protection, ensure MFA is enforced tenant-wide, monitor sign-in and audit logs regularly, and review outbound spam and forwarding policies.


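The investigation and recovery steps in the answer above (audit log review, message trace of the bogus mail, the Restricted entities check, and admin-side recovery of purged items), as one added PowerShell example that is not code from the answer or from Microsoft. It assumes the ExchangeOnlineManagement module, an administrator holding the Audit Logs and Mailbox Import Export roles, unified audit logging enabled in the tenant, and a placeholder UPN and seven-day window that you would replace with the real ones.

```powershell
# Added example, not from the original answer. Assumes ExchangeOnlineManagement,
# an admin with Audit Logs + Mailbox Import Export roles, and unified auditing on.
Connect-ExchangeOnline -ShowBanner:$false

$User  = "alice@contoso.example"     # placeholder UPN
$Start = (Get-Date).AddDays(-7)      # widen to cover the suspected compromise window
$End   = Get-Date

# --- 1. What did the account do? Unified audit log, filtered to attacker-typical operations ---
$Ops = @("UserLoggedIn", "New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Add-MailboxPermission",
         "SoftDelete", "HardDelete", "MoveToDeletedItems", "SendAs", "Send", "Consent to application.")
$Audit  = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $User -Operations $Ops `
                                 -ResultSize 5000 -SessionCommand ReturnLargeSet
$Events = $Audit | ForEach-Object { $_.AuditData | ConvertFrom-Json }

# Sign-ins grouped by source IP: an address the business has never used is the pivot point.
$Events | Where-Object Operation -eq "UserLoggedIn" |
    Group-Object ClientIP | Sort-Object Count -Descending | Select-Object Count, Name

# Rule changes and deletions in time order, with the IP that performed each one.
$Events | Where-Object { $_.Operation -in "New-InboxRule", "Set-InboxRule", "SoftDelete", "HardDelete", "MoveToDeletedItems" } |
    Select-Object CreationTime, Operation, ClientIP, @{ n = "Detail"; e = { $_.Parameters | ConvertTo-Json -Compress } } |
    Sort-Object CreationTime | Format-Table -AutoSize

# --- 2. Which bogus messages went out? Trace by sender and keep the list for client notification ---
# Older ExchangeOnlineManagement versions expose this as Get-MessageTrace with the same parameters.
Get-MessageTraceV2 -SenderAddress $User -StartDate $Start -EndDate $End |
    Select-Object Received, RecipientAddress, Subject, Status |
    Sort-Object Received | Export-Csv ".\sent-during-compromise.csv" -NoTypeInformation

# --- 3. Outbound spam may have put the mailbox on the Restricted entities list ---
if (Get-BlockedSenderAddress -SenderAddress $User) {
    Remove-BlockedSenderAddress -SenderAddress $User
}

# --- 4. Admin-side recovery: Recoverable Items, including items the user already purged ---
# Preview first, then restore. Items past the deleted-item retention window will not be listed.
$Recoverable = Get-RecoverableItems -Identity $User -FilterStartTime $Start -FilterEndTime $End -ResultSize Unlimited
$Recoverable | Group-Object SourceFolder | Select-Object Count, Name

Restore-RecoverableItems -Identity $User -FilterStartTime $Start -FilterEndTime $End -ResultSize Unlimited
```

Run the audit search before cleanup so the attacker's rule creation and deletion events are read while they still tie to the original session; the `Search-UnifiedAuditLog` page limit is 5,000 records, so narrow the window or split the operations if the set is larger. `Restore-RecoverableItems` returns purged items only while they remain inside the mailbox's retention window or hold, which is the same limit the answer describes for user-side recovery.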
