Acc hacked

Anonymous
2024-09-15T00:26:46+00:00

Hi, I received an email from my own email. It said I have been hacked, that Pegasus has been installed on my phone and that they have all my activity. How can I know whether it is real or not? I am checking the recent activity log for the past 3 months, and everything is an unsuccessful login. Kindly help; it was sent from my own email, which is why I am very worried.

***Moved from Microsoft 365 and Office / Other / Unknown / Other***

Outlook | Web | Outlook.com | Email

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

Answer accepted by question author

Anonymous
2024-09-18T01:14:41+00:00

Hi TEO Bs,

Glad to be of assistance to you.

If you think the above answers solved the problem, please mark ‘Yes’ under the replies you found helpful so that other customers can find a solution faster, thank you for your co-operation.😊

Have a nice day.

Best regards

Vivian - MSFT | Microsoft Community Support Specialist

1 person found this answer helpful.

6 additional answers

  1. Anonymous
    2024-09-15T08:27:12+00:00

    Hi Vivian,

    Yes, that is my email address, but with capital letters.

    I have checked the forwarding setting; it is off, and there are no other email addresses in the rules either.

    But I saw X-SID-Result: FAIL, which means it failed and it is a scam email, is it?

    I also saw Authentication-Results: spf=fail (sender IP is 194.87.33.38)

    Also Received-SPF: Fail (protection.outlook.com: domain of hotmail.com does not designate 194.87.33.38 as permitted sender) receiver=protection.outlook.com; client-ip=194.87.33.38; helo=me1577.com; Received: from me1577.com (194.87.33.38) by

    Also, I will attach the photo; it shows a ❓ mark there, which means unverified.

    In conclusion, for right now, this is a phishing scam email, am I right?
    I am really worried about it; it relates to my family as well.

    Thanks in advance.

  2. Anonymous
    2024-09-15T07:39:13+00:00

    Hi TEO Bs,

    Thank you for responding to let me know more about your situation.

    X-SID-PRA: @HOTMAIL.COM——@HOTMAIL.COM Is this your outlook account please? If not, then this could be the hacker's actual email address, which you can add to the blocked senders and report this email to abuse@ outlook.com. If this is your own email address then it could be the hacker performing an automatic forwarding operation. You can check this by doing the following:

    I know it shouldn't be possible for you to manually perform this action yourself so that you can check if someone has changed your email forwarding settings and rules.

    1. Sign in to Outlook Web.
    2. Click the gear icon in the top right corner to enter the email settings.
    3. Go to Mail > Forwarding and make sure forwarding is turned on.
    4. Go to Mail > Rules and make sure that forwarding rules are configured.

    I'm sure this can't be a forwarding process that you set up yourself, so disable it and delete any email addresses you don't recognize.

    If you would like to view the login activity log, you can click: https://account.live.com/activity

    There is another way to prevent hackers from logging into your account:

    Remove the login permissions for your current account name.

    This issue can be very effective in stopping intruders who already know your account name. To do this, click on this link (https://account.microsoft.com/) and sign in to your Microsoft account, then click [Your Info] on the left and then [Edit account info] on the right side of the screen that opens. In this interface, you can add an alias for your account as a new login name.

    Due to the current security risks associated with your account, I recommend that you create an alias with an outlook.com extension that doesn't require authentication. (If you are using the custom alias below, you will be prompted to verify that this alias exists. Only actual mailboxes can be added as aliases.) You will then need to click [Make Primary] to the right of your new alias to make it the primary alias.

    To add aliases if you still don't understand them, see Add or remove an email alias in Outlook.com - Microsoft Support

    Important: After adding a new primary alias, please do not delete your original primary alias, especially not the email address of the Microsoft domain name, after deletion the account will be completely deleted, as well as all Microsoft products purchased through the account, this process is irreversible, once again, do not delete the original primary alias!

    After that, click [Change sign-in preferences] at the bottom to remove the checkmark in front of your current account name. You have successfully removed the login permissions for your account name. You can test this by typing your account name into the login screen, where Microsoft will alert you that the username doesn't exist, which will prevent you from logging in, which is the same as someone trying to hack into your account. Please note that in this case, you will not be able to log in yourself with this account name. Please remember your changed account name. In addition, we have tested that you can still send and receive emails with this account name, and that the sender can use your account name as the recipient of the email and that the email functionality is not affected.

    Right now, as soon as you remove email addresses (from hackers) that you don't recognize, you're completely blocking the forwarding behavior, which is by far the most important and effective thing for you! 😊

    Thank you for your patience and support. I hope the above information is helpful to you. Feel free to let me know how it went by answering below.

    Best regards

    Vivian - MSFT | Microsoft Community Support Specialist

  3. Anonymous
    2024-09-15T06:15:31+00:00

    Hi Vivian, do you mean this?
    X-SID-PRA: ******@HOTMAIL.COM ?

    Then the next line shows failed; can you help me check it?

    But that is exactly my email, just with capital letters only, and I tried to put XXXX

    ```
    Received: from SEZPR04MB5947.apcprd04.prod.outlook.com (::1) by TYZPR04MB4349.apcprd04.prod.outlook.com with HTTPS; Sat, 14 Sep 2024 10:18:14 +0000
    Received: from AM0PR06CA0120.eurprd06.prod.outlook.com (2603:10a6:208:ab::25) by SEZPR04MB5947.apcprd04.prod.outlook.com (2603:1096:101:66::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7962.21; Sat, 14 Sep 2024 10:18:12 +0000
    Received: from AMS0EPF000001B0.eurprd05.prod.outlook.com (2603:10a6:208:ab:cafe::e8) by AM0PR06CA0120.outlook.office365.com (2603:10a6:208:ab::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7939.28 via Frontend Transport; Sat, 14 Sep 2024 10:18:11 +0000
    Authentication-Results: spf=fail (sender IP is 194.87.33.38) smtp.mailfrom=hotmail.com; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=hotmail.com;compauth=fail reason=001
    Received-SPF: Fail (protection.outlook.com: domain of hotmail.com does not designate 194.87.33.38 as permitted sender) receiver=protection.outlook.com; client-ip=194.87.33.38; helo=me1577.com;
    Received: from me1577.com (194.87.33.38) by AMS0EPF000001B0.mail.protection.outlook.com (10.167.16.164) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7918.13 via Frontend Transport; Sat, 14 Sep 2024 10:18:11 +0000
    X-IncomingTopHeaderMarker: OriginalChecksum:E7BD9B0759F285CD5BB068DC1F5244C5CC168A7F3F5B281E76AFBB3CC736C297;UpperCasedChecksum:27412AB58249E99844BF08D20B4179935DF536E8CE8B3985C03760BABE612CE8;SizeAsReceived:303;Count:7
    Message-ID: <******@hotmail.com>
    X-IncomingHeaderCount: 7
    Return-Path: ******@hotmail.com
    X-MS-Exchange-Organization-ExpirationStartTime: 14 Sep 2024 10:18:11.9615 (UTC)
    X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
    X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
    X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
    X-MS-Exchange-Organization-Network-Message-Id: 8c2d3666-a586-4913-aac1-08dcd4a689b2
    X-EOPAttributedMessage: 0
    X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
    X-MS-Exchange-Organization-MessageDirectionality: Incoming
    X-MS-PublicTrafficType: Email
    X-MS-TrafficTypeDiagnostic: AMS0EPF000001B0:EE_|SEZPR04MB5947:EE_|TYZPR04MB4349:EE_
    X-MS-Exchange-Organization-AuthSource: AMS0EPF000001B0.eurprd05.prod.outlook.com
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-UserLastLogonTime: 9/14/2024 8:45:30 AM
    X-MS-Office365-Filtering-Correlation-Id: 8c2d3666-a586-4913-aac1-08dcd4a689b2
    X-MS-Exchange-EOPDirect: **true
    X-Sender-IP: 194.87.33.38
    X-SID-PRA: ****@HOTMAIL.COM
    X-SID-Result: FAIL
    X-MS-Exchange-Organization-SCL: -1
    X-Microsoft-Antispam: BCL:0;ARA:1444111002|970799054|58200799015|47200799018|9800799012|7072599003|461199028|2700799026|6115599003|7310799015|1370799030|1360799030|1290799027|7112599012|6022199012|3412199025|440099028|2980499032|1710799026;
    X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Sep 2024 10:18:11.7427 (UTC)
    X-MS-Exchange-CrossTenant-Network-Message-Id: 8c2d3666-a586-4913-aac1-08dcd4a689b2
    X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
    X-MS-Exchange-CrossTenant-AuthSource: AMS0EPF000001B0.eurprd05.prod.outlook.com
    X-MS-Exchange-CrossTenant-AuthAs: Anonymous
    X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
    X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: SEZPR04MB5947
    X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.8163134
    X-MS-Exchange-Processed-By-BccFoldering: 15.20.7962.017
    X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;ex:0;psp:0;auth:0;dest:I;ENG:(5062000308)(920221119095)(90000117)(920221120095)(90005022)(91005020)(91035115)(9050020)(9100341)(1018006)(944500132)(2008001181)(2008121020)(4810010)(4910033)(9620004)(9525003)(10150021)(9320005)(120001);
    X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0xO1NDTD02
    X-Microsoft-Antispam-Message-Info:
    ```

    What should I do? Is it really being hacked? Can I check the activity log from more than 3 months ago?

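An added example, not part of any post in this thread and not Microsoft tooling: the Python below parses the `Authentication-Results` header posted above and reports whether anything ties the message to the domain shown in From. The function names, the verdict rule and the `GENUINE` counter-example are assumptions made for illustration.

```python
import re
from email import message_from_string

# Header lines copied from the message posted in this thread (folded for width).
SPOOFED = """\
Authentication-Results: spf=fail (sender IP is 194.87.33.38)
 smtp.mailfrom=hotmail.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=hotmail.com;compauth=fail reason=001
X-Sender-IP: 194.87.33.38

"""
# Constructed counter-example: the same header for a message that authenticates.
GENUINE = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=example.org; dkim=pass (signature was verified)
 header.d=example.org;dmarc=pass action=none header.from=example.org;compauth=pass reason=100

"""

def parse_auth_results(value):
    """Map each method (spf, dkim, dmarc, compauth) to its result and properties."""
    value = re.sub(r"\([^)]*\)", " ", value)      # strip parenthesised comments
    parsed = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:    # e.g. a leading authserv-id
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed[method.lower()] = {"result": result.lower(), **props}
    return parsed

def assess(raw_headers):
    """Summarise whether the visible From domain was authenticated."""
    msg = message_from_string(raw_headers)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    result = {m: auth.get(m, {}).get("result", "missing")
              for m in ("spf", "dkim", "dmarc", "compauth")}
    # Assumed rule: From is treated as forged when SPF and DMARC fail and no
    # DKIM signature passed, i.e. nothing ties the message to the claimed domain.
    forged = (result["spf"] in ("fail", "softfail")
              and result["dmarc"] == "fail" and result["dkim"] != "pass")
    return {"from_domain": auth.get("dmarc", {}).get("header.from"),
            "sender_ip": msg.get("X-Sender-IP"),
            "results": result, "from_forged": forged}

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, assess(raw))
```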
  4. Anonymous
    2024-09-15T05:23:41+00:00

    Hi TEO Bs,

    Thank you for using Microsoft products and posting in the community.

    I realize you received an email from yourself, it was the work of a hacker and I totally put myself in your shoes and understand how you feel.

    First of all, I need to explain to you: because the sender's address in the mail header is forged, the fraudster makes the victim believe that his mailbox ‘has been controlled’ by forging the sender's mailbox as the victim's incoming mailbox so that the victim receives an ‘email from himself’. This is to make the victim believe that their mailbox ‘has been controlled’ to achieve the purpose of fraud.

    If this email is a threatening scam email, then you should remember not to click on any links in the email, not to reply, and not to make payments to unfamiliar accounts, in order to avoid receiving threats that could result in loss of accounts or funds. As mentioned before, the header of SMTP protocol can be constructed arbitrarily, so its ‘From:’ field can be modified arbitrarily, and it will be shown as any sender (e.g. yourself) in the email. You can log in to your email at outlook.com (https://outlook.live.com/) and, on the web side, follow [View email source] and find [X-SID-PRA], followed by the actual sending email address.

    Also, you should not be able to move this email to "Spam" because the sender of this email is yourself (by the hacker), so you cannot directly report it as spam or move it to the spam folder, don't worry I will provide you with two options:

    1. You can report it to your local police or the Cybercrime Reporting Center.
    2. To report the discovery of illegal, unwanted, or malicious email messages from an Outlook.com, Hotmail, Live, or MSN account, forward a full copy of the invasive email, including the full headers, to ******@outlook.com. Sending these types of communications violates Microsoft policies, and Microsoft will take appropriate action for confirmed reports.

    I presume that the hacker is constantly trying to attack your account (but I can't guarantee that he's been successful), which is consistent with what you mentioned when you checked the recent activity logs for the last 3 months, which showed that everything was a failed login. For the sake of your account security, you can't take this lightly and always be on the lookout for your account being hacked. This is because if similar scam emails are sent over and over again, the server may automatically determine that your emails are behaving abnormally, which is exactly what hackers want😡!

    Don't worry, the hacker can't actually use your email, they'll use some masking tools to disguise your email. But more importantly, you need to take steps to prevent your account from being compromised. I recommend verifying your account for sensitive information, such as the presence of alternative aliases or authentication methods.

    Please refer to: How to help keep your Microsoft account safe and secure - Microsoft Support

    Thank you for your patience. I hope you find the above answers helpful, and if you have any questions or concerns, please feel free to contact us! 😊

    Best regards

    Vivian - MSFT | Microsoft Community Support Specialist
