![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 1%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 98%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKL%3C/text%3E%3C/svg%3E)
Hi @Vanja Kralj,
Welcome to Microsoft Q&A forum.
Thank you for reaching out and I’m sorry that you’re experiencing this issue. I understand how concerning it is to see emails being sent without your knowledge. You did the right thing by changing your password and signing out of all devices, and I want to acknowledge that these were excellent first steps toward securing your account.
Even with those steps completed, the issue can still continue because the emails appearing in your Sent Items indicate that your mailbox was actively being used to send spam, not just spoofed from outside. This usually means the attacker may still have had some level of access or left behind something that continues to operate in the background. A password change alone doesn’t always fully stop this, as attackers often create hidden inbox rules, turn on automatic forwarding, grant permissions to malicious apps, or continue using valid refresh tokens that remain active until manually revoked.
Here are recommend steps you can safely do yourself:
1. Check for suspicious inbox rules
Attackers often create rules that automatically move or send messages.
- Go to Outlook Web: https://outlook.office.com
- Select Settings > Mail > Rules
- If you see any rule you don’t recognize, delete it.
2. Check automatic email forwarding
- In Outlook Web, go to Settings > Mail > Forwarding
- Ensure forwarding is turned off
- Remove any address you did not set up
3. Review devices connected to your account
- Go to: https://account.microsoft.com
- Select Devices
- Review all connected devices
- Remove anything you don’t recognize
4. Turn on two‑step verification (highly recommended)
- This helps block attackers even if they know your password. You can turn this on under: Security Info > Add sign‑in method > Microsoft Authenticator.
5. Run a full malware scan on all your devices
Please check:
- Your computer
- Your mobile phone
- Any other device where the account is used Use updated antivirus software and run a full scan.
6. Change your password again after cleaning your devices
This helps remove any remaining old sessions.
Here ae steps your IT department should handle:
(If this is a work or school account)
1. Check for hidden or server‑side forwarding rules
These rules don’t appear in the user interface and must be checked by an admin.
2. Check for suspicious sign‑ins or unauthorized access
Admins can review sign‑in logs, legacy protocol usage, and app passwords in the Microsoft 365 admin center.
Reference: What are Microsoft Entra sign-in logs?
3. Reset or revoke compromised sessions
Admins can force a global sign‑out to invalidate all remaining refresh tokens.
4. Verify mailbox access from unknown countries or apps
This requires admin-level audit tools.
5. Apply stronger security policies
For example:
- Disable legacy authentication
- Enforce MFA for all users
- Apply conditional access policies
If the issue persists:
- Please contact the IT security team to review the account for possible policy restrictions, mailbox rules, or compromised settings.
- If the IT team is unable to identify the issue, they can raise a support ticket from the Microsoft 365 admin center so Microsoft Support can investigate further.
I hope this information helps. Please try the steps and let me know whether they resolve the issue. If the problem persists, we can work together to find a solution.
As other users will also search for information in this community, your vote can significantly help those with similar inquiries quickly locate the most relevant resources.
Thank you for your kindness and for contributing to the forum.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.