Emails overwritten by scam email/[Draft] scam email keeps coming back

Question

Emails overwritten by scam email/[Draft] scam email keeps coming back

Andrew L 25

My emails keep getting overwritten by a scam email whenever they get to my inbox. I also keep getting a [Draft] email with the scam email in my inbox even after deleting it. There's no rules, no connected apps, forwarding is turned off, I've tried all the methods to fix it that are online and nothing is working. It happens on the email app and web browsers, in Incognito mode and regular mode.

When I try to reach out to support it just keeps telling me to sign-in and when I sign-in it tells me I need to sign-in. I can't seem to get connected to any support services. It's very frustrating.

Matt G 15 Reputation points

2026-03-01T16:52:55.1166667+00:00

Hello, I seem to have stumbled upon a proper solution.

I did everything suggested in all of these posts and nothing worked. I was still getting spam drafts, and legitimate incoming emails were being converted to the phishing email text.

Signing out of everything, changing all my passwords, deleting a rule that had been assigned to my email, removing a passkey the scammers had added to my login methods, and logging into my Microsoft account and going Privacy>Apps and Services>App Access and removing access to any app I didn't immediately recognise stopped the flow of spam out of my account. (I'm sorry, I can't recall how to do everything exactly - it's 4am and I need to go to bed. There's advice online if you search for what you're after)

I'm not sure if this helped so maybe do it last if you need to, but I went into the To-Do app (a 'tick' symbol' on the left-hand sidebar in the Outlook for Windows app) and downloaded an auto-clicker app so I could walk away from my PC and check off every one of the 1500 flagged spam emails I had in there. I had no 'to-do' items, but I figured it couldn't hurt.

The REAL game changer was downloading Outlook Classic

https://support.microsoft.com/en-au/office/install-or-reinstall-classic-outlook-on-a-windows-pc-5c94902b-31a5-4274-abb0-b07f4661edf5

and MFCMapi (there's a few versions, 64bit was the one I needed)

https://github.com/microsoft/mfcmapi/releases/tag/25.0.25267.02

Outlook Classic tries to block you with a window asking you to pay for Office365, but I found that you can simply ignore it, click the email window, and still use the app as normal.

Once Outlook Classic is installed and you've added your affected email address to it, you can press WIN+R and type in outlook /cleanrules to wipe all rules from the default email.

Then open MFCMapi and follow this guide up to STEP 11:

https://learn.microsoft.com/en-us/archive/blogs/hkong/how-to-delete-corrupted-hidden-inbox-rules-from-a-mailbox-using-mfcmapi

If Outlook Classic is set as your default email app, MFCMapi should automatically locate it. It won't work with the Outlook for Windows app. I found that I didn't need to change anything, just install Outlook Classic and it worked straight away.

I found no hidden rules, BUT I did find several lines that were timestamped yesterday - the day my account was invaded. The additions before that were from at least 6 years prior so it made me suspicious. After a fair bit of deliberation I right-clicked and deleted all of lines added yesterday.

I then forced a few emails into my inbox by trying to change my passwords, and voila. No more spam, no more changes to the content.

As far as I can tell, any emails that have been changed are gone for good. I'm guessing they're all requests for confirmation for password changes so I'd suggest keeping them as a record of all the accounts you're probably going to want to change the passwords to.

I hope this works for you.
Hornblower409 5,895 Reputation points

2026-03-01T18:42:04.95+00:00

@Matt G
Thank you for reporting back on what worked for you. I am glad you found a fix for your account.

But I would warn anyone else trying to copy your technique that MFCMAPI can be very dangerous.

https://robert365.com/article/hidemovedeletemfcmapi

Warning! MFCMapi is a low-level mailbox editing tool. It’s designed for expert users and developers only so pretty much all safety nets are missing and making a mistake could result in total destruction of your mailbox data.
Hornblower409 5,895 Reputation points

2026-03-01T18:56:01+00:00

@Matt G said

I found no hidden rules, BUT I did find several lines that were timestamped yesterday - the day my account was invaded

Were the items you found in the Inbox Hidden contents? If not, do you remember where you found them and what item type they were?

I ask because I'm wondering if using the Classic Outlook Outlook.exe /cleanrules command might have done the same thing you did with MFCMAPI.

https://learn.microsoft.com/en-us/answers/questions/4545369/clear-all-outlook-rulesat-once
Matt G 15 Reputation points

2026-03-01T23:51:53.4133333+00:00

@Hornblower409

Yes.

Step 11 of the guide I linked above takes you to the 'Inbox hidden contents' folder.

I ran both outlook /cleanrules and outlook.exe /cleanrules before I attempted anything with MFCMapi and neither stopped the self-replicating drafts or the conversion of the content of incoming emails.

Only one of the suspicious lines I found in the Inbox Hidden Contents folder had the word 'rule' in it, and it wasn't deleted by the above commands. The ones I deleted were all created on the day I began having issues. Every other line was created between 7-10 years earlier, so it was extremely likely that these new lines that just happened to be created on the exact same day my account was overrun weren't critical to Outlook's normal operation. I was already facing abandoning the unusable account anyway, so the choice was between ruining an already broken account, or saving 15 years of digital life and restoring access to every online login I use that account for.

It turned out to be a good guess, but a guess nonetheless. I strongly advise against anyone deleting anything timestamped outside of the timeframe of their ordeal. To reiterate - all incoming emails into my account were having their content converted and were effectively unreadable. I addressed the problem on the same day it occurred, so no changes beyond the problems I'd encountered had taken place. If this is not your issue or your situation, more caution may be appropriate.
Hornblower409 5,895 Reputation points

2026-03-02T00:44:56.5233333+00:00

@Matt G said

I ran ... outlook.exe /cleanrules before I attempted anything with MFCMapi and [it did not fix the problems]

Than you for the detailed report. Appreciate the time you took to do the write-up.

Not what I expected. And now the situation is even more confusing that before.

We have some users who fixed the problem with only "The Usual Suspects" for a case like this (Sign-out everywhere, remove any app access, delete any visible Rules, etc.). Others who had to use outlook.exe /cleanrules in addition to everything else. And now, at least in your case, even that wasn't enough.

All I can suggest is that any user who gets hit by this plague use the Microsoft Feedback process to report the problem. The more users who report it, the better the chances that Microsoft will notice.

https://support.microsoft.com/en-us/office/how-do-i-give-feedback-on-microsoft-365-2b102d44-b43f-4dd2-9ff4-23cf144cfb11

MS 365 Subscriber Support
https://www.microsoft.com/en-us/microsoft-365/support

All others
https://support.microsoft.com/home/contact

5 answers

Your answer

Hornblower409 5,895 Reputation points

2026-03-01T18:42:04.95+00:00

@Matt G
Thank you for reporting back on what worked for you. I am glad you found a fix for your account.

But I would warn anyone else trying to copy your technique that MFCMAPI can be very dangerous.

https://robert365.com/article/hidemovedeletemfcmapi

Warning! MFCMapi is a low-level mailbox editing tool. It’s designed for expert users and developers only so pretty much all safety nets are missing and making a mistake could result in total destruction of your mailbox data.
Hornblower409 5,895 Reputation points

2026-03-01T18:56:01+00:00

@Matt G said

I found no hidden rules, BUT I did find several lines that were timestamped yesterday - the day my account was invaded

Were the items you found in the Inbox Hidden contents? If not, do you remember where you found them and what item type they were?

I ask because I'm wondering if using the Classic Outlook Outlook.exe /cleanrules command might have done the same thing you did with MFCMAPI.

https://learn.microsoft.com/en-us/answers/questions/4545369/clear-all-outlook-rulesat-once
Matt G 15 Reputation points

2026-03-01T23:51:53.4133333+00:00

@Hornblower409

Yes.

Step 11 of the guide I linked above takes you to the 'Inbox hidden contents' folder.

I ran both outlook /cleanrules and outlook.exe /cleanrules before I attempted anything with MFCMapi and neither stopped the self-replicating drafts or the conversion of the content of incoming emails.

Only one of the suspicious lines I found in the Inbox Hidden Contents folder had the word 'rule' in it, and it wasn't deleted by the above commands. The ones I deleted were all created on the day I began having issues. Every other line was created between 7-10 years earlier, so it was extremely likely that these new lines that just happened to be created on the exact same day my account was overrun weren't critical to Outlook's normal operation. I was already facing abandoning the unusable account anyway, so the choice was between ruining an already broken account, or saving 15 years of digital life and restoring access to every online login I use that account for.

It turned out to be a good guess, but a guess nonetheless. I strongly advise against anyone deleting anything timestamped outside of the timeframe of their ordeal. To reiterate - all incoming emails into my account were having their content converted and were effectively unreadable. I addressed the problem on the same day it occurred, so no changes beyond the problems I'd encountered had taken place. If this is not your issue or your situation, more caution may be appropriate.
Hornblower409 5,895 Reputation points

2026-03-02T00:44:56.5233333+00:00

@Matt G said

I ran ... outlook.exe /cleanrules before I attempted anything with MFCMapi and [it did not fix the problems]

Than you for the detailed report. Appreciate the time you took to do the write-up.

Not what I expected. And now the situation is even more confusing that before.

We have some users who fixed the problem with only "The Usual Suspects" for a case like this (Sign-out everywhere, remove any app access, delete any visible Rules, etc.). Others who had to use outlook.exe /cleanrules in addition to everything else. And now, at least in your case, even that wasn't enough.

All I can suggest is that any user who gets hit by this plague use the Microsoft Feedback process to report the problem. The more users who report it, the better the chances that Microsoft will notice.

https://support.microsoft.com/en-us/office/how-do-i-give-feedback-on-microsoft-365-2b102d44-b43f-4dd2-9ff4-23cf144cfb11

MS 365 Subscriber Support
https://www.microsoft.com/en-us/microsoft-365/support

All others
https://support.microsoft.com/home/contact

Answer 1

John Jefferson Doyon 62,215 Independent Advisor

Hi, I'm John! I will help you with this.

If you haven't tried anything yet please start by running a full antivirus scan on your computer using Windows Security and any third-party antivirus software you have.

To be safe, I recommend the following steps:

Check your account rules and forwarding settings, hackers create rules that automatically forward or delete emails. You can do this in Outlook settings under Mail > Rules and Forwarding. https://support.microsoft.com/office/manage-email-messages-by-using-rules-in-outlook-c24f5dea-9465-4df4-ad17-a50704d66c59

Just to be safe, I’d recommend to sign out everywhere. Visit: https://account.live.com/proofs/manage/additional Scroll down to Sign me out and select "Sign me out".

And changing your password again and enabling two-step verification if you haven’t already. This will add an extra layer of security to prevent future unauthorized access.

If you notice anything unusual in your account settings or purchase history, you might also want to check the Microsoft account security page https://account.microsoft.com/security to review recent activity.

"How to help keep your Microsoft account secure" https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-secure-628538c2-7006-33bb-5ef4-c917657362b9

I really hope this information is helpful! Let me know if you have any further questions or concerns.

Regards,

John J.D.

Andrew L 25 Reputation points

2026-02-21T20:54:48.5166667+00:00

I've already done all that and it hasn't fixed anything.
John Jefferson Doyon 62,215 Reputation points Independent Advisor

2026-02-21T20:56:28.6866667+00:00

Could you share a screenshot of the actual draft scam message you're seeing? Thanks.
Andrew L 25 Reputation points

2026-02-21T20:59:42.75+00:00

emails to my inbox are immediately overwritten and I keep getting a "[Draft]" with the same thing.
John Jefferson Doyon 62,215 Reputation points Independent Advisor

2026-02-21T21:18:36.1233333+00:00
Thank you for letting me know.

In some cases, Remote Access Trojans (RATs) are used in more sophisticated attacks to compromise Outlook accounts. These can allow attackers to manipulate emails, create drafts, and send scam messages without your permission.

For now, I strongly recommend isolating the device where you are currently signed in to Outlook. If possible, please disconnect it from the internet until we complete the checks.

Next, please run a full deep scan using a trusted security tool:

Download and run Microsoft Safety Scanner here: https://learn.microsoft.com/defender-endpoint/safety-scanner-download

After running the scan, please restart your PC and monitor whether the issue continues.

In addition, please make sure to:

Update Windows and all security software.

Remove any unknown programs or browser extensions.

Avoid signing in to your email on this device until it is confirmed clean.

Let me know how it goes or if you have any further questions or concerns.
John Jefferson Doyon 62,215 Reputation points Independent Advisor

2026-02-21T21:20:58.0933333+00:00

Your screenshot contains personally identifiable information, such as an email address. Please edit your response and delete the image. Thanks.
Andrew L 25 Reputation points

2026-02-21T22:02:36.11+00:00

I deleted the personal information. How do I fix this? There's no apps connected, no rules that I can find, forwarding is off, all the things you said I have done, and I erase the one that says [Draft] and immediately a new one appears in the drafts folder for a very quick moment then goes to the inbox and any new email is automatically changed, to what you can see there.
John Jefferson Doyon 62,215 Reputation points Independent Advisor

2026-02-21T22:06:14.72+00:00

Thank you for editing the PII and letting me know. Please follow the next steps I mentioned about running Microsoft Safety Scanner, and let me know how it goes.
Andrew L 25 Reputation points

2026-02-22T16:17:07.0533333+00:00

I think that may have fixed it, or one of the many things I tried all day. The [Draft] hasn't come back and my new emails are not being changed so far. Thank you for the help.
John Jefferson Doyon 62,215 Reputation points Independent Advisor

2026-02-22T21:23:01.0966667+00:00

Glad to assist!
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
John Jefferson Doyon 62,215 Reputation points Independent Advisor

2026-02-23T01:03:53.5866667+00:00

I am glad that worked!

If you don't have any more questions, if you'd like, you can click "Yes" below the response that provided the helpful solution. This way, any users who come across this thread with similar issues will find the steps and benefit as well. Thank you!
Hornblower409 5,895 Reputation points

2026-02-23T01:18:27.8266667+00:00

@Andrew L said

I think [Microsoft Safety Scanner] may have fixed it

If you would please, to help us understand the problem better:

Microsoft Safety Scanner should have generated a log file at:
C:\Windows\debug\msert.log
Could you examine that file in Notepad and report on what, if any, malware it found?

Answer 2

Luke 10

I've just fixed this for a customer I had. Ended up being a hidden rule as many have suspected.

The fix for me was to add the compromised account to a full featured version of Outlook. I used Outlook (classic).

NOT the version of Outlook which is pre-installed.

Then run the following command in Run (WIN +R)

outlook /cleanrules

EDIT: First step should be to remove consent for Thunderbird and Microsoft Graph at the following link: https://microsoft.com/consent

Also, remove any email forwarding which shouldn't be there, reset passwords, add 2FA, remove any email forwarding which shouldn't be there.

Hornblower409 5,895 Reputation points

2026-02-27T13:42:49.0966667+00:00

@Luke
Thank you very much for reporting back on your solution.

Ended up being a hidden rule as many have suspected

Do I understand correctly - You could not even see the Rule when using Outlook Web or New Outlook for Windows? And the only way you could get rid of it was using the Classic Outlook command line?

If so, this is going to be a major stumbling block for users who do not have access to Classic Outlook. Since, as far as I know, the only other way to remove a hidden Rule is via Exchange Admin PowerShell commands.
Luke 10 Reputation points

2026-02-28T12:07:47.1133333+00:00

I didn't see any other rules, only saw Rules I created and removed etc.

I tried running the command using the free version of Outlook and just got an error message.
I also tried the PowerShell commands and they didn't work.

Even doing a free trial of O365 could be a possible solution.

Answer 3

Hornblower409 5,895

2026-02-28 - Removed by author. Out of date.

Answer 4

L. Timmons 0

I am having this same issue and keep getting sent on an endless loop back to Microsoft support that cannot help me. And ehen i go to the direct link for outlook support I get looped back to my hacked and hijacked email inbox. PLEASE HELP ME.

Hornblower409 5,895 Reputation points

2026-02-23T01:00:18.0733333+00:00

@L. Timmons said

getting sent on an endless loop back to Microsoft support

You must have a working Microsoft email account to use Chat or any other Support Services. If you can not logon or receive emails with your current account, create a new, temporary one at https://signup.live.com

Chat Support

Open a browser to https://support.microsoft.com/en-us/home/contact

Tell us your problem: "Hacked Account"

[Get Help] {Scroll down to the bottom of the page} [Sign in to Contact Support]

Sign in with any Microsoft account

Products and services: "Other Products"

Category: "Manage Account Security"

[Confirm]

Choose a support option -> "Chat with a support agent in your web browser"
L. Timmons 0 Reputation points

2026-02-23T01:56:08.17+00:00

None of that worked. I was however receiving actual emails as of 8:02pm EST. Maybe outlook looked into the issue that many people were having and actually solved it on their own. I can hope anyway.
noah 0 Reputation points

2026-03-13T05:38:15.5033333+00:00

Having the same issue
Hornblower409 5,895 Reputation points

2026-03-13T05:45:58.0233333+00:00

@noah said

Having the same issue

If you have already tried all the suggestions in this thread and still have a problem. You are going to need Microsoft Support to clean up your account on the Microsoft servers. See my Comment above for how to use Chat Support.

Answer 5

It seems that your email account may be compromised, especially since you're experiencing issues with scam emails and drafts reappearing. Here are some steps you can take to resolve this:

Inspect Inbox Rules: Even if you believe there are no rules in place, revisit the settings in Outlook. Navigate to Settings → Mail → Rules and check for any hidden or suspicious rules that might be causing the issue.
Check Forwarding Settings: Ensure that there are no unknown forwarding addresses set up. Attackers may create forwarding rules to send copies of your emails to another account.
Sign Out Everywhere: Access your Microsoft Account Security settings and use the option to sign out of all sessions. This will help terminate any active sessions that could be compromised.
Manage App Permissions: Review the applications that have access to your account. Revoke permissions for any apps that you do not recognize or trust.
Utilize PowerShell Commands: If you have admin access to Microsoft 365, you can run PowerShell commands to identify and remove hidden inbox rules. For example, using Get-InboxRule -Mailbox youraddress@example.com can help uncover any rules not visible in the standard settings.
Reset Your Password: After completing the above steps, reset your password again and ensure that multi-factor authentication (MFA) is enabled for additional security.
Monitor Activity: Keep an eye on your sign-in logs for any suspicious activity. This can help you determine if someone else is accessing your account.

If these steps do not resolve the issue, consider reaching out to Microsoft Support for further assistance.

Share via

Emails overwritten by scam email/[Draft] scam email keeps coming back

5 answers

Your answer