I hope you are doing well ! I just want to check if you have had a chance to test the steps earlier? Please let me know if they helped resolve the issue or if you are still experiencing any difficulties. I am here to assist you further.
Best Regards
Compromised Account - Un-Deletable Rules
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 32%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESL%3C/text%3E%3C/svg%3E)
Spencer Legebokoff
5
Reputation points
Today my email was compromised—some of my existing emails, and all need incoming emails were changed to a spamming message asking to send money to seize the hack. I changed my password (twice) and signed out of all devices. No new issues occurred, meaning I felt the hacker no longer had access to my account.
However, went to "Rules" in my Settings, a rule called "idtienphuoc1" is there and forwards all new emails to a random email address. I cannot delete the Rule, and beyond the initial chat in Microsoft (which just directed me to go to "Help" and "Still need Help?" (which didn't get me to anyone different), there's nothing I can do.
I desperately need help, as all incoming emails get transformed into a spam message, making them unreadable. Please, someone help me.
Outlook | Web | Outlook.com | Email
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 17%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
liam 5 Reputation points2026-03-05T17:47:16.24+00:00 Im having the exact same attack right now. same rule title too. Ive done everything and nothing has flushed it out.
-
Hornblower409 5,820 Reputation points2026-03-05T19:36:50.7+00:00 @liam said
same rule title too. Ive done everything and nothing has flushed it out.You may need to bring in Microsoft Support so they can examine/repair your tenant on the mail server.
New Outlook in App Support
Help -> ? Help
Search Help -> {Your problem} -> [Enter]
Still need help? -> [Yes]
Sign In with any Outlook/Microsoft account
Choose a support option -> Chat with a support agent in your web browser
Sign in to comment
3 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 57.99999999999999%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
Alice-N 7,485 Reputation points Microsoft External Staff Moderator2026-02-26T00:14:22.2033333+00:00 -
Alice-N 7,485 Reputation points Microsoft External Staff Moderator
2026-02-25T05:05:37.0633333+00:00 Thanks for reaching out to the Microsoft Q&A forum. I’m sorry to hear your account was compromised. I know how stressful that can be, and I’ll do my best to help you recover it.
Please make sure you already tried the Q&A Assist steps. In addition, please do these recovery steps in order:
1, Check and remove forwarding
- Go to Settings > Mail > Forwarding
- Make sure Forwarding is OFF
- Delete any unknown forwarding address
2, Check “Inbox rules” again
- Settings > Mail > Rules
- Try deleting the suspicious rule again
- If it will not delete, move to Step 3
3, Remove all third‑party app permissions
Attackers often keep access through old app tokens even after password resets.
- Open: https://account.microsoft.com/security
- Select “Advanced security options”
- Scroll to “Apps and services you’ve given access to your account”
- Remove every app you do not recognize
- Remove anything with IMAP, SMTP, or POP permissions if you don’t use those apps
4, Sign out of all sessions (full reset)
Still in Advanced security options:
- Select “Sign me out everywhere”
- Then reset your password again using this guidance: Reset a forgotten Microsoft account password - Microsoft Support
- This will force every malicious session to close.
5, Enable MFA
- Turn on two-step verification so an attacker cannot re-enter.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 74%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECJ%3C/text%3E%3C/svg%3E)
Cody Jordison 0 Reputation points2026-02-26T00:58:09.0866667+00:00 I had this happen today as well. I have recovered the account and enabled 2 factor however the bot installed a Remote Access Trogan. They are using it to delete alllll my emails and any incoming email before I can read it - making my account useless
-
Alice-N 7,485 Reputation points Microsoft External Staff Moderator
2026-02-26T03:22:18.73+00:00 Have you tried the solution above? please create a new Microsoft Q&A thread so your case can be further escalated:
- Go to Microsoft Q&A > Ask a question and post a new thread.
- Use a suitable category.
- Make a title.
- Include: account type, OS, what you’ve tried, and screenshots of Inbox rules/forwarding.
Meanwhile, please also try to:
- Disconnect the infected PC from the internet, scan with a trusted AV.
- From a clean device: change your Microsoft password, sign out of all sessions, and review Security info.
- In Outlook.com: remove suspicious Inbox rules/forwarding and restore mail from Deleted/Recoverable Items.
Thank you for your understanding.
Sign in to comment -
Q&A Assist2026-02-23T21:52:32.56+00:00 AI generated content. This question contains an answer created with AI from Q&A Assist. Learn moreTo address the issue of the undeletable rule in your Microsoft 365 account, follow these steps:
- Sign in to Outlook Web: Go to the Outlook web application and log in to your account.
- Access Rules: Navigate to Settings > Mail > Rules to check for any suspicious rules.
- Delete Suspicious Rules: If you find the rule "idtienphuoc1" that forwards emails, try deleting it again. If it does not delete, proceed to the next steps.
- Check for Forwarding: Go to Mail > Accounts > Forwarding and ensure there are no unknown forwarding addresses set up. Disable any forwarding if necessary.
- Use PowerShell: If you have admin access, you can use PowerShell commands to find and delete hidden rules. Use the command
Get-InboxRule -Mailbox youraddress@example.comto list all rules and delete the unwanted one. - Revoke App Permissions: Go to Microsoft Account Security and revoke any apps you do not recognize, as hackers may use these to maintain access.
- Monitor Account Activity: Keep an eye on your account for any further suspicious activity and ensure you have Multi-Factor Authentication (MFA) enabled.
If these steps do not resolve the issue, consider reaching out to Microsoft Support for further assistance.
References: