Using Outlook for Android for personal email and calendar management
The behavior described is consistent with a compromised mailbox where a malicious rule or integration is modifying messages after delivery. To stop it, the account and mailbox must be fully secured, not just the device.
Follow these steps in order:
- Secure devices first
- On every device used with Outlook (PC, Mac, Android, iOS), run a full, up-to-date antivirus/antimalware scan.
- Make sure the operating system and apps are fully updated, as recommended in the Outlook.com protection guidance.
- Sign out all sessions and reset credentials
- Go to the Microsoft account security page and use the option to sign out of all sessions ("Sign out everywhere" or equivalent) so any attacker sessions are killed.
- Change the account password to a strong, unique one that is not used anywhere else.
- Enable multi-factor authentication (MFA) on the Microsoft account. Experience from similar cases shows that once MFA is enforced, malicious rules and activity usually stop.
- Check for malicious rules and forwarding
Using Outlook on the web (not just the mobile app):
- Go to Settings → Mail → Rules and delete any rule that:
- Renames subjects
- Moves messages to unexpected folders (Junk, RSS, Notes, etc.)
- Forwards or redirects mail to unknown addresses.
- Go to Settings → Mail → Forwarding and remove any forwarding address that is not explicitly configured.
If using a Microsoft 365/Exchange account and an admin is available:
- In Exchange Online PowerShell, run Get-InboxRule -Mailbox user@domain (or the more detailed example from the compromised-account guidance) to list all rules, including hidden ones, and remove any suspicious rules.
- Check for other compromise indicators
Based on the compromised-account guidance, review for:
- Suspicious items in Sent Items or Deleted Items (e.g., scam or extortion emails).
- Unexpected changes to signatures.
- Recently added external forwarding in tenant outbound spam policies (for Microsoft 365 admins).
- Review sign-in and account activity
- For Outlook.com/Microsoft accounts, review recent activity at https://account.live.com/activity to see where and when the account has been accessed and confirm there are no unknown sign-ins.
- For Microsoft 365 work/school accounts, an admin should review Microsoft Entra sign-in logs and Defender audit logs as described in the compromised-account article.
- Continue monitoring
- After cleanup, monitor the mailbox for a period to confirm that:
- No new suspicious rules appear.
- Subjects are no longer being changed.
- No new suspicious sign-ins are logged.
If the problem persists after all of the above, contact Microsoft Support with details that the mailbox appears compromised and that rules or server-side processing are altering message subjects after delivery.
References:
- Help protect your Outlook.com email account
- Respond to a compromised cloud email account
- Common symptoms of a compromised Microsoft 365 email account
- Secure and Restore Email Function to a Compromised Microsoft 365 Mail Enabled Account
- Hacker set up continuous draft ransomware email - Microsoft Q&A
- I have seen great advice for deleting the idtienphuoc1 Rule but none for stopping it from re-adding itself - Microsoft Q&A
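
The rule and forwarding review described in the answer above, as an added example that is not part of the original answer or of Microsoft's guidance. It assumes a Microsoft 365/Exchange Online mailbox, the ExchangeOnlineManagement module, and an admin session; user@domain is the answer's placeholder and the folder pattern is built from the folders the answer names.

```powershell
# Added example: read-only review of one mailbox's inbox rules and forwarding.
# Nothing here deletes or changes a rule; it only lists what needs a closer look.
$Mailbox = 'user@domain'            # placeholder from the answer; replace it
$OddFolderPattern = 'Junk|RSS|Notes' # move targets the answer calls unexpected

Connect-ExchangeOnline

# -IncludeHidden makes rules that are not shown in the Outlook UI appear too.
$rules = Get-InboxRule -Mailbox $Mailbox -IncludeHidden

$flagged = foreach ($rule in $rules) {
    $reasons = @()

    # Any forward/redirect action is worth confirming with the mailbox owner.
    if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
        $reasons += 'forwards or redirects mail'
    }

    # Rules that file mail into folders the user rarely opens.
    if ("$($rule.MoveToFolder)" -match $OddFolderPattern) {
        $reasons += 'moves mail to an unexpected folder'
    }

    if ($reasons) {
        [pscustomobject]@{
            Name         = $rule.Name
            Enabled      = $rule.Enabled
            Reasons      = $reasons -join '; '
            ForwardTo    = $rule.ForwardTo -join ', '
            RedirectTo   = $rule.RedirectTo -join ', '
            MoveToFolder = $rule.MoveToFolder
            # Description is the rule's full conditions and actions in plain text;
            # read it to spot anything else the owner did not create.
            Description  = $rule.Description
        }
    }
}

"Rules total: $(@($rules).Count); flagged: $(@($flagged).Count)"
$flagged | Format-List

# Mailbox-level forwarding is set outside inbox rules, so check it separately.
Get-Mailbox -Identity $Mailbox |
    Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

Rules that are not flagged still deserve a read of their Description, since the script only pattern-matches the forwarding and folder-move cases.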