![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 41%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
The described behavior strongly indicates that the account (including the old Hotmail alias) is or has been compromised and that an automated mechanism (rule, hidden rule, or external access) is still active.
Take these steps in order:
- Verify and remediate compromise
- Review the common compromise indicators listed for Microsoft 365 mailboxes (blocked from sending, suspicious rules, forwarding, unexpected drafts, etc.). If any are present, treat the mailbox as compromised and follow the remediation pattern described for compromised accounts.
- Use the guidance in How to recover a hacked or compromised Microsoft account to:
- Run a full malware/antivirus scan on every device that has accessed this account.
- Only after scans are clean, change the Microsoft account password again to a strong, unique password.
- Confirm that the new password is not reused anywhere else.
- Re-check account and mailbox configuration After securing devices and resetting the password:
- Sign in to the Microsoft account security page and review:
- Recent activity for unusual sign-ins or locations. If any activity is not recognized, mark it as not yours and follow the prompts to secure the account.
- Ensure two-step verification remains enabled and recovery info (phone, alternate email) is correct.
- In Outlook/Outlook.com (web):
- Re-check Rules, Forwarding, and Automatic replies for any suspicious or newly created entries and remove them.
- Re-check any connected accounts or POP/IMAP settings and ensure none are configured to send or manipulate mail on behalf of the Hotmail alias.
- Look for hidden or advanced rules / forwarding
- For consumer accounts, hidden rules are harder to see, but the same compromise patterns described for Microsoft 365 apply conceptually. The Defender guidance highlights that attackers often use:
- Inbox rules (including hidden ones) to move or generate messages.
- External forwarding to exfiltrate mail.
- If this account is part of a Microsoft 365 tenant and an admin is available, an admin should:
- Use Exchange Online PowerShell with
Get-InboxRule -Mailbox <youraddress>(similar to the example shown) to enumerate all rules, including hidden ones, and remove anything suspicious. - Check for external forwarding configured at the mailbox or tenant level and disable it if not required.
- Use Exchange Online PowerShell with
- End all active sessions and revoke access
- From the Microsoft account security page, use the options to sign out of all sessions again after the latest password change.
- Review and revoke any app permissions or connected apps that are not recognized.
- Monitor and, if needed, repeat recovery
- Continue to monitor Recent activity and mailbox behavior. If new suspicious drafts or messages continue to appear:
- Repeat malware scans on all devices.
- Change the password again from a known-clean device and keep two-step verification enabled.
- Re-verify that no new rules or forwarding settings have been created.
- Notify contacts and watch for further abuse
- If any suspicious or extortion-like messages have been sent from this account, inform important contacts from a different, trusted email address that the account was compromised and that they should ignore unusual messages.
If the account remains inaccessible or the automated behavior persists even after these steps, follow the full recovery flow in the hacked/compromised account article and use the account recovery and security pages to continue remediation.
References: