
Mail malware in outlook

doriana iacono 0 Reputation points
2026-03-01T19:49:44.43+00:00

After an unauthorized access to my email account, my old emails have now been replaced with a malware threat message demanding money in order not to block the account.

Outlook | Outlook for mobile | Outlook for iOS | For home

2 answers

  1. EmilyS726 214.8K Reputation points Independent Advisor
    2026-03-01T20:21:00.3633333+00:00

    Hello,

    Make sure you do this on a computer, not on a smartphone or tablet. Go to https://www.outlook.com and log in, click on the gear icon on the top right to launch the settings.

    Then, on the Mail tab, go to Rules. Are there any rules set up here? If yes, delete them all.

    Then check the conditional format, again, if it's there, delete it.

    Then, check Forwarding and IMAP. If any items are present, delete them as well.

    ===========

    If you can't find anything, go to https://account.live.com > Your info > Sign in Preferences. Make sure to check all the aliases here. If you don't recognize any there, delete it.

    Then go to Security > Manage How I sign in, make sure all contact info is yours. Then scroll down on the same page, look under App Password, click on remove existing app passwords as well.

    Please make sure you change your password and enable two-step verification.

    Go to your account online, go to Devices, remove any devices you don't recognize.

    Then go to Security, click on Sign out everywhere. This is meant to kill any session that's still connected. Unfortunately, this one will take 24 hours to take effect.

    ====================

    In addition, this can be due to a malicious script running on your device. Are you using a Windows device to check emails? Do you use any email app, such as Outlook Classic or New Outlook? Please go to the app, remove the account from settings.

    Then go here: https://learn.microsoft.com/defender-endpoint/safety-scanner-download

    Download and run the 64 bit scanner, run a full scan. Tell me what the final results are.


  2. Q&A Assist
    2026-03-01T19:49:58.66+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    This situation indicates both a likely account compromise and malicious email content. Take these actions immediately:

    1. Do not pay or respond to the blackmail message
    • Treat the demand for money as phishing/extortion. Do not click any links, open attachments, or reply.
    2. Regain control of the Microsoft account
    • If sign-in is blocked or behaving strangely, use the official recovery and unblock flows described for Outlook.com accounts:
      • If the account is blocked due to unusual activity, use the Sign-in Helper from the Unblock article to restore access.
      • If the account appears hacked (messages changed, threats present), follow the guidance in My Outlook.com account has been hacked referenced from the protection and unblock articles.
    3. Check for signs of compromise and malicious rules
    Once access is restored:
    • Review mailbox content and folders (Inbox, Sent, Deleted, Drafts) for suspicious messages or drafts like the malware/blackmail text.
    • In Outlook on the web, go to Settings → Mail → Rules and delete any rules you do not recognize (for example, rules that auto-move, auto-delete, or auto-forward messages). Attackers often use rules to hide or inject messages.
    • Check Mail → Junk email and Mail → Forwarding for unknown forwarding addresses or blocked/allowed lists that you did not configure.
    • If using Microsoft 365/Exchange Online with admin access, follow the guidance in the “detect-and-remediate-outlook-rules-forms-attack” article referenced in the similar Q&A to find and remove malicious rules or forms.
    4. Secure the account and devices
    • Change the account password to a strong, unique one (not reused elsewhere).
    • Enable multi-factor authentication (MFA) / two-step verification and ensure only trusted devices and authenticators are registered.
    • Review recent activity at the Microsoft account recent activity page to see where and when the account was accessed and confirm any unfamiliar sign-ins.
    • Run a full, up-to-date antivirus scan on every device used to access the mailbox (PC, phone, tablet). Remove any detected malware.
    5. Use Outlook’s built-in protection
    • Outlook.com and Outlook clients use junk and malware filtering. Messages detected as malware or phishing may be moved to Junk Email or blocked; do not restore or interact with suspicious items.
    • Watch for yellow or red safety bars on messages. A red bar indicates Outlook.com has blocked something potentially unsafe; such messages should be deleted.
    • If the threatening message is still present, move it to Junk Email or delete it after capturing any evidence needed for law enforcement.
    6. Inform contacts and monitor for further abuse
    • After securing the account, notify important contacts (from a different, trusted channel if possible) that the mailbox was compromised and that they should ignore suspicious messages previously sent from the address.
    • Continue to monitor the mailbox for new suspicious drafts, rules, or forwarding settings. If they reappear, repeat the cleanup steps and re-scan devices.

    If the account cannot be recovered using the automated tools, follow the official account recovery guidance and contact Microsoft Support via the paths described in the referenced Q&A and support articles.


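The rule review both answers describe (look for rules that auto-forward, auto-delete, or auto-move mail), applied to an exported rule list. This is an added example, not part of either answer or of any Microsoft tool; it assumes a JSON export that uses the field names of Exchange Online's `Get-InboxRule` output with plain SMTP addresses, and the sample rules and domains are constructed.

```python
import json
import re

# Constructed sample export (not real data). Field names follow Exchange Online's
# Get-InboxRule output; plain-address values are an assumption of this example.
SAMPLE_RULES = json.loads("""[
  {"Name": "Newsletters", "MoveToFolder": "Newsletters", "DeleteMessage": false,
   "ForwardTo": null, "RedirectTo": null, "ForwardAsAttachmentTo": null},
  {"Name": ".", "MoveToFolder": null, "DeleteMessage": true,
   "ForwardTo": null, "RedirectTo": null, "ForwardAsAttachmentTo": null},
  {"Name": "sync", "MoveToFolder": "RSS Feeds", "DeleteMessage": false,
   "ForwardTo": ["collector@mail.example.net"], "RedirectTo": null,
   "ForwardAsAttachmentTo": null}
]""")

ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def triage_rule(rule, own_domains):
    """Return the reasons a rule needs manual review (empty list = none)."""
    reasons = []
    for field in FORWARD_FIELDS:
        targets = rule.get(field) or []
        if isinstance(targets, str):  # tolerate a single value instead of a list
            targets = [targets]
        for target in targets:
            match = ADDRESS.search(target)
            domain = match.group(1).lower() if match else None
            # Exact domain match only; anything else is treated as external.
            scope = "internal" if domain in own_domains else "external"
            reasons.append(f"auto-forward ({field}) to {scope} address {target}")
    if rule.get("DeleteMessage"):
        reasons.append("auto-delete")
    if rule.get("MoveToFolder"):
        reasons.append(f"auto-move to {rule['MoveToFolder']}")
    return reasons

def triage_export(rules, own_domains):
    """Map rule name -> reasons for every rule with at least one reason."""
    own = {d.lower() for d in own_domains}
    report = {}
    for rule in rules:
        reasons = triage_rule(rule, own)
        if reasons:
            report[rule.get("Name", "<unnamed>")] = reasons
    return report

if __name__ == "__main__":
    for name, reasons in triage_export(SAMPLE_RULES, ["example.com"]).items():
        print(f"{name!r}: " + "; ".join(reasons))
```

Every flagged rule still needs a human decision: a legitimate filing rule and a rule planted to hide mail look the same in the export, so the owner confirms which ones they created.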
