Outlook Hacked

Question

My email got hacked yesterday, changing the language and creating a Rule 'idtienphuoc1' that I have not been able to delete. They have been sending mass spam messages that I am unable to stop. I have changed my password numerous times and have tried logging in to get support to help with this but I keep getting locked out of my account. Hacker is over riding any email that I get with their spam message. Please help me get my email back.

Answer 1

Hello,

Make sure you do this on a computer, not on smartphone or tablet.

Go to https://www.outlook.com and log in, click on the gear icon on the top right to launch the settings.

Use this screenshot to guide you to change the language back.

Then, on the Mail tab, go to Rules. Are there any rules set up here? If yes, delete them all.

Then check the conditional format, again, if it's there, delete it.

Then, check Forwarding and IMAP, If any items are present, delete them as well.

===========

If you can't find anything, go to https://account.live.com > Your info > Sign in Preferences. Make sure to check all the aliases here. If you don't recognize any there, delete it.

Then go to Security > Manage How I sign in, make sure all contact info is yours. Then scroll down on the same page, look under App Password, click on remove existing app passwords as well.

Please make sure you change your password and enable two-step verficiation.

Go to your account online, go to Devices, remove any devices you don't recognize.

Then go to Security, click on Sign out everywhere. This is meant to kill any session that's still connected. Unfortunately, this one will take 24 hours to take effect.

====================

In addition, this can be due to a malicious script running on your device. Are you using Windows device to check emails? Do you use any email app, such as Outlook Classic or New Outlook? Please go to the app, remove the account from settings.

Then go here: https://learn.microsoft.com/defender-endpoint/safety-scanner-download

Download and run the 64 bit scanner, run a full scan. Tell me what the final results are.

Answer 2

Follow these steps in order to regain control and stop the rule and spam activity.

1. Secure all devices first

• Run a full, up-to-date antivirus/malware scan on every device used to access this mailbox (PC, phone, tablet).
• Do not skip this step; if a device is compromised, the attacker can keep regaining access even after password changes.

2. Recover and secure the Microsoft account

• Use the official hacked/compromised account flow: start from the sign-in helper at How to recover a hacked or compromised Microsoft account and follow the guided steps.
• If sign-in is blocked or the account is locked, follow the recovery process and wait out any temporary lockouts before trying again.
• After regaining access, immediately change the password again to a strong, unique one (not reused anywhere else).
• Turn on multi-factor authentication (MFA) for the account and complete setup on a trusted device.

3. Sign out everywhere and revoke access Once signed back in successfully:

• Use the Microsoft account security options to sign out of all sessions (“Sign out everywhere”) so the attacker’s sessions are terminated.
• Review and remove any unknown connected apps or permissions that could be maintaining access.

4. Remove malicious rules and forwarding In Outlook on the web (once access is restored):

• Go to Settings → Mail → Rules and delete the malicious rule idtienphuoc1 and any other suspicious rules (especially ones that forward, delete, or move messages to Junk/Notes/RSS).
• Go to Mail → Forwarding and remove any forwarding address that you did not configure.
• Check Automatic replies and disable or correct anything the attacker may have set.

5. Check for other compromise indicators Use the guidance for compromised mailboxes:

• Look for:
  • Suspicious Inbox rules (auto-forwarding, moving to Junk/Notes/RSS).
  • Unknown external forwarding configured.
  • Unusual messages in Sent Items or Deleted Items.
  • Missing or deleted mail.
• If any of these are present, follow the remediation steps in Respond to a compromised cloud email account to ensure all backdoors (rules, forwarding, signatures) are removed.

6. Check recent activity and security info

• Review the account’s recent sign-in activity at the recent activity page referenced in Help protect your Outlook.com email account. If there are sign-ins from locations/devices that are not recognized, mark them as “This wasn’t me” where available.
• Ensure alternate email and phone number are correct and belong only to the legitimate owner. Remove any that are unfamiliar.

7. If the rule keeps reappearing

• This usually means the attacker still has active access or a persistent app/connection:
  • Confirm MFA is enabled and working.
  • Confirm all sessions are signed out and all unknown apps are revoked.
  • If using Microsoft 365 with admin access, an admin should:
    • Check Exchange Admin Center → Mail flow → Rules and remove any malicious rules.
    • Use PowerShell (for admins) to run Get-InboxRule on the mailbox and remove hidden rules as described in the Outlook rules/forms attack guidance referenced in the Q&A.
• In a similar case, once MFA was properly in place, the malicious idtienphuoc1 rule stopped recreating itself.

8. Contact support if self-service fails

• If recovery keeps failing or lockouts persist, use the Outlook.com help channel described in Phishing and suspicious behavior in Outlook:
  • Sign in to Outlook.com, select Help on the menu bar, describe the issue, then scroll to Still need help? and choose to chat with a support agent.
  • If sign-in is not possible, use the alternate link in that article for help when unable to sign in.

9. Inform contacts and monitor

• From a clean, trusted account, notify important contacts that the mailbox was compromised and that they should ignore suspicious messages, especially those with links or attachments.
• Continue to monitor recent activity and mailbox rules for a while to ensure no new suspicious behavior appears.

---

References:

• Help protect your Outlook.com email account
• Phishing and suspicious behavior in Outlook
• How to recover a hacked or compromised Microsoft account
• Respond to a compromised cloud email account
• My personal hotmail account hacked by hacker with authentication app enabled. - Microsoft Q&A
• I have seen great advice for deleting the idtienphuoc1 Rule but none for stopping it from re-adding itself - Microsoft Q&A
• Hacker set up continuous draft ransomware email - Microsoft Q&A
• Need to speak to a agent I am getting pop up draft scam emails - Microsoft Q&A