Account was hacked, now all incoming and outgoing emails have the same message.

Question

Email was hacked, changed my password, enabled 2FA, removed rules and still all incoming and outgoing emails have the same message...

“YOUR FILES WILL BE LEAKED UNLESS YOU ACT NOW, Hello, your e-mail has been hacked, your password has been compromised and it does not stop there: our malware downloaded all of your images/videos, WhatsApp message store along with the key that decrypts it and documents (an example of downloaded data is in the attachment). An 8 hours countdown will start at the time you read this mail and at the end of the countdown; our bots will start sending all of your data to your contacts and they will be available online for everyone's access. You can prevent this from happening by sending 350 usd worth of bitcoin to the address assigned to you below. CAUTION!!! Check the attachment of this mail for proof, this is only a small part of the data we have captured...”

How do I fix this?

Answer 1

Hello,

I am going to share with you the comprehensive list of things to do, please feel free to skip those you already did. This process can take a bit time, so please be patient as you go through it.

Please complete these steps on a computer, not on a smartphone or tablet.

====================

First, go to https://www.outlook.com and sign in.

Click the gear icon in the top right corner to open Settings.

Under Mail, review the following areas:

Rules

If any rules are listed, delete all of them.

Conditional formatting

If anything is set up there, delete it.

Forwarding and IMAP

If you see any entries or settings you did not create, remove them. Turn off POP and IMAP.

Junk

Review Safe sender and blocked list. If you don't recognize any, remove them.

After that, exit Settings and return to outlook.com.

Open the To Do section by clicking the blue checkmark icon on the left side. Delete anything there that was not created by you.

====================

Go to https://account.live.com.

Under Your info > Sign-in preferences, review all aliases on the account. If you see any alias you do not recognize, remove it.

Next, go to the Devices section of your Microsoft account and remove any devices you do not recognize.

====================

Please also do the following in Security section

Change your password

Enable two-step verification

====================

Then go to Security > Manage how I sign in and make sure all contact information belongs to you.

On that same page, scroll down to App passwords and remove any existing app passwords.

Also on the same page, click on Sign out everywhere. This is intended to disconnect any active sessions that may still be connected. Please note that this can take up to 24 hours to fully take effect.

====================

In addition, this problem can sometimes be caused by a malicious script or infection on one of your devices.

Are you using a Windows computer to check email? Do you use an email app such as Outlook Classic or New Outlook?

If so, please open the app and remove the account from the app settings.

Then go to the Microsoft Safety Scanner download page:

https://learn.microsoft.com/defender-endpoint/safety-scanner-download

Download the 64-bit version, run a full scan, and let me know what the final results say.

Answer 2

I am having the same issue today. And the language was changed as well. I was able to change it back to English. However no matter how many times I delete/report the emails they keep coming back.

Answer 3

Hi,

Thank you for sharing your question. I understand how alarming and overwhelming it feels to secure your account, change your password, enable two‑factor authentication, remove suspicious rules, and still see every incoming and outgoing email replaced with the same threatening message. It is completely natural to worry when your mailbox behaves this way, especially after a security scare.

This issue usually happens because the attacker left behind hidden mail flow rules, signature injections, or server‑side modifications that automatically overwrite or append content to all messages, even after password changes. In some cases, the mailbox may also be compromised through a connected app token or an OAuth permission that continues to run in the background, which is why the malicious message keeps appearing. The most effective resolution is to sign in to your Microsoft account security page, review and remove any suspicious connected apps, revoke all active sessions, recheck all inbox and forwarding rules, and then run a full reset of your Outlook profile so the mailbox refreshes with clean server settings. After this, sending a test email to yourself helps confirm whether the behavior stops.

To better understand where the issue is coming from, do you see the threatening text physically inside each message you open, or does it appear automatically the moment you try to compose or receive an email? This detail helps determine whether the problem is a message‑rewrite rule, an add‑in issue, or a compromised token still injecting content.

Please feel free to follow up with what you observe, and I will guide you step by step to fully remove the malicious behavior and restore your mailbox to normal.

 

I hope this helps.

 

Best Regards,

Noel

 

Answer 4

This behavior indicates the account is still compromised or has malicious inbox rules/add-ins manipulating mail. Perform a full cleanup and security reset:

1. Remove malicious Outlook rules and forwarding

• Sign in to Outlook on the web.
• Go to Settings (gear) → Mail → Rules.
• Delete every suspicious rule, especially any that:
  • Modify the subject or body
  • Forward/redirect mail
  • Move all mail to unusual folders (Notes, RSS, Junk, Archive, etc.).
• Go to Settings → Mail → Forwarding and remove any unknown forwarding addresses.

2. Check for inbox manipulation and missing mail

• Verify no rules are silently diverting or altering messages as described in the guidance on suspicious inbox rules and missing mail.
• Also check folders like Junk, RSS Subscriptions, Notes, and Archive for misdirected mail.

3. Secure the Microsoft account itself

• Follow the compromised-account recovery guidance for Microsoft accounts:
  • Use the official recovery/sign-in helper to verify identity and ensure only trusted security info (phone, alternate email) is configured.
  • Review Recent activity for unfamiliar sign-ins or devices and secure the account as instructed.
• If the account is part of Microsoft 365 (work/school), the admin should:
  • Reset the password (and, if synced from on-premises AD, reset it there as well, twice as recommended).
  • Revoke all active sign-in sessions using Microsoft Graph or admin tools.
  • Ensure multifactor authentication (MFA) is enforced on the account.

4. Revoke attacker persistence (sessions, apps, devices)

• Use the Microsoft account security page to:
  • Sign out everywhere to invalidate all active sessions.
  • Review and remove any unknown app permissions or connected apps that could be injecting or modifying mail.
• For Microsoft 365 tenants, admins should also:
  • Disable malicious inbox rules as recommended.
  • Search for other suspicious activity from the same IP/ISP to ensure no other accounts are compromised.

5. Clean devices used with the account

• Run a full, up-to-date antivirus/antimalware scan on every device that accessed this mailbox (PCs, phones, tablets).
• Remove any suspicious software or browser extensions that could be altering webmail content.

6. Reset credentials again and keep MFA enabled

• After cleaning rules, revoking sessions, and scanning devices, change the account password again to a strong, unique password not used elsewhere.
• Keep MFA enabled and verify that only trusted authenticator apps/devices are registered.

7. Treat the ransom message as phishing/extortion

• Do not pay the ransom or respond.
• Treat these as phishing/extortion emails as described in the phishing guidance for Outlook. Delete them or leave them for evidence if reporting to local authorities.

If, after all these steps, every new message still shows the same ransom text, the account owner or Microsoft 365 admin should escalate through official Microsoft support channels, referencing that this matches a “malicious inbox rules / inbox manipulation” scenario.

---

References:

• Help protect your Outlook.com email account
• Phishing and suspicious behavior in Outlook
• Respond to a compromised cloud email account
• Alert classification for suspicious inbox manipulation rules
• Email is missing from your Outlook.com inbox
• How to recover a hacked or compromised Microsoft account
• My personal hotmail account hacked by hacker with authentication app enabled. - Microsoft Q&A
• Hacker set up continuous draft ransomware email - Microsoft Q&A
• Stopped receiving emails on my account. - Microsoft Q&A