Outlook: Emails in inbox keep changing to malicious message

Question

Subject line of all top 15 emails change to "{Password} YOUR FILES WILL BE LEAKED UNLESS YOU ACT NOW"

I've reset my password, added 2FA, used to log out of everything option, and removed all rules and connected apps I could find. I checked Microsoft To-Do for any potential rules in there that could be messing with emails, but couldn't find anything.

The issue continues to happen even while logged into my account on a separate device in an incognito window.

The issue occurs to all new incoming emails as well.

Answer 1

Hi, I'm John! I will help you with this.

About the persistent draft being credited:

If you haven't tried anything yet, please start by running a full antivirus scan on your computer using Windows Security and any third-party antivirus software you have.

Run a full deep scan using a trusted security tool:

• Download and run Microsoft Safety Scanner here: https://learn.microsoft.com/defender-endpoint/safety-scanner-download
• After running the scan, please restart your PC and monitor whether the issue continues.

---

To be safe, I recommend the following steps:

Check your account rules and forwarding settings, hackers create rules that automatically forward or delete emails. You can do this in Outlook settings under Mail > Rules and Forwarding. https://support.microsoft.com/office/manage-email-messages-by-using-rules-in-outlook-c24f5dea-9465-4df4-ad17-a50704d66c59

Just to be safe, I’d recommend to sign out everywhere. Visit: https://account.live.com/proofs/manage/additional Scroll down to Sign me out and select "Sign me out".

After signing out everywhere, please monitor if the issue persists in the coming hours.

---

"How to help keep your Microsoft account secure" https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-secure-628538c2-7006-33bb-5ef4-c917657362b9

---

I really hope this information is helpful! Let me know if you have any further questions or concerns.

Regards,

John J.D.

Answer 2

This behavior strongly indicates that the Outlook.com account is still compromised and that a malicious rule or integration is manipulating mailbox content, even after password reset and MFA.

Follow these steps in order, from safest to more advanced cleanup:

1. Secure all devices first

• On every PC/phone/tablet used to access this mailbox, run a full, up-to-date antivirus/malware scan. Do this before changing any more passwords or signing in again.
• Make sure the operating systems and browsers are fully updated.

2. Confirm the account is really yours and review recent activity

• Go to the recent activity page at https://account.live.com/activity (via a trusted browser) and review sign-ins and security challenges.
  • Mark any unfamiliar sign-ins as “This wasn’t me” and follow the prompts.
• Add or confirm alternate email and mobile phone in the account’s security info so recovery is possible if access is lost later.

3. Change password again after device cleanup

• After malware scans complete, change the Microsoft account password again to a strong, unique password that is not reused anywhere else.
• Do not share the new password by email or chat.

4. Sign out everywhere and re‑establish trusted sessions

• Use the “sign out everywhere” / “sign out of all sessions” function again after the new password is set, so any attacker sessions are invalidated.
• Then sign in only from a known‑clean device and browser.

5. Deep-clean Outlook.com mailbox configuration From Outlook on the web (Outlook.com) on a clean browser session:

a) Inbox rules and sweep rules

• Go to Settings → Mail → Rules.
• Delete every rule that is not explicitly needed, especially anything that:
  • Modifies subject lines
  • Moves mail to unexpected folders (Notes, RSS, Junk, Archive)
  • Forwards or redirects mail

b) Forwarding and automatic replies

• Go to Settings → Mail → Forwarding.
  • Remove any forwarding address that is not explicitly yours.
• Go to Settings → Mail → Automatic replies.
  • Turn off automatic replies and delete any suspicious text.

c) Connected accounts and send-as

• In Outlook.com account settings, remove any connected accounts you do not recognize.
• Check if any aliases or send-as addresses were added and remove unknown ones.

6. Remove malicious inbox manipulation rules at the service level (if applicable) If this is a Microsoft 365 work/school mailbox (rather than a purely personal Outlook.com account) and an admin is available:

• Have the admin follow the “suspicious inbox manipulation rules” guidance:
  • Disable any malicious inbox rules on the mailbox.
  • Reset the user account’s credentials again from the admin side.
  • Search for other malicious activities by this account and from the same IP/ISP in the tenant.

7. Treat this as a compromised account scenario The symptoms match common signs of a compromised Microsoft 365/Outlook.com mailbox (mailbox content being altered, potential hidden rules, possible forwarding or app access). The recommended pattern is:

• Block or disable the account temporarily if possible while investigating.
• Reset credentials with a strong password.
• Remove malicious rules, forwarding, and app permissions.
• Check for other suspicious activity in the environment.

8. If the issue persists after all of the above

• Re-check recent activity for new suspicious sign-ins after the last password change.
• Re-run malware scans on all devices.
• Contact Microsoft Support via the official support channels, clearly stating that:
  • The account is compromised.
  • Email subjects are being rewritten to extortion/ransom messages.
  • Password has been reset and MFA enabled, but manipulation continues.

Until fully resolved, avoid using this mailbox for sensitive communication and warn close contacts that messages appearing to come from this address may be malicious.

---

References:

• Respond to a compromised cloud email account
• Alert classification for suspicious inbox manipulation rules
• Help protect your Outlook.com email account
• How to recover a hacked or compromised Microsoft account
• What to do if your email address is leaked