The recurring sextortion draft and massive folder creation are strong indicators that the account is still affected by a compromise mechanism on the service side (hidden rules, malicious forms, or similar artifacts), even after visible rules and app permissions were removed.
Because all client‑side steps were already taken (password change, 2FA, sign‑out everywhere, app permission revocation, rule cleanup, Deleted/Recoverable Items cleanup), the next actions need to focus on:
- Treating this as an active compromise and following Microsoft’s official remediation flow.
- Specifically checking for hidden or non‑obvious mailbox rules and Outlook form–based attacks.
- Ensuring all sessions and MFA methods are clean.
Actionable steps based on Microsoft guidance:
- Verify and continue securing the account as compromised
- Follow the official “recover a hacked or compromised Microsoft account” steps:
- Run a full malware/antivirus scan on every device that has accessed this account recently, and only then change the password again to a new, unique, strong password.
- Confirm 2FA is enabled and functioning and that sign‑in attempts from unknown locations are blocked.
- This ensures no local RAT/Trojan is re‑injecting content into the mailbox after it syncs.
- Check recent activity and sign‑ins
- Use the Recent activity page (
https://account.live.com/Activity) to review sign‑ins, locations, IPs, and app/device details.
- If any unfamiliar activity appears after the last password/2FA change, treat it as ongoing compromise and repeat the secure‑device + password‑reset cycle.
- Re‑check server‑side account settings (consumer Outlook.com)
- After regaining stable access, verify:
- Connected accounts
- Forwarding
- Automatic replies
- These are explicitly called out as settings attackers may alter and that are reset or must be reviewed after compromise.
- Investigate for hidden Outlook rules and custom forms (persistence)
- The behavior (drafts reappearing, large‑scale folder creation) matches known Outlook Rules and Custom Forms injection attacks, where:
- Malicious rules or custom forms trigger when specific messages arrive.
- These can be largely invisible to normal users and can re‑create content even after manual cleanup.
- Indicators include:
- Rules whose action is to start an application or reference an EXE/ZIP/URL.
- Custom forms stored in Personal Forms Library or Inbox with message class like
IPM.Note.[custom name] containing executable code.
- Microsoft’s guidance for such attacks is to detect and remediate these rules/forms specifically, not just normal inbox rules.
- If using Microsoft 365/Exchange Online (work/school scenario)
- Admins can:
- Use
Get-InboxRule -Identity "<user>" -IncludeHidden | Format-List in Exchange Online PowerShell to surface hidden rules that do not appear in the normal UI.
- Review and remove any forwarding or suspicious rules and verify no SMTP forwarding is configured with
Get-Mailbox -Identity <Identity> | Format-List Forwarding*Address,DeliverTo*.
- For a pure Outlook.com/Hotmail consumer account, these exact PowerShell commands are not available, but the pattern shows that hidden rules are a known persistence vector that must be explicitly checked by the service.
- Revoke all sign‑in sessions again at the identity level
- Use the “sign out everywhere”/session revocation feature for the Microsoft account so any lingering sessions that might be re‑creating drafts are invalidated.
- In Microsoft Entra–backed scenarios, the equivalent is
Revoke-MgUserSignInSession -UserId <user> to force re‑authentication across all clients.
- Review MFA devices and app consents again
- Confirm only expected MFA methods and devices are registered; remove any unknown methods.
- Re‑check application permissions/consents and revoke anything not recognized.
- If the behavior continues
- At that point, the situation matches Microsoft’s documented pattern of a mailbox that remains compromised or corrupted despite user‑visible cleanup.
- The next step is to escalate through official Microsoft support channels (consumer Outlook.com support) and explicitly reference:
- Ongoing compromise symptoms (recurring sextortion draft, auto‑created folders).
- That all documented self‑service remediation steps have been completed.
- The possibility of an Outlook Rules/Custom Forms injection or other hidden server‑side artifact that requires backend cleanup/repair.
This combination—device cleanup, account hardening, recent‑activity review, and explicit investigation for hidden rules/custom forms—is the Microsoft‑documented path to stop persistent, automatically re‑created malicious drafts and restore a compromised mailbox to a clean state.
References:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 37%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWH%3C/text%3E%3C/svg%3E)
