Problem after being hacked

Mostafa 0 Reputation points
2026-03-05T12:55:18.92+00:00

Hey

Yesterday, my email account was compromised by an unknown attacker. Today, I was able to secure the account by changing my password and successfully regaining full access to my mailbox.

However, it appears that there may still be malicious files or configurations left behind by the hacker. Although I have already deleted all suspicious rules and removed unknown applications connected to my account, the issue persists.

The problem I am currently facing is that the content of incoming emails is automatically changing to a message written by the hacker. This happens even after I removed the rules and checked the connected apps.

Because of this, I am concerned that there may be hidden rules, scripts, or other malicious configurations that I cannot detect or remove from my side.

Is there any solution?

Outlook | Web | Outlook.com | Email
2 answers

  1. EmilyS726 222.4K Reputation points Independent Advisor
    2026-03-05T14:27:14.59+00:00

    Hello,

    I am going to share with you the comprehensive list of things to do, please feel free to skip those you already did. This process can take a bit of time, so please be patient as you go through it.

    Please complete these steps on a computer, not on a smartphone or tablet.

    ====================

    First, go to https://www.outlook.com and sign in.

    Click the gear icon in the top right corner to open Settings.

    Under Mail, review the following areas:

    Rules

    If any rules are listed, delete all of them.

    Conditional formatting

    If anything is set up there, delete it.

    Forwarding and IMAP

    If you see any entries or settings you did not create, remove them. Turn off POP and IMAP.

    Junk

    Review the safe senders and blocked senders lists. If you don't recognize any entries, remove them.

    After that, exit Settings and return to outlook.com.

    Open the To Do section by clicking the blue checkmark icon on the left side. Delete anything there that was not created by you.

    ====================

    Go to https://account.live.com.

    Under Your info > Sign-in preferences, review all aliases on the account. If you see any alias you do not recognize, remove it.

    Next, go to the Devices section of your Microsoft account and remove any devices you do not recognize.

    ====================

    Please also do the following in the Security section:

    Change your password

    Enable two-step verification

    ====================

    Then go to Security > Manage how I sign in and make sure all contact information belongs to you.

    On that same page, scroll down to App passwords and remove any existing app passwords.

    Also on the same page, click on Sign out everywhere. This is intended to disconnect any active sessions that may still be connected. Please note that this can take up to 24 hours to fully take effect.

    ====================

    In addition, this problem can sometimes be caused by a malicious script or infection on one of your devices.

    Are you using a Windows computer to check email? Do you use an email app such as Outlook Classic or New Outlook?

    If so, please open the app and remove the account from the app settings.

    Then go to the Microsoft Safety Scanner download page:

    https://learn.microsoft.com/defender-endpoint/safety-scanner-download

    Download the 64-bit version, run a full scan, and let me know what the final results say.

  2. Q&A Assist
    2026-03-05T12:55:40.1566667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The mailbox is still showing symptoms of compromise and needs a full post‑breach cleanup, not just a password change and basic rule/app removal.

    Use the following steps end‑to‑end:

    1. Block or reset the account and revoke sessions
    • Temporarily disable the account or, if that is not possible, reset the password again with a strong, unique value that has not been used before.
    • Do not send the new password by email.
    • If the account is synced from on‑premises Active Directory, reset the password there and reset it twice.
    • Revoke all active sign‑in sessions so any attacker sessions are killed:
        # Modules that provide Connect-MgGraph and Revoke-MgUserSignInSession
        Install-Module Microsoft.Graph.Authentication
        Install-Module Microsoft.Graph.Users.Actions
        # Sign in with an account that is permitted to revoke other users' sessions
        Connect-MgGraph -Scopes User.RevokeSessions.All
        # Invalidates the user's refresh tokens and browser session cookies; <UPN> is the user's sign-in name
        Revoke-MgUserSignInSession -UserId <UPN>

    2. Enforce strong MFA and clean MFA methods
    • Ensure multifactor authentication (MFA) is enabled and enforced on the account.
    • Review the MFA registered devices and methods and remove anything unrecognized.

    3. Review and remove persistence mechanisms
    Attackers often leave multiple persistence points beyond obvious inbox rules.

    Do all of the following:

    • Inbox rules and forwarding
      • Re‑check all inbox rules in Outlook on the web and the client for anything suspicious (including rules that move messages to Notes, Junk, RSS, or other folders).
      • Check mailbox forwarding (SMTP forwarding) and remove any forwarding addresses:
            # Requires the ExchangeOnlineManagement module and an Exchange admin sign-in
            Connect-ExchangeOnline
            # Lists ForwardingAddress, ForwardingSmtpAddress and DeliverToMailboxAndForward for the mailbox
            Get-Mailbox -Identity <Identity> | Format-List Forwarding*Address,DeliverTo*

    • External forwarding at tenant level
      • If an admin is available, review outbound spam policies and external forwarding configuration to ensure no automatic forwarding to attacker addresses remains.

    4. Remove malicious apps and permissions
    • Review the list of applications with user consent and revoke any that should not have access.
    • If an admin is available, review enterprise applications and their permissions and remove or restrict anything suspicious.

    5. Check roles and elevated access
    • Verify the user does not have unnecessary administrative roles in Microsoft Entra ID, Azure, Microsoft 365, Microsoft Purview, or Defender for Office 365. Remove any roles that should not be assigned.

    6. Treat this as an ongoing compromise until symptoms stop
    Because incoming mail content is still being altered, assume the account or a connected app is still under attacker control until:
    • All sessions are revoked.
    • All MFA methods are verified and cleaned.
    • All inbox rules and forwarding settings are verified via both UI and PowerShell.
    • All suspicious apps and delegated permissions are revoked.

    If the issue persists after completing these steps, escalate through the appropriate Microsoft support channel so the tenant can be checked for hidden or tenant‑level rules, connectors, or additional compromised accounts.


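The answer above lists the persistence points to check one cmdlet at a time. The script below is an added example, not code from the original post or from Microsoft, that runs the whole sweep for one mailbox in report-only mode and acts only when `-Remediate` is passed. It assumes a Microsoft 365 work/school mailbox (a consumer Outlook.com account like the one in the question has no admin PowerShell surface, so only the UI steps apply there), the ExchangeOnlineManagement and Microsoft.Graph modules, an admin with Exchange rights plus the Graph scopes it requests, and the file name `Mailbox-Sweep.ps1` and `$Upn` value are placeholders. The rule heuristics (forward/redirect, delete, mark-as-read, move to RSS/Notes/Junk, blank names) are the author's own choices, and the mail flow rule check goes one step beyond the answer: a tenant-level disclaimer rule rewrites message bodies and cannot be seen or removed from the mailbox, which is worth ruling out when "content is changing".

```powershell
<#
  Added example: post-compromise sweep of one Exchange Online mailbox.
  Not from the original post. Assumes a Microsoft 365 mailbox (not consumer
  Outlook.com), ExchangeOnlineManagement + Microsoft.Graph modules, and an
  admin sign-in. Usage: .\Mailbox-Sweep.ps1 -Upn user@contoso.example [-Remediate]
#>
param(
    [Parameter(Mandatory)] [string] $Upn,   # placeholder: the user's sign-in name
    [switch] $Remediate                      # default is report-only
)

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users.Actions
Import-Module Microsoft.Graph.Identity.SignIns

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -NoWelcome -Scopes 'User.RevokeSessions.All', 'Application.Read.All',
    'DelegatedPermissionGrant.ReadWrite.All', 'UserAuthenticationMethod.Read.All'

# 1. Invalidate refresh tokens and browser sessions, attacker sessions included.
if ($Remediate) { Revoke-MgUserSignInSession -UserId $Upn | Out-Null }

# 2. Mailbox-level SMTP forwarding survives inbox-rule deletion; check it separately.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    Write-Warning ("Forwarding set on {0}: {1} {2} (DeliverToMailboxAndForward={3})" -f
        $Upn, $mbx.ForwardingAddress, $mbx.ForwardingSmtpAddress, $mbx.DeliverToMailboxAndForward)
    if ($Remediate) {
        Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null `
                    -DeliverToMailboxAndForward $false
    }
}

# 3. Inbox rules, including hidden ones that the Outlook UI does not list.
$findings = foreach ($r in Get-InboxRule -Mailbox $Upn -IncludeHidden) {
    $why = @()
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo) { $why += 'forwards or redirects mail' }
    if ($r.DeleteMessage)                                           { $why += 'deletes mail' }
    if ($r.MarkAsRead)                                              { $why += 'marks mail read' }
    if ($r.MoveToFolder -match 'RSS|Notes|Junk|Archive|Conversation') { $why += "moves to $($r.MoveToFolder)" }
    if ($r.Name -match '^[\s\W]*$')                                 { $why += 'blank or punctuation-only name' }
    if ($why.Count) {
        [pscustomobject]@{ Rule = $r.Name; Identity = $r.Identity; Enabled = $r.Enabled; Why = $why -join '; ' }
    }
}
$findings | Format-Table -AutoSize
# Disable rather than delete so the rule definition stays available as evidence.
if ($Remediate) { $findings | ForEach-Object { Disable-InboxRule -Identity $_.Identity -Confirm:$false } }

# 4. Tenant-level mail flow rules can rewrite bodies (disclaimers) or copy mail out;
#    the user cannot see or remove these from the mailbox.
Get-TransportRule | Where-Object {
    $_.ApplyHtmlDisclaimerText -or $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.AddToRecipients
} | Select-Object Name, State, WhenChanged, ApplyHtmlDisclaimerLocation, RedirectMessageTo, BlindCopyTo |
    Format-Table -AutoSize

# 5. Delegated OAuth consents: a "connected app" keeps its access token flow working
#    after a password reset until the grant itself is removed.
foreach ($g in Get-MgUserOauth2PermissionGrant -UserId $Upn -All) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    [pscustomobject]@{ App = $sp.DisplayName; Publisher = $sp.PublisherName; Scopes = $g.Scope; GrantId = $g.Id } |
        Format-List
    # Mail.* scopes are what a mailbox-stealing app needs; legitimate clients can re-consent.
    if ($Remediate -and $g.Scope -match '\bMail\.') {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
    }
}

# 6. Registered sign-in methods; a phone or authenticator the user does not recognise
#    is an attacker's MFA persistence and must be removed by the user or an admin.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } } |
    Format-Table -AutoSize
```

Run it first without `-Remediate` and read the output: the script disables every rule it flags, so a legitimate "move newsletters to Archive" rule will be caught by the folder heuristic and should be re-enabled afterwards. Session revocation and grant removal are deliberately gated behind `-Remediate` as well, so the report-only run changes nothing in the tenant.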