emails have turned/continue turning into the same blackmail phishing body

Question

I am using Microsoft email. Every email I receive gets changed automatically. I have tried everything from my side. It seems my account was hacked, and all the other accounts linked to this email were affected. I still cannot receive emails properly, and some emails are being turned into drafts or changed. Password changed. Signed out everywhere. Rules deleted. No forwarding/pop. Checked recent sign ins and only mine there. Removed apps. Checked everything I can think of and it’s still happening. The emails are getting deleted of changed to receive the scam email again even for my old emails.

Message say

Hey, NAME

What happened here?

About a few months ago, I gained access to your devices and started tracking your online activity.

I was able to hack into your computer and access your email: EMAIL. Your password was easily compromised.

Your password: PASSWORD

What's next?

After a week, I had already installed a Remote Access Trojan (RAT) (Learn more about this] in all your devices.

In fact, it was not difficult at all (since you were clicking on malicious links from incoming emails).

It is very simple. This Trojan gives me access to all your devices (e.g. your microphone, webcam, keyboard and etc.)

[1]l uploaded all your information, data, photos, web browsing history to my servers.

(2] have access to all your messengers, social networks, emails, chat history and contact list.

[3] My virus constantly updates its signature (it is driver-based). so it remains invisible to antivirus programs.

What should I worry?

In gathering information about you, I discovered that you are a big fan of adult websites.

You really enjoy visiting porn sites, watching videos and pleasuring yourself.

Well, I managed to record some of your dirty scenes that show you masturbating.

If you think this is just a bluff, let me remind you: I have access to your entire life. I can see everything you do, hear everything you say, and read everything you type. Your privacy no longer exists.

Answer 1

I have the exact same problem. The message itself is a load of rubbish but I can't get into a few accounts but one is my PlayStation account which has been used to purchase something worth 94.99, probably a year of ps plus. Did you get this fixed? I need to get back into it. I think the hacker might have already changed the email address for my PlayStation account but it would be good to know. Thanks

Answer 2

Hello,

I am going to share with you the comprehensive list of things to do, please feel free to skip those you already did. This process can take a bit time, so please be patient as you go through it.

Please complete these steps on a computer, not on a smartphone or tablet.

====================

First, go to https://www.outlook.com and sign in.

Click the gear icon in the top right corner to open Settings.

Under Mail, review the following areas:

Rules

If any rules are listed, delete all of them.

Conditional formatting

If anything is set up there, delete it.

Forwarding and IMAP

If you see any entries or settings you did not create, remove them. Turn off POP and IMAP.

Junk

Review Safe sender and blocked list. If you don't recognize any, remove them.

After that, exit Settings and return to outlook.com.

Open the To Do section by clicking the blue checkmark icon on the left side. Delete anything there that was not created by you.

====================

Go to https://account.live.com.

Under Your info > Sign-in preferences, review all aliases on the account. If you see any alias you do not recognize, remove it.

Next, go to the Devices section of your Microsoft account and remove any devices you do not recognize.

====================

Please also do the following in Security section

Change your password

Enable two-step verification

====================

Then go to Security > Manage how I sign in and make sure all contact information belongs to you.

On that same page, scroll down to App passwords and remove any existing app passwords.

Also on the same page, click on Sign out everywhere. This is intended to disconnect any active sessions that may still be connected. Please note that this can take up to 24 hours to fully take effect.

====================

In addition, this problem can sometimes be caused by a malicious script or infection on one of your devices.

Are you using a Windows computer to check email? Do you use an email app such as Outlook Classic or New Outlook?

If so, please open the app and remove the account from the app settings.

Then go to the Microsoft Safety Scanner download page:

https://learn.microsoft.com/defender-endpoint/safety-scanner-download

Download the 64-bit version, run a full scan, and let me know what the final results say.

Answer 3

The mailbox is still behaving like a compromised account and needs full incident-style cleanup plus account recovery steps beyond just password and rule changes.

Follow these steps in order:

1. Secure all devices first

• Run a full, up-to-date antivirus/malware scan on every device used to access this mailbox (PCs, phones, tablets).
• If any device shows signs of compromise, remove malware and, if needed, perform a factory reset.
• Do not sign back into email from a device until it is fully cleaned.

2. Regain and harden account access

• If this is a Microsoft account (Outlook.com/Hotmail/Live), follow the hacked/compromised account process:
  • Clear malware (step above), then change your password again to a strong, unique one.
  • If unable to sign in or if prompts for codes you do not control appear, use the official account recovery form and process described in “How to recover a hacked or compromised Microsoft account”.
• After regaining access, immediately:
  • Enable two-step verification and ensure only your own devices and methods are registered.
  • Remove any unrecognized authentication methods or devices from the account’s security settings.

3. Review and clean mailbox configuration Even if some checks were already done, repeat them carefully after securing devices and resetting the password, because an attacker may have re-added persistence:

• In Outlook.com / Outlook on the web:
  • Re-check Rules for any suspicious or unfamiliar rules (including ones that move messages to Drafts, Junk, Notes, RSS, or delete/forward mail) and delete them.
  • Re-check Forwarding and remove any external forwarding addresses.
  • Re-check Automatic replies and clear any content the attacker may have set.
• For Microsoft 365 work/school accounts (if applicable):
  • Check for suspicious inbox rules and forwarding using the guidance in “Respond to a compromised cloud email account”, including rules that move mail to Notes, Junk Email, or RSS Subscriptions, or that forward externally.

4. Terminate attacker access and app permissions

• Use the account security portal to sign out of all sessions again after the password change.
• Remove any unrecognized apps or services that have access to the account (app permissions / connected apps). Attackers often use these to keep access even after a password change.
• For Microsoft 365 work/school accounts, follow the “Secure and Restore Email Function to a Compromised Microsoft 365 Mail Enabled Account” steps:
  • Revoke sign-in sessions.
  • Review and remove suspicious MFA devices.
  • Review and revoke any untrusted applications with user consent.
  • Review and remove any unnecessary or suspicious administrative roles.
  • Review and remove any mailbox forwarding configured via PowerShell if needed.

5. Check for ongoing compromise indicators

• Watch for the common symptoms listed for compromised Microsoft 365 email accounts:
  • New or reappearing suspicious rules.
  • Messages in Sent Items or Deleted Items that you did not send.
  • External forwarding suddenly re-enabled.
  • Frequent unexpected password changes or lockouts.
• If any of these reappear after cleanup, assume either a device is still infected or an app/permission path is still open and repeat the device and permission checks.

6. Treat the blackmail message as phishing/extortion

• Do not pay, reply, or click any links in these messages.
• Mark the messages as junk/phishing in Outlook so that Microsoft’s filters can learn and block similar mail.
• The described “RAT on all devices” and “recorded videos” are standard scare tactics used in sextortion spam; the remediation focus should remain on cleaning devices and securing the account.

7. Protect other linked accounts

• Any other accounts that used this email for sign-in or recovery should be treated as potentially exposed:
  • Change their passwords (all unique, strong).
  • Enable multi-factor authentication where available.

8. Monitor and, if needed, use official support channels

• Regularly review the Recent activity page for the Microsoft account to confirm that only recognized sign-ins appear.
• If recovery or security tools show errors or the account recovery form fails repeatedly, use the official Microsoft support/contact paths described in the referenced Q&A guidance to reach a support agent and report the compromise and ongoing behavior.

---

References:

• Help protect your Outlook.com email account
• How to recover a hacked or compromised Microsoft account
• Phishing and suspicious behavior in Outlook
• What happens if there's an unusual sign-in to your account
• Respond to a compromised cloud email account
• My personal hotmail account hacked by hacker with authentication app enabled. - Microsoft Q&A
• Hacker set up continuous draft ransomware email - Microsoft Q&A
• Is this legit email also? - Microsoft Q&A
• Email from M!CROSOFT - Microsoft Q&A