
My account was hacked - the hacker created forwarding rules that I cannot delete.

Scott Christensen 0 Reputation points
2026-03-06T21:21:47.2+00:00

I have tried every trick ChatGPT suggested to remove the rule. NOTHING works.

[Screenshot 2026-03-06 at 2.19.54 PM]

Please help!

Outlook | Web | Outlook.com | Email

2 answers

  1. EmilyS726 221.8K Reputation points Independent Advisor
    2026-03-06T21:57:31.3566667+00:00

    Hello,

    I am going to share with you the comprehensive list of things to do; please feel free to skip those you already did. This process can take a bit of time, so please be patient as you go through these, in the particular order I laid out below:

    Please complete these steps on a computer, not on a smartphone or tablet.

    This problem can sometimes be caused by a malicious script or infection on one of your devices.

    Are you using a Windows computer to check email? Do you use an email app such as Outlook Classic or New Outlook?

    If so, please open the app and remove the account from the app settings.

    Then go to the Microsoft Safety Scanner download page:

    https://learn.microsoft.com/defender-endpoint/safety-scanner-download

    Download the 64-bit version, run a full scan, and let me know what the final results say.

    ====================

    Go to https://account.live.com.

    Under Your info > Sign-in preferences, review all aliases on the account. If you see any alias you do not recognize, remove it.

    Next, go to the Devices section of your Microsoft account and remove any devices you do not recognize.

    ====================

    Please also do the following in the Security section:

    Change your password

    Enable two-step verification

    ====================

    Then go to Security > Manage how I sign in and make sure all contact information belongs to you.

    On that same page, scroll down to App passwords and remove any existing app passwords.

    Also on the same page, click on Sign out everywhere. This is intended to disconnect any active sessions that may still be connected. Please note that this can take up to 24 hours to fully take effect.

    ==================

    Go to https://www.outlook.com and sign in.

    Click the gear icon in the top right corner to open Settings.

    Under Mail, review the following areas:

    Conditional formatting

    If anything is set up there, delete it.

    Forwarding and IMAP

    If you see any entries or settings you did not create, remove them. Turn off POP and IMAP.

    Junk

    Review Safe sender and blocked list. If you don't recognize any, remove them.

    After that, exit Settings and return to outlook.com.

    Open the To Do section by clicking the blue checkmark icon on the left side. Delete anything there that was not created by you.

    Then finally, see if you can now delete the rules.


  2. Q&A Assist
    2026-03-06T21:22:04.0566667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The forwarding rule keeps coming back because the attacker (or a malicious app/session) still has active access to the mailbox. The rule must be removed, but more importantly, all persistent access has to be cut off so it cannot be recreated.

    Follow a full cleanup sequence, not just rule deletion:

    1. Secure the Microsoft account
      1. Run a full malware/antivirus scan on every device that has used this Outlook/Outlook.com account recently. Do this before changing passwords.
      2. After the scan, change the Microsoft account password to a new, strong password.
      3. Turn on multi‑factor authentication (MFA) for the account and complete setup. In a similar case, once MFA was enabled, the malicious rule stopped recreating itself.
    2. Kill any active sessions and app access
      1. Use the Microsoft account security page to sign out of all sessions (“Sign out everywhere”) so any attacker sessions are dropped.
      2. In the same security area, review and remove any unknown or untrusted apps that have access to the account.
    3. Remove all malicious mail rules and forwarding
      1. In Outlook on the web, go to Settings → Mail → Rules and delete the suspicious rule (such as the idtienphuoc1 rule shown in the screenshot).
      2. Still in Outlook on the web, go to Mail → Accounts → Forwarding and ensure forwarding is disabled or only set to addresses that are trusted. Remove any unknown forwarding addresses.
    4. If using Microsoft 365 with admin access
      1. In the Exchange admin center, review Mail flow → Rules for any organization‑level auto‑forward rules created by the attacker and remove them.
      2. Optionally, create a mail flow rule that blocks auto‑forwarding to external recipients to prevent future data exfiltration:
        • Go to Exchange admin center → Mail flow → Rules → + (Create a new rule).
        • Select More options.
        • Set Apply this rule if → The sender → is external/internal → Inside the organization.
        • Add condition The message properties → include the message type → Auto‑forward.
        • Set Do the following → Block the message → reject the message and include an explanation.
        • Save the rule.
    5. Monitor and, if needed, repeat
      1. After enabling MFA and signing out everywhere, wait for propagation (can take some time) and confirm the rule no longer recreates itself.
      2. Continue to monitor Rules and Forwarding for a while to ensure nothing new appears.

    If access to the account itself is lost or recovery fails, use the official hacked/compromised account recovery flow to regain control first, then perform the cleanup steps.


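For the Microsoft 365 case in step 4 of the answer above (it does not apply to a personal Outlook.com account), the same review and the auto-forward block can be done from Exchange Online PowerShell. This is an added example, not part of either answer; the admin and mailbox addresses and the rule name are placeholders, and limiting the rule to external recipients with `-SentToScope NotInOrganization` is an assumption made to match the stated goal.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an Exchange admin role.
# $Admin, $Mailbox and $RuleName are placeholders, not values from this thread.
$Admin    = 'admin@contoso.example'
$Mailbox  = 'user@contoso.example'
$RuleName = 'Block external auto-forward'

Connect-ExchangeOnline -UserPrincipalName $Admin

# 1. Inbox rules on the mailbox that forward, redirect or delete mail,
#    including hidden rules.
Get-InboxRule -Mailbox $Mailbox -IncludeHidden |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Format-List Name, Identity, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage

# 2. Mailbox-level forwarding, which is stored on the mailbox itself
#    rather than as an inbox rule.
Get-Mailbox -Identity $Mailbox |
    Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Organization-level mail flow rules, listed for manual review.
Get-TransportRule | Format-Table Name, State, Priority, WhenChanged

# 4. Reject auto-forwarded messages from internal senders to external
#    recipients, unless a rule with this name already exists.
if (-not (Get-TransportRule | Where-Object { $_.Name -eq $RuleName })) {
    New-TransportRule -Name $RuleName `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText 'External auto-forwarding is not permitted.'
}

# Cleanup, once an entry from steps 1 or 2 is confirmed as not created by the owner:
# Remove-InboxRule -Mailbox $Mailbox -Identity '<rule identity from step 1>'
# Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
```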
