My Account was hacked

Question

My Account was hacked

Mark Munro-MacSwan 10

I have reset my password, added a 2-step authenticator, removed a suspicious rule and done a force log out of all devices. I spoke to a live chat agent who sent a follow-up link to live support but it was sent to the compromised email address, and its lost I cannot find the live chat option anywhere. The search help function comes up with zero help, no matter what keywords I put in.

Can anyone assist me?

0 comments

2 answers

Your answer

Answer 1

EmilyS726 222K Independent Advisor

Hello

Looks like you are already on the right path.

The sign out everywhere can take 24 hours to kick in, so it can be just a matter of time.

I am going to share with you the comprehensive list of things to do, please feel free to skip those you already did. This process can take a bit time, so please be patient as you go through it. I worked with quite a few users that managed to get this to work, but they all take time to go through. Here is an example: https://learn.microsoft.com/en-us/answers/questions/5806739/outlook-email-hacked?orderby=oldest&page=1&comment=answer-12639146&translated=false#answers

Please complete these steps on a computer, not on a smartphone or tablet.

====================

First, go to https://www.outlook.com and sign in.

Click the gear icon in the top right corner to open Settings.

Under Mail, review the following areas:

Rules

If any rules are listed, delete all of them.

Conditional formatting

If anything is set up there, delete it.

Forwarding and IMAP

If you see any entries or settings you did not create, remove them. Turn off POP and IMAP.

Junk

Review Safe sender and blocked list. If you don't recognize any, remove them.

After that, exit Settings and return to outlook.com.

Open the To Do section by clicking the blue checkmark icon on the left side. Delete anything there that was not created by you.

====================

Go to https://account.live.com.

Under Your info > Sign-in preferences, review all aliases on the account. If you see any alias you do not recognize, remove it.

Next, go to the Devices section of your Microsoft account and remove any devices you do not recognize.

====================

Please also do the following in Security section

Change your password

Enable two-step verification

====================

Then go to Security > Manage how I sign in and make sure all contact information belongs to you.

On that same page, scroll down to App passwords and remove any existing app passwords.

Also on the same page, click on Sign out everywhere. This is intended to disconnect any active sessions that may still be connected. Please note that this can take up to 24 hours to fully take effect.

====================

In addition, this problem can sometimes be caused by a malicious script or infection on one of your devices.

Are you using a Windows computer to check email? Do you use an email app such as Outlook Classic or New Outlook?

If so, please open the app and remove the account from the app settings.

Then go to the Microsoft Safety Scanner download page:

https://learn.microsoft.com/defender-endpoint/safety-scanner-download

Download the 64-bit version, run a full scan, and let me know what the final results say.

Mark Munro-MacSwan 10 Reputation points

2026-03-07T16:16:15.0266667+00:00

Results showed nothing. The real problem is on my email account. Since I completed a force log out on all devices, a password change and removed a rule i found the emailing out has stopped. But now I still get a draft message with the same content. Any incoming email has the same email content. I have received notifications from companies saying im trying to change my email address too
EmilyS726 222K Reputation points Independent Advisor

2026-03-07T16:22:37.2566667+00:00

Your case sounds just like the one I dealt with recently.. https://learn.microsoft.com/en-us/answers/questions/5806739/outlook-email-hacked?orderby=oldest&page=1&comment=answer-12639146&translated=false#answers

Did you check To-Do? The reappearance of the draft can be triggered by to-do, you need to clean all of that, and the existing drafts need to be manually cleaned too.

That seemed to work eventually for Jonathan in the other case. But there's one more thing you can do too - Go to your Microsoft account online https://account.live.com> Sign in > Your info > Sign in preference. Add an alias - You have two options here: Create new: this will allow you to use the native domain outlook.com to create a new alias. Add existing: this will allow you to add a 3rd party email address, such as yahoo, gmail, as long as they are not already associated with another Microsoft account. Once added, make this new alias your primary alias, do NOT delete the old alias. Then at the bottom, click on "Change sign in preference". On the next page, uncheck the box for the old alias. This means, from now one, the old alias cannot be used to sign into your Microsoft account, but it can be still used to receive emails, etc.
Mark Munro-MacSwan 10 Reputation points

2026-03-07T16:27:52.94+00:00

Yes there is a Task on ToDo
Mark Munro-MacSwan 10 Reputation points

2026-03-07T16:40:08.5166667+00:00

How do I remove this on ToDo
EmilyS726 222K Reputation points Independent Advisor

2026-03-07T16:48:46.82+00:00

Click on the task name (see outlined), then use the delete key on your keyboard to delete. Don't click on the radio button, that will only complete it instead.
Mark Munro-MacSwan 10 Reputation points

2026-03-07T16:51:19.57+00:00

Okay so I have done that. When you replied I got an email from Microsoft to notify me but the body of the email was still ransomware content.
Mark Munro-MacSwan 10 Reputation points

2026-03-07T16:57:33.03+00:00

I have noticed now that ive cleared all the emails. All emails keep updating with the Ransomware letter
EmilyS726 222K Reputation points Independent Advisor

2026-03-07T16:57:53.13+00:00

But need to give it a bit more time.

At the same time, did you remove your Microsoft account off any email app you can think of on all devices?
Mark Munro-MacSwan 10 Reputation points

2026-03-07T17:03:22.0733333+00:00

Do you mean from devices like my phone etc?
EmilyS726 222K Reputation points Independent Advisor

2026-03-07T17:05:26.0366667+00:00

Yes, any device you can possibly think of.
Mark Munro-MacSwan 10 Reputation points

2026-03-07T17:11:49.6033333+00:00

Okay I have removed my Email Account from my phone, its the only device with that account attached. I am still receiving emails with the content overwritten, and drafts are flagged and pinned with the same letter
EmilyS726 222K Reputation points Independent Advisor

2026-03-07T17:14:33.4833333+00:00

And removed from the computer too, right?

Have you done this too? Forwarding and IMAP

If you see any entries or settings you did not create, remove them. Turn off POP and IMAP.

And you also change the alias as I suggested above?

If so, give it a few more hours, and test again.
Mark Munro-MacSwan 10 Reputation points

2026-03-07T17:25:18.2466667+00:00

I have turned off POP and IMAP.

I havent tried the alias yet
EmilyS726 222K Reputation points Independent Advisor

2026-03-07T17:28:04.56+00:00

Ok Mark, please comb through everything I have listed so far.. these items are not optional, but are areas must checked.

Some changes can take time for the backend to propogate. So please give it some time to report back. I don't expect it to magically stop right away. As you see ther reference thread where I worked with Jonathan. It took several days to tackle all of his issues.
Mark Munro-MacSwan 10 Reputation points

2026-03-08T17:57:30.5266667+00:00

Okay, I have created an Alias. Since yesterday, a secondary email bombing occurred about 16hrs ago from my account.
EmilyS726 222K Reputation points Independent Advisor

2026-03-08T18:03:10.9866667+00:00

When you said bombing, I need to know -

Are they still turning your incoming emails into threats - for example, if you send yourself an email from another email, does it arrive normal?

Or, you are just getting a lot of spams in general?
Mark Munro-MacSwan 10 Reputation points

2026-03-08T18:13:42.6166667+00:00

If I send one to myself from another email it comes up as it should but after a few minutes the title changes and the body of the email changes to ransom letter.

The bombing is when my email address is sending out 100s of emails in minutes to other people.

I checked Permissions though and found an App Thunderbird that I didnt recognise, so I removed Permissions, did another force log out and checked again for rules and forwarding
EmilyS726 222K Reputation points Independent Advisor

2026-03-08T18:17:31.8733333+00:00

Yeah, that indicates that there's active session out there.

Did you remove app password as well, which was also one of the items in my original long list.

Check to-do again, did any come back?
joshua smith 0 Reputation points

2026-03-08T19:01:33.4766667+00:00

I'm a separate user sending this but I have also had the issue that the guy has stated above. Many emails are corrupted heavily by whatever the thing is and there are no active viruses on any of the computers that I've seen this on. Also gone ahead and done quite literally every single help page regarding it. The drafts are still continuously sent by whatever the attacker is using however.
Mark Munro-MacSwan 10 Reputation points

2026-03-08T20:10:18.5166667+00:00

I went to https://account.live.com/consent/manage and looked for anything suspicious. I found an app called thunderbird. I removed it, then did an alias change and another force log out, the draft activity stopped.

Answer 2

Take these steps to both secure the account and reach the right support paths again:

Verify and secure the account

Since the account was hacked, follow Microsoft’s compromised-account guidance:
- Change the password again to a strong, unique one (different from any used before).
- Ensure two-step verification (MFA) is fully enabled and working on a trusted device.
- If the account is part of Microsoft 365 (work/school), an admin should also revoke sessions using Microsoft Graph PowerShell:
  - Install and connect:
```
      Install-Module Microsoft.Graph.Authentication
      Install-Module Microsoft.Graph.Users.Actions
      Connect-MgGraph -Scopes User.RevokeSessions.All
```
  - Revoke sign-in sessions:
```
      Revoke-MgUserSignInSession -UserId <UPN>
```
- If the account is synced from on-premises Active Directory, reset the password in AD (twice) as per guidance.
- If the identity is federated, change the password in the on-premises environment.

Clean up any remaining attacker persistence

In Outlook on the web:
- Check Settings → Mail → Rules and delete any suspicious rules.
- Check Mail → Forwarding and remove any unknown forwarding addresses.
If using Microsoft 365/Exchange Online and you have admin rights, also review:
- Mail flow rules, connectors, and add-ins that could have been added.
Make sure app passwords (if used) are deleted and recreated, because they are not automatically revoked when you reset the password.

Strengthen protection going forward

Keep MFA enforced on the account; Microsoft highly recommends MFA, especially for any admin or high-value account.
Consider phishing-resistant MFA methods where available.
Review Microsoft’s guidance on keeping the account secure and consider going passwordless using Microsoft Authenticator, Windows Hello, or security keys.

Get back to official support options Because the previous live-chat link went to the compromised mailbox, use the official self-service and support entry points again from a browser:

For a hacked or compromised Microsoft account (including Outlook.com/Hotmail), start with the Sign-in Helper / hacked-account helper to get the right recovery and support flow.
If sign-in or recovery fails, use the Microsoft account recovery form from a device and location normally used with the account, and provide as much accurate information as possible.
If the recovery form or helper tools show technical errors, go through the main Account & Billing Help and Contact support flows to reach a chat agent again (these portals do not require the old chat link in email).

If the account is a free consumer Outlook.com/Hotmail account, only the automated recovery and security processes plus what support can do through those official flows can restore or further assist; there is no manual bypass of those protections.

References:

Share via

My Account was hacked

2 answers

Your answer