Hacked hotmail

Question

Sequence of events:

Earlier today I received a sextortion scam email claiming that a hacker had installed a Trojan/RAT on my device and demanding payment in Bitcoin. The message included an old password and threatened to send videos to my contacts if payment was not made.

Immediately after receiving that email the mailbox behavior changed drastically.

What happened next:

• My inbox was wiped

• All emails I had previously sent were deleted

• All drafts were deleted

• Incoming emails now appear in the inbox for about one second and then disappear automatically

Important details:

• The disappearing messages do NOT appear in Deleted Items

• They do NOT appear in Junk

• They do NOT appear in Archive

• They simply vanish from the mailbox

In addition, messages are now appearing in my Inbox that are marked as Drafts. When I try to delete these items from the Inbox, Outlook asks:

“Are you sure you want to discard this draft?”

This suggests draft items are somehow appearing inside the Inbox folder.

The scam email message also keeps appearing as part of the mailbox view and sometimes appears as a draft even though it is displayed in the Inbox.

At one point there was an inbox rule present with the name [PII: Removed]. I deleted that rule, but the mailbox behavior continued after the rule was removed.

Security steps already taken:

• Password changed multiple times

• Two-factor authentication enabled

• Signed out everywhere

• All inbox rules removed

• Forwarding disabled

• POP and IMAP disabled

• Connected apps removed

• Devices removed

I contacted Microsoft support chat several times but they say the account is fine and cannot see a problem.

However the mailbox clearly behaves incorrectly and is effectively unusable because incoming mail cannot remain in the Inbox.

Because of this I cannot receive password resets, banking notifications, or other important communications.

Please escalate this issue to the Outlook mailbox engineering team to:

• check for hidden server-side rules

• check for connected clients deleting messages

• reset the mailbox rule table

• reset the mailbox configuration

The account itself is accessible but the mailbox cannot receive emails normally.

Answer 1

Please note that our forum is a public platform, and we will modify your question to hide your personal information in the description. Kindly ensure that you hide any personal or organizational information the next time you post an error or other details to protect personal data.     

Please note that this is a user-to-user community. As moderators, I have limited access to internal development details. My role is to direct users to the appropriate support channels and resources. While I cannot provide backend analysis, I will do my best to assist you within my responsibilities.   

---

Hi noah

I understand you’re having issues with your Outlook.com/Hotmail mailbox after a compromise: incoming mail briefly appears and then vanishes (not in Deleted/Junk/Archive), drafts are showing in Inbox, and you previously noticed a suspicious rule name. Please follow these steps: 

1) Check whether mail is being routed to Other (Focused Inbox) 

If Focused Inbox is enabled, messages may be landing in Other instead of the main inbox view. Check Inbox > Other, and if you find the message there, move it back to Focused.  

Reference: Email is missing from your Outlook.com inbox - Microsoft Support 

2) Check whether messages are being removed but still recoverable 

Even if you don’t see messages in Deleted Items, Outlook.com can still keep them temporarily recoverable. In Deleted Items, use “Recover items deleted from this folder” to look for and restore missing messages. 

3) Review sign-in history and mark unauthorized activity 

Microsoft’s Recent activity page shows sign-in activity in the last 30 days. If you see Unusual activity, you can select “This wasn’t me” and follow the prompts to secure your account.  

4) Escalation

For compromised accounts, please fill in the account recovery form and contact support if the form fails: 

• Visit Contact - Microsoft Support (Only chat support is available for personal account) 
• Type a brief description of your issue in the search box  
• Scroll down to the bottom > select Sign in to contact support  
• Log in to another available personal Microsoft account.   
• Under Products & Services, select "Other Products"; Under Categories, select "Manage account security", and click Confirm.  
• Click "Chat with a support agent in your web browser" (during business hours) 

Thank you for your understanding.  

Answer 2

The mailbox shows classic symptoms of a compromised Outlook.com/Microsoft account with malicious rules or apps still acting on the mailbox, even after visible rules were removed.

Based on the documented guidance, the following steps are required to contain and remediate:

1. Treat the account as compromised and follow the official recovery flow
   Follow the steps in How to recover a hacked or compromised Microsoft account:
   • Step 1 – Scan all devices that have ever accessed this mailbox (PCs, phones, tablets) with an up‑to‑date antivirus/antimalware solution and run a full scan before changing any more passwords.
   • Step 2 – Change the Microsoft account password again after scans complete, using a strong password as described in the article. Do this from a known‑clean device only.
   • If sign‑in issues occur, use the official password reset flow as described in the same article.
2. Verify account security and sign‑in activity
   • Go to the Recent activity page to review sign‑ins for the last 30 days and confirm whether there are suspicious sign‑ins or locations.
   • If suspicious activity is found, continue with the hacked/compromised account guidance and complete all recommended steps.
3. Re‑check Outlook.com mailbox configuration from the web
   Even though many steps were already taken, the official guidance emphasizes checking these again after securing the account:
   • Rules: In Outlook on the web, go to Rules settings and verify there are no Inbox or Sweep rules that move or delete messages. Delete any suspicious rules.
   • Forwarding: Confirm that forwarding is disabled and no unknown addresses are configured.
   • Connected accounts / apps: Re‑check connected accounts and remove anything not recognized.
   • Automatic replies: Ensure no malicious automatic replies are configured.
4. Look for compromise indicators in the mailbox
   The behavior described (missing/deleted mail, suspicious rules, continuous draft behavior) matches the common symptoms of a compromised Microsoft 365 email account:
   • Missing or deleted email.
   • Suspicious Inbox rules that move or forward messages.
   • Potential external forwarding or app‑based access.
     If any of these are still present, continue remediation as for a compromised mailbox.
5. Use “Sign out everywhere” and keep MFA enforced
   • After changing the password and confirming devices are clean, use the Microsoft account security options to sign out everywhere so any active attacker sessions are invalidated.
   • Keep two‑factor authentication (MFA) enabled. As seen in a similar case, once MFA was properly in place, the malicious rule stopped re‑creating itself.
6. Check for mailbox rules/forms attacks if using Microsoft 365
   If this Outlook.com address is also used in a Microsoft 365 context (for example, as a mailbox in an organization), follow the Defender for Office 365 guidance to detect and remediate Outlook rules/forms attacks, including:
   • Enumerating Inbox rules server‑side.
   • Removing hidden or malicious rules.
   • Reviewing connectors, add‑ins, and any external forwarding.
7. If self‑service recovery fails, persist with official support paths
   • Use the Microsoft account recovery form and provide as much accurate historical information as possible if access is lost again.
   • If the automated recovery or forms fail or show errors, contact Microsoft Support via the official support portal and report the account as compromised, referencing the symptoms: disappearing mail, reappearing drafts, and previously seen malicious rule names (such as idtienphuoc1).
8. Warn contacts and monitor for further abuse
   • Inform contacts from another email or communication channel that the account was compromised and that any unusual messages, especially those requesting money or containing links/attachments, should be ignored.
   • Continue to monitor the Recent activity and mailbox behavior after remediation.

If, after completing all steps in the hacked/compromised account guidance and verifying rules/forwarding/connected apps, the mailbox still auto‑deletes or converts items to drafts, this must be handled by Microsoft support through the official channels, as only they can reset internal mailbox state or rule tables on the service side.

---

References:

• Email is missing from your Outlook.com inbox
• Respond to a compromised cloud email account
• How to recover a hacked or compromised Microsoft account
• Help protect your Outlook.com email account
• My personal hotmail account hacked by hacker with authentication app enabled. - Microsoft Q&A
• I have seen great advice for deleting the idtienphuoc1 Rule but none for stopping it from re-adding itself - Microsoft Q&A
• Hacker set up continuous draft ransomware email - Microsoft Q&A
• hello my email was (Moderator note: PII removed)@icloud.com and now its (Moderator note: PII removed)@jerkoffmail.com can please someone help me and the team change it my username in xbox is (Moderator note: PII removed) please help me team and change it - Microsoft Q&A
• Is this legit email also? - Microsoft Q&A