My account was hacked and I keep receiving scam emails

Question

"My Outlook account was hacked. I have secured it but I keep receiving repeated scam emails with subject the same subject line. A suspicious rule 's0zthtrq' was created by hackers. Microsoft's security email was also blocked by hackers. Please help stop these emails and investigate."

Answer 1

Hi, I'm John!

This is a phishing attempt. Please don’t click on any links or respond to the message. Scammers often use these tactics to trick people into giving away personal information or money.

About the persistent draft being credited:

If you haven't tried anything yet, please start by running a full antivirus scan on your computer using Windows Security and any third-party antivirus software you have.

Run a full deep scan using a trusted security tool:

• Download and run Microsoft Safety Scanner here: https://learn.microsoft.com/defender-endpoint/safety-scanner-download
• After running the scan, please restart your PC and monitor whether the issue continues.

---

To be safe, I recommend the following steps:

Check your account rules and forwarding settings, hackers create rules that automatically forward or delete emails. You can do this in Outlook settings under Mail > Rules and Forwarding. https://support.microsoft.com/office/manage-email-messages-by-using-rules-in-outlook-c24f5dea-9465-4df4-ad17-a50704d66c59

Just to be safe, I’d recommend to sign out everywhere. Visit: https://account.live.com/proofs/manage/additional Scroll down to Sign me out and select "Sign me out".

• After signing out everywhere, please monitor if the issue persists in the coming hours.

---

"How to help keep your Microsoft account secure" https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-secure-628538c2-7006-33bb-5ef4-c917657362b9

---

I really hope this information is helpful! Let me know if you have any further questions or concerns.

Regards,

John J.D.

Answer 2

To stop the repeated scam emails and ensure the hacker no longer controls the mailbox, follow these steps in Outlook on the web/Outlook.com:

1. Remove malicious rules and forwarding

• Go to Settings (gear icon) → Mail → Rules.
• Delete any suspicious rules, including the one named s0zthtrq and any others that move, delete, or forward messages automatically.
• Go to Settings → Mail → Forwarding and remove any forwarding addresses that were added without consent.

2. Check for other compromise indicators

• Review automatic replies and signatures for any scam content and remove it.
• Check Sent Items, Deleted Items, and Drafts for messages the attacker created (for example, blackmail or scam drafts) and delete them.
• If using Microsoft 365 with admin access, also review mail flow rules and connectors as described in the guidance for compromised accounts.

3. Secure the Microsoft account itself

• Run a full antivirus/malware scan on every device used to access the account before changing anything else.
• Change the account password to a strong, unique one using the official Microsoft account security page.
• Ensure multi-factor authentication (MFA) is enabled and that only trusted devices and authentication apps are registered.
• Review recent activity at https://account.live.com/activity to see where and when the account has been accessed. If unfamiliar sign-ins appear, secure the account and sign out of all sessions.
• Add or confirm alternate email and mobile phone as security info so recovery is easier if this happens again.

4. Use Outlook’s built-in protection

• Mark any remaining scam messages as Junk or Phishing so Outlook’s filters learn and block similar emails.
• Watch for yellow and red safety bars and avoid clicking links or opening attachments in suspicious messages.

5. If the account appears compromised again

• Follow the official hacked-account recovery steps in the Microsoft guide for a hacked or compromised Microsoft account.
• If unable to sign in or if security info was changed by the attacker, use the Microsoft account recovery form and follow the documented process. If that fails, there is no alternate manual bypass for consumer Outlook.com accounts.

These steps remove the hacker’s persistence (rules/forwarding), restore normal mail flow, and harden the account so the repeated scam emails stop or are filtered to junk.

---

References:

• How to recover a hacked or compromised Microsoft account
• Help protect your Outlook.com email account
• Phishing and suspicious behavior in Outlook
• Respond to a compromised cloud email account
• My account got hacked - Microsoft Q&A
• My personal hotmail account hacked by hacker with authentication app enabled. - Microsoft Q&A
• Hacker set up continuous draft ransomware email - Microsoft Q&A
• hello my email was (Moderator note: PII removed)@icloud.com and now its (Moderator note: PII removed)@jerkoffmail.com can please someone help me and the team change it my username in xbox is (Moderator note: PII removed) please help me team and change it - Microsoft Q&A
• Email from M!CROSOFT - Microsoft Q&A