Take immediate steps to secure the Outlook/Outlook.com account and remove the attacker’s access.
- Regain and secure account access
- Change the account password to a strong, unique one that is not used anywhere else.
- If not already enabled, turn on two-factor authentication (2FA) / multi-factor authentication for the Microsoft account so a password alone is not enough to sign in.
- If sign-in is blocked or the password has been changed by the attacker, follow the hacked-account recovery guidance at My Outlook.com account has been hacked (linked from the phishing and protection articles in the references).
- Sign out attackers and remove their access paths
- Use the Microsoft account security page to sign out of all active sessions so any attacker currently logged in is disconnected.
- Review and remove any unknown app permissions or connected apps that might allow continued access.
- Clean up malicious mailbox configuration
A compromised mailbox often shows specific symptoms and configuration changes:
- Check for suspicious inbox rules:
- In Outlook on the web, open Settings → Mail → Rules and delete any rules that:
- Automatically forward email to unknown addresses.
- Move messages to Notes, Junk Email, or RSS Subscriptions unexpectedly.
- Check for external forwarding:
- In Outlook on the web, review Mail → Forwarding and remove any forwarding addresses that were not set up intentionally.
- Review mailbox content and settings:
- Look for suspicious messages in Sent Items and Deleted Items (for example, messages changing payment or banking details).
- Check the email signature for any fraudulent content (such as fake banking details or payment instructions) and remove it.
- Verify contact details in the account profile/global address list entry (name, phone, address) and correct any changes.
- Protect contacts and ongoing business
- Inform affected customers and contacts using a trusted channel (phone or a separate verified email) that the account was compromised and that any recent messages changing payment or wiring instructions may be fraudulent.
- Instruct them to ignore or delete suspicious messages and to verify any financial changes directly.
- Watch for signs of continuing compromise
Common signs that the account is or was compromised include:
- Mailbox blocked from sending email.
- Missing or deleted email.
- Suspicious inbox rules or external forwarding.
- Frequent password changes or unexplained account lockouts.
If any of these reappear after cleanup, repeat the security steps above and consider running security scans on all devices used to access the account.
- Ongoing phishing awareness
- Be cautious of emails that:
- Promise rewards or urgent actions (for example, tax refunds, invoices for things not purchased).
- Ask to enter the email address and password to open a document or unlock an attachment.
- In Outlook and Outlook.com, watch for:
- A ? in the sender image (unverified sender).
- A via tag showing a different sending domain than the visible From address.
- Yellow or red safety bars warning about blocked or unsafe content.
These steps remove the attacker’s access routes (password, sessions, rules, forwarding, app permissions) and help prevent further fraudulent emails from being sent as if they were from the account.
References:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 55.00000000000001%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVR%3C/text%3E%3C/svg%3E)
