
Compromised Microsoft Account

Fel Anderson 20 Reputation points
2026-04-22T09:58:20.8433333+00:00

Hello, I have gotten a Microsoft account hacked via a session token stealing virus. Someone from the Russian Federation got us. But oddly, we still have access to the account and even managed to revert the main alias back to what it was before the bot changed it to a burner email. Despite that, there's a huge problem. We did not have a security email, and because of that, the perpetrator added their own, and we have to wait 30 entire days for it to change to a new one we've set. This is really bad because they still have the capability of easily canceling this process; we need them gone ASAP.

Maybe I'm looking in the wrong places but I haven't been able to find support for this. When I've contacted Microsoft via phone I'm sent straight to an AI bot that does not understand my problem, and at a certain point, started repeating the same thing before hanging up on me.

If you have any idea on what next steps I should take and where I can go for support for this, please tell me. Thank you for taking the time to read.

Outlook | Web | Outlook.com | Account management, security, and privacy

Answer accepted by question author

Darhyl Amizola 44,035 Reputation points Independent Advisor
2026-04-22T10:43:12.09+00:00

Hey there! Nice to meet you!

Since you were able to request a security info change, I'm afraid your only option is to wait for the 30-day restriction state to complete. The hacker has their email added to your account; this means that they have full control over your account, and they can simply cancel your security info change request.

If this happens, you will need to try requesting again, and hopefully, the hacker will not notice.

Unfortunately, it is also not possible to bypass the 30-day restriction state.

However, if the 30-day restriction state is complete, you will be able to remove the hacker's security info email/phone number from your account using your newly added security info.

Lastly, please be advised that Microsoft Support will not be able to assist you with manual recovery, unblock, security info management, and escalation for this case, as stated in this article, which says that they are not permitted to send password resets, access, or even change any details on the account:

https://support.microsoft.com/account-billing/help-with-the-microsoft-account-recovery-form-b19c02d1-a782-dee6-93c3-dc8113b20c42

Thank you for your understanding! Please let me know if you need anything else.

Best regards,

Darhyl


1 additional answer

  1. AI answer

    2026-04-22T09:58:46.61+00:00

    The 30-day security info change period cannot be shortened or overridden, even in compromise cases. The only supported options are those built into the “security info change is still pending” flow.

    Use these steps, depending on who initiated the change:

    1. Check the “security info change is still pending” screen
      • Sign in to the Security page for the Microsoft account.
      • If the banner says "Your security info change is still pending" or "You can't access this site right now", the account is in the 30‑day restricted state because all previous security info was removed and replaced.
    2. If the security info removal was done by the account owner
      • On the "Your security info change is still pending" window, select "cancel this request" and follow the prompts.
      • This only works if there is still access to the original security proofs (old email/phone) that were on the account when the change was made.
    3. If the attacker made the security info changes
      • On the same "Your security info change is still pending" window, select "let us know" at the bottom and follow the prompts to report that the change was unauthorized.
      • This is the only supported way to flag that the pending security info change was done by someone else.
    4. What can and cannot be done during the 30 days
      • When all security info is removed, the account is put into a restricted state for 30 days. During this period, the change cannot be expedited by support.
      • Microsoft sends notifications about the change to the original security info (old phone/email) during these 30 days to alert the legitimate owner.
    5. If the attacker added an alias or forwarding
      • Since there is still access to the account, review and remove any attacker-added aliases or forwarding rules once access to security settings and Outlook.com is available:
        • Use "Manage how you sign in" to remove any email aliases not recognized.
        • In Outlook on the web, check Forwarding and Rules and remove anything suspicious.
    6. If the account becomes unrecoverable
      • If the attacker ultimately replaces all security info and the account recovery form fails, the account may become unrecoverable. In that case, the guidance is to follow the hacked/compromised account article and the account recovery form as the only supported recovery path.

    For additional protection while access still exists:

    • Follow the hacked-account guidance to scan devices for malware, change the password, and review account settings such as connected accounts, forwarding, and automatic replies.

