![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 85%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EES%3C/text%3E%3C/svg%3E)
Follow these steps immediately to regain control and protect the OneDrive content and account.
- Recover and secure the Microsoft account
- Use the official hacked-account recovery flow: How to recover a hacked or compromised Microsoft account.
- The sign-in helper will:
- Ask for the email/phone.
- Guide through self-help or connect to an agent if eligible.
- If the attacker changed security info (alternate email, phone, etc.), complete the recovery form as accurately as possible. If it fails, submit again from a different device/network as suggested in the Q&A guidance.
- If recovery fails
- Account recovery for personal Microsoft accounts is fully automated. As described in the Q&A answers:
- If the recovery form does not succeed and the attacker has replaced the security info, there is no other method to regain access.
- Microsoft Support and community forums cannot override the automated process.
- Once access is regained, lock the attacker out After successfully signing back in and passing any security checks:
- Change the password to a strong, unique one.
- Review and remove any attacker-added security info and aliases (email addresses, phone numbers, sign-in names) in the account’s security settings.
- Add secure verification methods (for example Microsoft Authenticator) as described in the account security guidance linked from the recovery article.
- If any “security info change pending” message appears, follow the built-in options on that screen (such as “Let us know” if the change was unauthorized), as described in the Q&A guidance.
- Protect and restore OneDrive evidence files Once the account is secure and the attacker is locked out:
- If many OneDrive files were deleted or modified, use OneDrive restore:
- For work/school OneDrive or SharePoint: follow the “Restore your OneDrive” / “Restore a shared library” guidance in the article on recovering missing, deleted, or corrupted items.
- For personal OneDrive with Microsoft 365 subscription, use the “Restore your OneDrive” feature described in the personal OneDrive article to roll back to a point in time (up to 30 days).
- Be aware:
- Restoring to a previous point will send files created after that date to the OneDrive recycle bin; they can be restored from there.
- If files are still missing after restore
- For work/school OneDrive:
- Check the OneDrive/SharePoint recycle bin and restore items if present.
- If items were deleted from the recycle bin, an admin might still be able to restore them using SharePoint recycle bin management.
- For personal OneDrive:
- Use the search and recycle bin guidance in the “Find lost or missing files in OneDrive” article.
- If files still cannot be found, support agents cannot access or restore personal content beyond the documented options.
- If the account is used in Microsoft 365 (work/school)
- Treat this as a compromised cloud email account:
- Follow the Defender for Office 365 guidance for responding to a compromised cloud email account to ensure the mailbox, OneDrive, and SharePoint content are secured.
- If the account cannot be recovered
- As stated in the Q&A guidance, if the automated recovery process cannot verify ownership and the attacker has fully replaced security info, the account and its OneDrive content are typically not recoverable.
For urgent personal safety concerns (for example, harassment, stalking, or threats), contact local law enforcement and provide them with any evidence already in possession, including any copies of files that may exist outside OneDrive.
References:
- How to recover a hacked or compromised Microsoft account
- Hello , welcome to Account help & learning
- Respond to a compromised cloud email account
- How to recover missing, deleted or corrupted items in SharePoint and OneDrive for work or school
- Find lost or missing files in OneDrive
- my microsoft account has been compromised - Microsoft Q&A
- My account got hacked. - Microsoft Q&A
- Account hacked - Microsoft Q&A
- How do I send an email to Microsoft about my account being hacked and taken over by <removed> ? - Microsoft Q&A
- My account got hacked - Microsoft Q&A