A compromised Microsoft account can expose email, cloud files, subscription data, and the reset paths for other services. The right order is usually the same: secure the inbox and phone first, remove attacker persistence, then harden the account so the takeover does not repeat.
If the Microsoft account is also your Outlook inbox, treat the mailbox as the incident center. If it is a work or school account, the control plane may be your organization’s identity system, not just the password you see on screen.
| Signal | First move | Why it comes first |
|---|---|---|
| You can still sign in | Change the password on a trusted device, then review Recent activity and security info | Live sessions are the fastest way back into the account |
| Security info was changed | Use Microsoft’s Sign-in Helper and the recovery form, then wait out any pending security-info change state | Microsoft may restrict the account when recovery methods were replaced |
| Mail is still flowing to the attacker | Remove forwarding, inbox rules, and delegate or shared access before you do anything else | Password resets are useless if the attacker keeps receiving messages |
| Work or school account | Check My Sign-ins and contact IT or your Microsoft 365 admin | Organization policies can control recovery, delegation, and device access |
Key idea: If an attacker still controls your mail flow, every password reset is temporary.
Start here
Sort the incident before you start clicking recovery links. The first branch is whether you can still sign in somewhere. The second is whether the attacker changed the security info or the mailbox itself. The third is whether this is a personal Microsoft account or a work or school account.
If the problem spans more than Microsoft, use how to check if you’ve been hacked to separate the account problem from a device or identity problem. If the device looks suspicious, check how to detect spyware before you try recovery on that same machine again.
Personal account or work/school account
Personal accounts are recovered through Microsoft’s public account flow. Work or school accounts are different: your admin may control password resets, security settings, delegate access, and device sign-in rules. If the account belongs to an organization, route the case through IT and compare it with Google Workspace or Microsoft 365 admin compromised so you do not spend time fighting controls that only the admin can change.
For work or school accounts, Microsoft publishes My Sign-ins so you can review sign-in history and spot unusual activity before you reset deeper controls.
Do not: change every security method at once. If all security info is removed and replaced, Microsoft can put the account into a 30-day restricted state.
If you can still sign in
Change the password on a trusted device
Change the password immediately from a clean device. Microsoft’s unusual-sign-in guidance says to start from Security basics, review Recent activity, and then change the password if the activity is not yours. Use that path instead of guessing from memory.
Open Security basics and look for Recent activity. If Microsoft shows options such as This wasn’t me or Secure your account, use them when the activity is unauthorized. Labels vary a bit by device and region, but the action is the same: mark the sign-in as suspicious and stop the session from continuing.
If you are not already using stronger sign-in protection, add two-factor authentication (2FA) and, where available, passkeys. A password alone is too easy to replay after phishing or token theft.
Review security info and recovery methods
Attackers often replace the phone number, alternate email, or authenticator entry used for account recovery. Remove anything you do not recognize and add methods that you actually control. Redundancy matters, but only if the extra methods are yours.
If the account shows security info change is still pending, Microsoft says the account can stay restricted for 30 days when all security info was removed and replaced. That delay is deliberate, because it gives the original owner time to notice the change and it blocks the attacker from completing the takeover immediately.
Clean up mailbox persistence
For Outlook.com or Microsoft-hosted mailboxes, check for automatic forwarding, mail rules that hide or delete alerts, and any delegate or shared-mailbox access that should not exist. Forwarding is a direct path for password reset messages, so it matters even when the rest of the account looks stable. Microsoft documents automatic forwarding in Outlook, and it documents delegate access for work or school mailboxes. Both are legitimate features, which is why attackers abuse them.
- Remove unknown forwarding addresses.
- Delete inbox rules that move, delete, archive, or mark security emails as read.
- Review delegated access or shared mailbox permissions if the account is a work or school mailbox.
- Check whether another device or app is still syncing the mailbox.
Microsoft’s automatic forwarding page explains the feature directly, and the delegate access page shows how send-on-behalf permissions work in Outlook for Microsoft 365 and Exchange Online.
Review connected apps and device access
Anything that can read mail or sign in on your behalf becomes part of the incident. Review the apps and devices that still hold access, then remove the ones you do not recognize. If you use Microsoft Authenticator, remove accounts you no longer trust from the app and re-add only what you control. A compromised authenticator entry is just another recovery loop.
For a broader account-hardening pass after the incident, use how to protect your online information so the inbox, password manager, and recovery channels are not all exposed at once.
Check the impact beyond Microsoft
Search the mailbox for password reset notices, order confirmations, or account-change messages from other services. If you find resets for social accounts, payment accounts, or cloud services, treat those as separate incidents and rotate them too. If the compromise looks wider than one mailbox, start with how to check if you’ve been hacked and what to do if your personal identity has been misused or stolen so you do not miss the real control plane.
Common mistake: assuming a clean password means a clean mailbox. If forwarding or delegate access remains, the attacker can keep receiving resets even after you change the password.
If you cannot sign in
Start with the Microsoft account sign-in helper. Microsoft says most sign-in issues can be identified there, and it points you to the recovery form when needed.
If you use the Microsoft account recovery form, Microsoft sends the result to the working email address you provide within 24 hours. If the form does not verify the account, Microsoft says you can keep trying, up to two times per day. Keep the details consistent so the form sees the same identity story each time.
Microsoft also says its support agents are not allowed to send password reset links or access and change account details. That is an important expectation check. If someone offers to "escalate" your account by bypassing Microsoft’s own flow, assume it is a scam.
If you have a Microsoft account recovery code, use it. Microsoft describes it as a 25-digit code that can help you regain access if you forget your password or the account is compromised.
Safety note: Only use Microsoft’s own sign-in helper, recovery form, and support pages. Third-party recovery offers are a common impersonation scam.
When security info was removed or replaced
If you see the message that security info change is still pending, Microsoft says the account can stay restricted for 30 days. During that window, do not keep changing recovery methods unless you are undoing a change you made yourself. The waiting period exists to block an attacker from replacing your recovery channels and then immediately finalizing the takeover.
If the removal was not yours, assume the account is in a defense state and focus on proving ownership through the official flow rather than trying to force the timing.
If the mailbox is still being used
Some compromises are obvious because the attacker is sending mail or hiding inbound alerts. That is where cleanup order matters most. Review forwarding first, then rules, then delegate or shared access, then connected apps. If you do the password first and the mail flow second, you can still lose the account through a reset message that lands in the attacker’s inbox.
Microsoft’s Outlook forwarding guidance and delegate-permission pages are useful here because they show how legitimate forwarding and delegation work. That also makes the abuse easier to recognize: if you did not set it up, remove it.
For work or school mailboxes, the delegate path can be especially important. Microsoft notes that delegate access applies in Microsoft 365 or Exchange Online contexts, so if you find it on an organizational account, that is usually an IT problem as well as a user problem.
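The cleanup checks listed above (forwarding, rules, delegate and shared access, syncing devices) and the ordering in this section, as an added example that is not from the article: a PowerShell triage of one Microsoft 365 / Exchange Online mailbox through the ExchangeOnlineManagement module. It assumes you hold an admin role that can read mailbox settings and the unified audit log; the mailbox address is a placeholder. It does not apply to personal Outlook.com accounts, which have no such admin interface.

```powershell
# Added example (not the article's own): triage mailbox persistence on an
# Exchange Online mailbox in the order the article recommends:
# forwarding -> inbox rules -> delegate/shared access -> devices still syncing.
# Requires the ExchangeOnlineManagement module and an admin role.
Connect-ExchangeOnline    # interactive admin sign-in

$User = 'victim@contoso.example'   # placeholder: the mailbox being triaged

# 1. Mailbox-level forwarding (set by an admin or an earlier compromise)
Get-Mailbox -Identity $User |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, redirect, delete, mark as read, or move mail.
#    Rules that hide security alerts often have blank or innocuous names.
Get-InboxRule -Mailbox $User |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
                  DeleteMessage, MarkAsRead, MoveToFolder, SubjectContainsWords |
    Format-List

# 3. Full Access delegates granted explicitly (skip inherited entries and SELF)
Get-MailboxPermission -Identity $User |
    Where-Object { $_.User -notlike 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
    Select-Object User, AccessRights

# 4. Send As and Send on Behalf rights
Get-RecipientPermission -Identity $User |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' } |
    Select-Object Trustee, AccessRights
(Get-Mailbox -Identity $User).GrantSendOnBehalfTo

# 5. Devices still syncing the mailbox
Get-MobileDeviceStatistics -Mailbox $User |
    Select-Object DeviceFriendlyName, DeviceType, LastSuccessSync, DeviceAccessState

# 6. Who made these changes and when (last 30 days of the unified audit log)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $User `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox, Add-MailboxPermission |
    Select-Object CreationDate, Operations, UserIds, AuditData

# Remediation for entries you do not recognize (run after reviewing the output;
# '<rule name>' and '<delegate>' are placeholders to fill from the results above):
#   Set-Mailbox -Identity $User -ForwardingAddress $null -ForwardingSmtpAddress $null
#   Remove-InboxRule -Mailbox $User -Identity '<rule name>'
#   Remove-MailboxPermission -Identity $User -User '<delegate>' -AccessRights FullAccess -Confirm:$false
#   Remove-RecipientPermission -Identity $User -Trustee '<delegate>' -AccessRights SendAs -Confirm:$false
```

Keep the output of each step as an incident record before removing anything, since the audit entries show whether the attacker or a legitimate user created the rule or delegation.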
What to verify before you sign back in everywhere
Do not rush the re-login phase. Re-entering a compromised account from the same laptop or phone can recreate the takeover if the device itself is the weak point. Make sure the password is changed, Recent activity is clean, forwarding and rules are gone, and any unknown security info or authenticator entries have been removed.
If you need a broader control-plane check, use how to protect your online information to review password hygiene, 2FA, and recovery-channel separation. If the incident involved stolen identity data or false account changes, use what to do if your personal identity has been misused or stolen so you do not miss downstream fraud.
Prevent repeat compromise
Microsoft account recovery is usually more durable when the recovery mailbox, phone, and device are separated from each other. Do not make one inbox responsible for every reset if you can avoid it. Use unique passwords, keep 2FA enabled, and prefer passkeys or authenticator-based protection over SMS when the account and device support it.
Keep a recovery code somewhere offline if the account supports one. Update recovery methods only when you are in control of the existing methods, and avoid large same-day changes across every security setting. If you are operating a work or school account, keep the organization’s sign-in history and device controls in the loop so the admin can spot unusual access sooner.
A stable Microsoft account should have a simple shape: the password belongs to you, Recent activity matches your devices, the mailbox has no stealth forwarding, and any delegate or shared access is intentional. Once that shape is restored, the incident stops being a scramble and becomes a normal maintenance task.
If the same account keeps drifting back into suspicious activity, stop treating it like a password problem. That pattern usually means the inbox, the device, or the organization’s identity controls are still compromised.
