hacked.com

How to Recover a Hacked Microsoft Account

A compromised Microsoft account can expose email, cloud files, subscriptions, and reset paths for other services.

Recovery works best in sequence: secure the controlling inbox and phone first, remove attacker access, then harden sign-in and recovery settings.

First recovery actions

  • If you can still sign in, change your Microsoft account password immediately.
  • Secure your primary email and phone number if you suspect they are also compromised.
  • Review recent sign-in activity and sign out of sessions/devices you do not recognize.
  • Remove unfamiliar security info (email addresses, phone numbers, authenticator apps) and add your own.
  • Check Outlook rules and forwarding settings for stealth persistence.
  • If you cannot sign in, use Microsoft’s official recovery flow and expect security verification delays in some cases.

Key idea: Recovery is controlled by reset channels. If your email or phone is compromised, Microsoft recovery becomes a loop.

Step 1: Clarify what is actually compromised

People use “hacked Microsoft account” to describe several different situations. Clarifying the category helps you prioritize.

  • Password exposure: you see alerts, but your recovery info and devices look unchanged.
  • Account takeover: unfamiliar devices, security info changed, or you cannot sign in.
  • Mailbox compromise: suspicious rules, forwarding, or sent mail you did not send.

If you see compromise across multiple services, start with triage: How to check if you’ve been hacked.

Step 2: Determine whether this is a personal account or a work/school account

Microsoft accounts are used for both personal services and organizational accounts. The recovery authority changes depending on the account type.

  • Personal account: you control recovery through Microsoft’s public recovery flow and the email/phone attached to the account.
  • Work or school account: your organization’s IT and identity policies may control recovery and device access. Contact IT and follow official internal procedures.

Step 3: Secure the reset channel first

For many people, the true control plane is email. If your Microsoft account is also your email inbox (Outlook.com, Hotmail.com, Live.com), treat this as a mailbox compromise too.

  • Change the password from a trusted device.
  • Enable strong sign-in protection (2FA or passkeys where available).
  • Review recent sign-ins and sign out unknown sessions.
  • Check rules and forwarding settings for stealth persistence.

Common mistake: Fixing the Microsoft password but leaving forwarding rules or a compromised device in place. The attacker keeps receiving your recovery messages.

Step 4: If you can sign in to your Microsoft account

Change your password and sign out of other sessions

Use a long, unique password. After changing it, sign out of other sessions/devices where Microsoft provides that option.

Review recent sign-ins and devices

Look for unfamiliar sign-ins, devices, and patterns of repeated failures. Location data can be approximate, so prioritize unfamiliar device types and suspicious timing.

Fix security info and recovery methods

Attackers often add their own recovery email or phone number. Remove anything you do not recognize and add recovery methods you control. Redundancy matters: add more than one method if you can.

Check Outlook rules, forwarding, and mailbox permissions

Attackers often use mail rules to quietly forward resets for other services, delete security alerts, or move messages into obscure folders.

  • Remove unfamiliar rules.
  • Remove unknown forwarding addresses.
  • Review mailbox permissions (delegates/shared access) if applicable and remove anything you do not recognize.
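The rule review above can be run as a repeatable check. This is an added example, not part of the original guide. It assumes the rules have been exported as JSON in the Microsoft Graph `messageRule` shape (as returned by `GET /me/mailFolders/inbox/messageRules`); the sample rules and addresses are constructed, and the keyword list is an assumption to tune.

```python
FORWARD_KEYS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")
HIDE_KEYS = ("delete", "permanentDelete", "moveToFolder", "markAsRead")
TEXT_CONDITIONS = ("subjectContains", "bodyContains", "bodyOrSubjectContains", "senderContains")
ALERT_WORDS = ("password", "security", "verif", "reset", "sign-in")  # assumption: tune to taste

SAMPLE_RULES = [  # constructed sample, not real data
    {"displayName": "Newsletters",
     "conditions": {"senderContains": ["news@shop.example"]},
     "actions": {"moveToFolder": "AAMkAD-constructed-folder-id"}},
    {"displayName": ".",
     "conditions": {"subjectContains": ["Password reset", "security alert"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker.example"}}],
                 "delete": True}},
    {"displayName": "Backup copy",
     "actions": {"redirectTo": [{"emailAddress": {"address": "Me.Backup@example.com"}}]}},
]

def audit_rule(rule, own_addresses):
    """Return findings for one rule: unknown forward targets and alert-hiding actions."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    findings = []
    for key in FORWARD_KEYS:
        for recipient in actions.get(key) or []:
            addr = (recipient.get("emailAddress") or {}).get("address", "").lower()
            if addr not in own_addresses:
                findings.append(f"{key} -> {addr or '<no address>'}")
    hides = [k for k in HIDE_KEYS if actions.get(k)]
    words = [w.lower() for k in TEXT_CONDITIONS for w in conditions.get(k) or []]
    if hides and any(alert in w for w in words for alert in ALERT_WORDS):
        findings.append("hides security mail via " + "+".join(hides))
    elif hides and not conditions:
        findings.append("applies " + "+".join(hides) + " to all mail")
    return findings

def audit_rules(rules, own_addresses):
    """Map rule name -> findings; disabled rules are included, since unknown rules should go too."""
    own = {a.lower() for a in own_addresses}
    report = {}
    for rule in rules:
        found = audit_rule(rule, own)
        if found:
            report[rule.get("displayName", "<unnamed>")] = found
    return report

if __name__ == "__main__":
    for name, found in audit_rules(SAMPLE_RULES, {"me.backup@example.com"}).items():
        print(repr(name), found)
```

Rules are flagged for review, not deleted automatically; `moveToFolder` holds a folder ID, so resolve it to a name before deciding whether the destination is one you created.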

Search for attacker activity inside the mailbox

Look for password resets you did not request for other services, support tickets you did not create, and unusual sent messages. If you find resets for other accounts, treat it as a broader incident and rotate those passwords too.

Incident workflow: Been hacked? What to do first.

Review connected apps and permissions

Some compromises include granting a third-party app access to email or profile data. Remove anything unfamiliar. When in doubt, remove and re-add only what you truly need.

Contain impact across linked services

After you regain access, review the surfaces attackers abuse:

  • OneDrive sharing links and shared folders.
  • Xbox purchase history and profile changes.
  • Subscriptions and payment methods (remove anything unfamiliar and dispute unauthorized charges through your bank).

Step 5: If you cannot sign in

Use Microsoft’s official recovery path and expect friction. Verification delays exist to prevent attackers from using the same flow to steal accounts.

  • Start from Microsoft’s official sign-in pages and use the account access options there (labels vary by region and account type).
  • If you are asked to complete a recovery form, provide consistent details and include accurate history if requested (subjects, contacts, subscriptions, billing information).
  • If security info was changed recently, you may face waiting periods before changes take effect.

Safety note: Avoid “account recovery” offers on social media. Microsoft recovery should happen only through Microsoft’s official sites and support flows.

Step 6: Prevent the repeat compromise

Most Microsoft account compromises come from password reuse, phishing, or a compromised device. Prevention is more about hygiene than tools.

  • Use a password manager and unique passwords.
  • Enable 2FA on Microsoft and any email accounts used for recovery.
  • Keep devices updated and avoid installing unknown helpers or cracked software.
  • Store recovery codes safely so a lost phone does not become a lockout.

Baseline: How to protect your online information.

If you suspect identity misuse beyond Microsoft, follow: What to do if your identity is stolen.

Common questions

Should I change passwords from my possibly infected computer?

If you suspect malware, change critical passwords from a different trusted device first. That reduces the chance an attacker sees your new credentials or intercepts verification codes.

Why am I being asked to wait?

Waiting periods can be a security control when sensitive changes were made. It is frustrating, but it can also be the thing that blocks an attacker from finishing the takeover through the same recovery flow.

Should I delete my account and start over?

Usually no. Regaining control and removing persistence is less disruptive and more durable. Starting over does not fix the root cause if devices or passwords remain compromised.

A recovered Microsoft account should feel predictable again: your security info is yours, your rules and forwarding are clean, and your sign-in history matches your devices. That baseline is what makes future alerts meaningful.

If the account keeps flipping back into a compromised state, treat it as a control plane problem: email and devices first, then Microsoft settings. The attacker returns through the same reset channel or the same infected machine.

Once you have unique passwords, strong 2FA, clean devices, and a mailbox with no stealth rules, this category of incident becomes rare. The goal is not perfection; it is stability.