Outlook and Microsoft 365 takeovers often persist because the mailbox itself can be turned into an automation tool: hidden forwarding, attacker-controlled rules, and long-lived sign-in sessions can keep working even after you change a password.
Key idea: Treat this as two problems: identity access (who can sign in) and mailbox behavior (what the account does after sign-in). You need to fix both.
Start with a persistence sweep (15 to 30 minutes)
- Secure the recovery channels first. Lock down the email and phone number that can reset this account. If the recovery email is another mailbox, harden that too.
- Change the password from a known-clean device and do not reuse any password previously used with Microsoft services. Use a password manager and a truly unique password.
- Kick out old sessions. Sign out everywhere, and revoke existing sessions where possible (the steps differ between personal Microsoft accounts and work or school accounts).
- Audit the mailbox for automation. Check for forwarding, inbox rules, delegates, and suspicious auto-replies or signatures.
- Check connected apps. Remove suspicious third-party access and anything you do not recognize.
- Turn on strong authentication. Enable two-factor authentication (2FA) or, if available for your account type, a more phishing-resistant method such as passkeys or security keys.
Know which control plane you are in
Security controls for Outlook can be governed by different systems depending on the account type. The recovery outcome changes based on which one you have.
- Personal Microsoft account (Outlook.com, Hotmail, Live). You control password, 2FA, recovery information, and most security settings directly.
- Work or school account (Microsoft 365/Exchange Online managed by an organization). Your security settings may be enforced by IT (for example, conditional access and device policies). You can still do user-level containment, but you may need an admin for full log review and mailbox configuration checks.
If this is a work or school account and you suspect compromise, involve your IT or security team early. They can validate sign-ins, review mailbox configuration, and contain lateral movement that a single user cannot see.
Containment and recovery steps if you suspect compromise
If you have indicators of compromise (unexpected password reset emails, messages sent you did not author, new forwarding, unexplained MFA fatigue prompts, or sign-ins from unfamiliar locations), treat speed as an advantage. Focus on steps that stop active access and remove persistence.
1) Secure identity access
- Reset the password and ensure it is unique. If you are reusing a password anywhere, assume attackers can re-enter via credential stuffing.
- Enable 2FA and store backup codes offline. Prefer authenticator apps or phishing-resistant methods over SMS when available.
- Review sign-in activity and recent security events. For personal accounts, Microsoft provides a recent activity view. For work or school accounts, you can review your own sign-ins in My Sign-ins, and your organization can review the Entra ID sign-in logs.
- Remove unrecognized devices and sessions (or request an admin to revoke refresh tokens if you do not have that control).
- Check your security info (recovery email, phone, authenticator registrations). Remove anything added recently that you cannot explain.
2) Remove mailbox persistence
Mailbox persistence is where many recoveries fail. Attackers use rules and forwarding to quietly siphon resets, invoices, and threads that allow future compromise.
| Persistence technique | What it looks like | What to do |
|---|---|---|
| Hidden forwarding | Mail silently forwarded to an external address, sometimes only for certain subjects or senders | Disable forwarding and remove any external addresses you do not control |
| Inbox rules | Rules that auto-archive, auto-delete, or move security emails and bank alerts | Delete suspicious rules and re-check for new ones after you reset access |
| Delegate access | Another account can read or send as you | Remove delegates you do not recognize and verify permissions with IT if managed |
| OAuth / connected apps | A third-party app retains access even after password reset | Remove suspicious connected apps and revoke consent where possible |
| Auto-replies and signatures | Unexpected auto-reply text or new signature links | Remove malicious content and check for additional hidden rules |
Common mistake: Changing the password and stopping there. If forwarding and inbox rules remain, attackers can keep harvesting resets and sensitive threads.
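For a managed mailbox, the table above can be checked in one pass from Exchange Online PowerShell. The script below is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module, a role that can read mailbox configuration, an existing Connect-ExchangeOnline session, and a placeholder mailbox address.

```powershell
# Added example (not from the original article): read-only persistence sweep of one
# Exchange Online mailbox. Run Connect-ExchangeOnline first. $Mailbox is a placeholder UPN.
param([string]$Mailbox = 'user@example.com')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Mailbox-level forwarding: set by admins or attackers outside inbox rules, not shown in Outlook
$mb = Get-Mailbox -Identity $Mailbox
if ($mb.ForwardingSmtpAddress -or $mb.ForwardingAddress) {
    $findings.Add("Mailbox forwarding: SMTP=$($mb.ForwardingSmtpAddress) Address=$($mb.ForwardingAddress) KeepCopy=$($mb.DeliverToMailboxAndForward)")
}

# 2. Inbox rules, including hidden rules that Outlook and OWA do not list
$rules = Get-InboxRule -Mailbox $Mailbox -IncludeHidden
foreach ($r in $rules) {
    $reasons = @()
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo) { $reasons += 'forwards/redirects' }
    if ($r.DeleteMessage -or $r.SoftDeleteMessage) { $reasons += 'deletes' }
    if ($r.MoveToFolder -and $r.MoveToFolder -match 'RSS|Archive|Junk|Conversation History') { $reasons += "moves to $($r.MoveToFolder)" }
    # Word lists an attacker typically uses to hide finance and security mail
    $words = @($r.SubjectContainsWords) + @($r.SubjectOrBodyContainsWords) + @($r.BodyContainsWords)
    if ($words -match 'invoice|wire|ACH|payment|remit|password|verif|security') { $reasons += 'targets finance/security mail' }
    if ($reasons) { $findings.Add("Rule '$($r.Name)' (Enabled=$($r.Enabled)): $($reasons -join ', ')") }
}

# 3. Delegates: Full Access and Send As held by anyone other than the owner
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    ForEach-Object { $findings.Add("Full Access delegate: $($_.User) [$($_.AccessRights -join ',')]") }
Get-RecipientPermission -Identity $Mailbox |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' } |
    ForEach-Object { $findings.Add("Send As delegate: $($_.Trustee)") }

# 4. Auto-reply text that may carry planted links
$oof = Get-MailboxAutoReplyConfiguration -Identity $Mailbox
if ($oof.AutoReplyState -ne 'Disabled') {
    $findings.Add("Auto-reply is $($oof.AutoReplyState): review InternalMessage and ExternalMessage for planted links")
}

if ($findings.Count -eq 0) { 'No persistence indicators found; re-run 24 to 72 hours after the reset.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The script only reads; once a finding is confirmed, the matching change is Set-Mailbox with the forwarding properties cleared, Remove-InboxRule for the rule, and Remove-MailboxPermission or Remove-RecipientPermission for the delegate.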
3) Validate message integrity and account reputation
- Review Sent Items and Deleted Items for messages you did not send. Attackers often use compromised mailboxes to run payment diversion or credential harvesting.
- Check mailbox rules that target invoices (PDF, "wire", "ACH", "payment", "remit"). If you are a business user, treat this as a possible business email compromise (BEC) scenario.
- Notify affected recipients if you sent malicious links. Keep the message short and actionable (do not ask for passwords, do not ask them to reply with sensitive info).
4) If you cannot regain access
- If it is a personal Microsoft account, use Microsoft account recovery options and recent activity review to establish ownership.
- If it is work or school, escalate to your IT admin. They can reset credentials, enforce reauthentication, and verify whether device or conditional access policies are blocking you.
- If your mailbox is being used to scam contacts, contact the affected parties directly through a second channel (phone, verified Slack, known-good email) so you do not amplify the compromise.
What to ask your admin to check (work or school accounts)
If the mailbox is managed by an organization, some of the most important controls live in the admin plane. A user can change passwords and remove sessions, but admins can confirm whether the attacker still has a path in.
- Sign-in logs and risky sign-ins for the user and for privileged accounts associated with the incident timeframe.
- Token revocation and forced reauthentication for the impacted account and any related accounts.
- Mailbox forwarding and inbox rules, including rules that do not show up in some clients.
- OAuth app consents and newly authorized enterprise applications that could retain access.
- Transport rules and tenant-level forwarding restrictions to reduce future exfiltration by email forwarding.
- Endpoint scope if the incident suggests device compromise, not only credential compromise.
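The identity-side items in that list map onto a short Microsoft Graph PowerShell session. The script below is an added example, not code from the original article; it assumes the Microsoft Graph PowerShell SDK, admin permissions to read sign-in logs and app consents and to revoke sessions, an Exchange Online session for the last step, and placeholder values for the user and look-back window.

```powershell
# Added example (not from the original article): admin checks for a work or school account.
# $User and $LookbackDays are placeholders. Requires the Microsoft Graph PowerShell SDK.
param([string]$User = 'user@example.com', [int]$LookbackDays = 14)

Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All','Application.Read.All',
    'User.RevokeSessions.All','DelegatedPermissionGrant.ReadWrite.All' | Out-Null
$u = Get-MgUser -UserId $User -Property Id,UserPrincipalName

# 1. Sign-ins in the window, grouped by country, app and client so outliers stand out
$since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$User' and createdDateTime ge $since" -All
$signIns |
    Group-Object { "$($_.Location.CountryOrRegion)|$($_.AppDisplayName)|$($_.ClientAppUsed)" } |
    Sort-Object Count -Descending |
    ForEach-Object { '{0,5}  {1}' -f $_.Count, $_.Name }

# 2. Delegated app consents granted by this user: an app keeps its own tokens after a password reset
$grants = Get-MgUserOauth2PermissionGrant -UserId $u.Id -All
foreach ($g in $grants) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    "[consent] $($sp.DisplayName) (appId $($sp.AppId)) scopes: $($g.Scope)"
    # Once a consent is confirmed malicious, revoke it:
    # Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}

# 3. Revoke refresh tokens so every existing session must re-authenticate with the new password and MFA
Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
"Sessions revoked for $User at $(Get-Date -Format o); have the user sign in again from a clean device."

# 4. Tenant-level forwarding control (Exchange Online; needs Connect-ExchangeOnline in this session).
# AutoForwardingMode 'Off' blocks automatic forwarding to external domains tenant-wide.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```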
Mailbox artifacts attackers commonly change
Even when you remove obvious inbox rules, there can be other subtle changes that keep the attacker effective. A quick review can prevent repeat fraud and reputational damage.
- Contacts and auto-complete poisoning: attacker-added contacts that look like vendors or executives.
- Conversation-level moves: rules that move specific threads out of sight so you do not see bank warnings.
- Forwarding to partner addresses: forwarding that looks legitimate because it uses a real business domain you recognize.
- Signature changes: links that redirect recipients to phishing pages or fake invoice portals.
If money is involved: treat it like BEC
If you see invoice manipulation, payment instruction changes, or vendor impersonation, speed matters. Email fraud often succeeds because the victim trusts an existing thread.
- Contact your bank quickly if you suspect a wire, ACH, or card transaction is fraudulent.
- Warn internal finance teams to verify payment changes using a second channel (known phone numbers, not the email thread).
- Do not keep the compromised mailbox as the coordination channel for financial remediation.
If you need a quick orientation on safer payment and verification habits, see which online payment option is the safest.
Hardening that prevents repeat compromise
Once the immediate incident is contained, the best hardening is the kind that breaks common re-entry paths: reused passwords, weak 2FA, and persistent app access.
Upgrade authentication
- Use an authenticator app or a phishing-resistant method such as a security key where supported.
- Store backup codes offline and treat them like passwords.
- Reduce reliance on SMS when possible (SIM swaps and helpdesk scams remain common).
Reduce app and protocol attack surface
- Remove third-party apps you do not actively use. If you do not recognize an app, treat it as hostile until proven otherwise.
- For managed Microsoft 365 accounts, ask IT whether legacy email protocols (older IMAP/POP/basic auth) are still permitted and whether additional restrictions are available.
Make phishing harder to execute
- Watch for Microsoft-branded login prompts that arrive by email or SMS and push you to sign in urgently. Validate the destination domain and avoid signing in from embedded links.
- If you are dealing with persistent phish, tighten your workflow: type known domains directly and use a password manager to only autofill on the correct site. See how to identify scam emails for pattern-level checks.
Signals that the compromise is bigger than one mailbox
Some Outlook incidents are a symptom of a broader identity compromise. Escalate when the indicators suggest an attacker has access to multiple accounts or devices.
- Multiple employees report MFA fatigue prompts or password resets around the same time.
- You see new forwarding or inbox rules across more than one mailbox.
- Suspicious sign-ins appear after password resets, suggesting token theft or malicious app consent.
- Bank or vendor payment instructions were changed in an active thread.
At that point, incident response is about preserving evidence and restoring trust in the environment, not only fixing one password. If you need a fast sanity check on containment steps, start with how to check if you have been hacked and align with the official support path for your account type.
Maintenance that keeps mailbox compromises from returning
After a cleanup, schedule one follow-up review. Attackers often wait for defenders to relax, then re-try with the same credential sets or with a different persistence technique.
- Re-check forwarding and inbox rules 24 to 72 hours after the incident, then again a few weeks later.
- Review connected apps after you rotate credentials. If you see new consents you did not grant, treat it as a sign that identity control is still weak.
- Keep an eye on the sender reputation of your domain and mailbox. If the account was used for spam, you may see deliverability problems.
- For organizations, consider periodic reviews of external forwarding settings and alerts for new forwarding rules.
Mailbox compromise is rarely about one clever trick. It is about small control failures that compound: reused passwords, weak recovery channels, and a lack of visibility into what the mailbox is doing on your behalf. Maintenance closes that loop.
Verified Microsoft resources
- Microsoft account security hub: aka.ms/accountsecurity
- Microsoft account recent activity: account.live.com/activity
- Support: check recent sign-in activity for a Microsoft account
- Support: view work or school sign-in activity from My Sign-ins
The mailbox is often where recovery either succeeds cleanly or fails quietly. If you can account for sessions, recovery info, rules, forwarding, and app access, you have re-established control. If any of those remain uncertain, assume the attacker still has a route back in and keep tightening until the account behaves predictably again.
When you do not have full administrative visibility, be explicit about what you cannot verify and ask for help to close those gaps. A clean recovery is one where mailbox behavior and identity controls both make sense to you again, not one where you simply stopped seeing alerts.
