How to Check if Outlook Was Hacked: Signs, Verification Steps, and Recovery Actions

Written by: Abigail Ivy
Published on:

How to Check if Outlook Was Hacked

If you use Outlook for email, calendar, and Microsoft account access, a compromise can affect far more than messages.

This guide shows how to check if Outlook was hacked, what evidence to look for, and which security actions matter most right away.

Outlook accounts are often targeted through phishing, password reuse, device compromise, and session hijacking.

The warning signs are not always obvious, which is why a structured check is the fastest way to confirm suspicious activity.

Common signs your Outlook account may be hacked

A hacked Outlook account usually shows subtle changes before obvious damage appears.

Look for account behavior that does not match your normal login pattern or message activity.

  • Messages in Sent Items that you do not recognize
  • Deleted emails that were never removed by you
  • New inbox rules, forwarding addresses, or filters you did not create
  • Password reset emails from Microsoft that you did not request
  • Login alerts from unfamiliar devices, browsers, or locations
  • Contact complaints about spam or suspicious emails from your address
  • Changes to recovery email, phone number, or security settings
  • Missing folders, altered signatures, or archived messages you did not move

Some attackers avoid obvious spam and instead quietly monitor mailbox traffic.

That makes verification important even when the account still seems to work normally.

First place to check: Microsoft account sign-in activity

The most direct way to check if Outlook was hacked is to review Microsoft account sign-in activity.

This shows recent logins, locations, devices, IP-related details, and whether Microsoft marked a sign-in as suspicious.

What to look for in sign-in history

  • Logins from countries or cities you did not visit
  • Repeated failed sign-in attempts followed by a successful login
  • Devices you do not own, such as unknown Windows, Android, iPhone, or web sessions
  • Unusual browser types or access times
  • Entries marked as “impossible travel” or “high risk”

If you see one suspicious sign-in, compare it with your own behavior.

Some entries may reflect a VPN, a mobile carrier network, or an approved work device, but unexplained access should be treated as compromise.

Check Outlook rules, forwarding, and mailbox settings

Attackers often create mail rules to hide security alerts or redirect important messages.

In Outlook on the web, check your rules, forwarding options, junk settings, and blocked senders carefully.

Suspicious mailbox changes to inspect

  • Automatic forwarding to an unknown email address
  • Rules that delete, archive, or mark security emails as read
  • Rules that move messages from Microsoft, banks, or contacts into another folder
  • Unrecognized signatures added to outgoing mail
  • Mailbox permissions or delegated access you did not grant

Even one hidden forwarding rule can expose password reset links, one-time codes, and private correspondence.

This is one of the clearest indicators that Outlook has been compromised.

Review sent mail, deleted items, and drafts

Your mailbox history can reveal activity before any account alert appears.

Open Sent Items, Deleted Items, Archive, and Drafts to find messages or changes you do not recognize.

What suspicious mailbox activity looks like

  • Short, random spam messages sent to multiple recipients
  • Replies you never wrote
  • Drafts containing phishing content or links
  • Deleted security messages, especially from Microsoft, banks, or social platforms
  • Emptying of folders at odd hours

If an attacker has access, they may use your account to send phishing emails to your contacts or to erase notices that would reveal the breach.

Check connected devices and app access

Outlook often connects to mail clients, mobile devices, and third-party apps through Microsoft account permissions.

A hacked account may include unauthorized app access even if the password has already been changed.

Inspect app and device access

  • Review signed-in devices on your Microsoft account
  • Remove unfamiliar phones, tablets, or computers
  • Check OAuth app permissions for unknown productivity or email tools
  • Look for mail clients using old credentials through IMAP or POP

Third-party app access matters because a malicious app can continue reading mail after a password change unless access is revoked.

This is especially important for users who connect Outlook to smartphones, Apple Mail, Thunderbird, or enterprise tools.

Verify security alerts and recovery settings

Security alerts are useful only if they are legitimate and still controlled by you.

Review whether Microsoft security notifications were forwarded, ignored, or altered.

Security settings that should be checked immediately

  • Recovery email address
  • Recovery phone number
  • Two-step verification status
  • Authenticator app enrollment
  • Backup codes and trusted devices

If an attacker changed any recovery method, they may be trying to lock you out permanently.

That is a strong indicator that the account was hacked rather than just exposed to a phishing attempt.

Run a broader check on your Microsoft account

Outlook is part of the wider Microsoft account ecosystem, so a breach can extend into OneDrive, Teams, Xbox, and other services.

Check whether any linked data or services show unusual activity.

  • OneDrive file sharing links you did not create
  • Calendar events added without your approval
  • Contacts changed or exported
  • Microsoft 365 licensing changes
  • Connected services using your account token

If your Microsoft account is compromised, the attacker may already have access to more than email.

That is why a mailbox-only check is not enough.

What to do immediately if Outlook appears hacked

If the signs point to compromise, act in this order to reduce ongoing access.

Speed matters because attackers often use session cookies and forwarding rules to stay inside the account.

  1. Change your Microsoft account password from a trusted device.
  2. Sign out of all sessions and revoke unfamiliar devices.
  3. Turn on or reset two-step verification.
  4. Remove suspicious forwarding rules, inbox rules, and app permissions.
  5. Check recovery email and phone details for unauthorized changes.
  6. Scan your device for malware, browser extensions, or credential-stealing software.
  7. Warn contacts if any emails were sent from your account.

If you reuse passwords anywhere else, change those credentials too.

Attackers commonly test stolen passwords across email, banking, social media, and cloud storage.

How to tell phishing from a real compromise

A phishing email may try to trick you into revealing your Outlook password, but the account itself may still be intact.

A real compromise usually shows unauthorized access, changed settings, or messages sent without your action.

Phishing often looks like this

  • A fake Microsoft login page
  • Urgent requests to verify your account
  • Messages with links to reset a password
  • Attachment-based malware or credential theft

Compromise often looks like this

  • Unfamiliar sign-ins in Microsoft activity logs
  • Mailbox rules created by someone else
  • Emails sent from your account without your knowledge
  • Recovery settings changed

Both scenarios require action, but verified unauthorized logins and mailbox changes are stronger evidence that Outlook was hacked.

When to escalate to Microsoft support

Contact Microsoft support if you cannot regain access, if recovery information was changed, or if the attacker keeps re-entering the account after a password reset.

This is especially important when two-step verification is disabled or bypassed.

Have the following details ready: affected email address, approximate time of suspicious activity, screenshots of sign-in history, and any changes to forwarding or recovery settings.

Clear evidence makes support triage faster.

Best practices to prevent future Outlook account compromise

Once the account is secure, a few habits significantly reduce future risk.

Outlook security depends as much on behavior as on technology.

  • Use a unique password stored in a reputable password manager
  • Keep two-step verification enabled
  • Review sign-in activity regularly
  • Avoid logging in from shared or public devices
  • Watch for phishing links in urgent-looking emails
  • Keep browsers, operating systems, and antivirus tools updated
  • Audit forwarding rules and connected apps every few months

These checks are especially valuable for business users, remote workers, and anyone who uses Outlook as a recovery email for other important accounts.