| March 2, 2026
1) Check Your Sign-In Activity (This is the smoking gun)
  • Go to: myaccount.microsoft.com
  • Security → Sign-in activity
  • Look for:
  • Countries you’ve never been to
  • Impossible travel (Florida → Poland → California in 20 minutes)
  • Multiple failed attempts followed by a success
Why this matters. Attackers almost never break computers anymore. They log in legitimately using a stolen password from:
  • phishing
  • reused passwords
  • old breaches
  • If you see a successful login from another country → you are not “maybe hacked.”
  • You are compromised
  2) Check Mailbox Rules (This is why clients say: “Nobody replied to my emails for 3 days.” They did. You just never saw them.
  • Outlook Web → Settings → Mail → Rules
  • Red flags\
  • Rules you didn’t create
  • “Move to RSS or Conversation History”
  • “Move to Archive”
  • “Mark as read”
  • Anything involving invoices, wire, payment, or CEO name
What attackers do
  • They hide incoming warnings so:
  • You never see security alerts
  • You never see client replies
  • You never see Microsoft emails
3) Check Forwarding: Important: Attackers don’t want your account, they want your communications. Invoices, escrow emails, payroll, ACH changes = money.
  • Settings → Mail → Forwarding
  • Look for:
  • Gmail addresses
  • Protonmail
  • Outlook.com addresses you don’t own
4) Check Sent Mail: Attackers impersonate you to your clients and vendors. That’s why YOU get blamed, not them.
  • Messages they didn’t send
  • “Here is updated payment information”
  • SharePoint or OneDrive links
  • Messages at 3am
5) Check Deleted Items: Users never look here. You’ll often find dozens or hundreds of sent messages sitting in Deleted Items.
  • Attackers often:
  • send phishing from your account then immediately delete evidence
6) Check Devices Logged Into the Account: This shows persistent access — meaning they can return even after a password change Security → Devices
  • Look for:
  • Android devices (very common attacker device)
  • Windows PCs not owned
  • Multiple unfamiliar sessions
7) Check Recovery Information: Attackers add recovery methods so they can reset your password after you fix it. This is why many victims get hacked again 24–72 hours later.
  • Security → Advanced security options
  • Look for:
  • unknown phone numbers
  • unfamiliar emails
8) Check Your Contacts: Why? Because attackers export your contacts and immediately launch phishing from your identity.
  • Users will hear:
  • “You sent me a strange Dropbox link.”
  • This is usually the first external symptom of compromise.
9) Change Password: If not, attackers keep an active token and stay logged in.
  • A password change does NOT always log out an attacker.
  • Correct way
  • Use a secure device
  • Change password at Microsoft website
  • Sign out everywhere
  • Then re-add devices

Category: Outlook Support

About the Author ()

Lisa Hendrickson is the owner of Call That Girl. She is an Outlook Expert and Microsoft 365 Consultant.

Comments are closed.

«
»