Microsoft Account Hacked? Scan Malware Before Password Reset

Stephanie Adlam
Microsoft account hijack recovery illustration with stolen browser session cookies.

If your Microsoft account was hacked after malware, scan or clean the device before resetting the password on it. Microsoft tells hacked-account users to clear viruses or malware before changing the password [1]; in practice, isolate or clean the suspect PC, then change the Microsoft password from a clean phone or computer, use Sign out everywhere, review Recent activity, and remove attacker-controlled recovery methods, Outlook rules, app passwords, and connected apps. If an Outlook draft says “I have hacked you” and keeps coming back, treat the ransom text as a sextortion scam but treat the mailbox behavior as a sign that account settings still need review. A cookie stealer or token stealer can abuse an active browser session, so password reset alone may not end every session immediately. For broader symptoms and account-recovery order, see our password stealer malware guide.

If the compromise started after a recruiter message, custom meeting app, or coding-test download, first follow a focused fake job interview malware cleanup sequence before trusting the device for Microsoft account recovery.

Scan-before-password recovery order

  1. Disconnect or stop using the suspect PC for email, banking, password resets, and Microsoft account recovery.
  2. Run full malware scans and remove suspicious scripts, browser extensions, startup entries, and scheduled tasks.
  3. Change the Microsoft password from a clean device only after the infected device is contained.
  4. Use Sign out everywhere from Microsoft account security settings, then expect it to take up to 24 hours for most sessions.
  5. Review Recent activity, security info, aliases, recovery email/phone, app passwords, connected apps, and Outlook forwarding/rules.
  6. Watch linked services such as Outlook, OneDrive, Xbox, Windows sign-in, Skype, and Microsoft Store purchases.
Summary | 
--- | ---
Problem | Microsoft account hacked after malware, a suspicious script, or stolen browser cookies
Main risk | Account takeover through password theft, recovery-info changes, or stolen session cookies
Best first move | Scan or clean the suspect device before changing the Microsoft password
Do not rely on | Password change alone, especially when the attacker may have active sessions

Why Malware Can Lead to a Microsoft Account Takeover

Infostealers do not need to look like a classic virus window. A fake game launcher, copied PowerShell command, cracked app, malicious Python script, browser extension, or fake support tool can search the browser profile for saved passwords, autofill data, cookies, and active session tokens. MITRE tracks this as Steal Web Session Cookie, a credential-access technique where attackers use stolen cookies to access web services as an already authenticated user [4].

That is why the recovery order matters. Microsoft also tells users recovering a hacked account to clear the PC of viruses or malware before changing the password [1]. If you reset the password on a still-infected computer, the new password or fresh session may be stolen again.

First 30 Minutes: Contain the Device

  • Stop using the infected Windows profile. Do not open Outlook, Edge, Chrome, password managers, banking, crypto wallets, or recovery forms there.
  • Save only what you need for investigation. Keep the suspicious file name, download source, timestamp, and Defender or browser warning, but do not run the file again.
  • Disconnect from the network if malware is still active. If you need internet for scanners, use it only for cleanup.
  • Use a clean device for account work. A phone with updated OS, a different PC, or a freshly installed Windows session is safer for password changes.

If the incident started with a fake game, mod, or launcher, compare the broader cleanup order in our infostealer after game or mod guide. If Microsoft only shows a lock or recovery prompt, our Microsoft account locked recovery guide explains the official unlock path.

Clean the PC Before Changing More Passwords

  1. Run Microsoft Defender or Windows Security with a full scan.
  2. Use Gridinsoft Anti-Malware as a second-opinion cleanup scan, especially when the suspicious script came from a fake download, Discord message, cracked software site, or unknown GitHub clone.
  3. Check browser extensions in Edge, Chrome, and Firefox. Remove anything installed near the incident time or from an unknown publisher.
  4. Review Startup Apps, Task Scheduler, Services, and recently installed apps for entries that match the suspicious file name or download time.
  5. Delete the original archive, installer, script folder, and extracted files. Empty the Downloads folder only after keeping names and timestamps you need for support.
  6. Restart, scan again, and only then use this PC for normal account sign-ins.
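As an added example that is not part of the article or Gridinsoft's own tools, the following PowerShell script walks the persistence locations named in step 4 (Task Scheduler, Run keys, Startup folders, Services) and lists entries that match the suspicious file name or were changed inside the incident window. It assumes an elevated PowerShell session on the contained PC; $Since and $Keyword are placeholders for your own incident time and the file name you kept.

```powershell
# Added example, not code from the Gridinsoft article: triage the persistence
# locations the cleanup list names. $Since and $Keyword are placeholders.
$Since    = (Get-Date).AddDays(-3)    # assumed incident window start
$Keyword  = 'suspicious_launcher'     # placeholder for the suspicious file name
$pattern  = [regex]::Escape($Keyword)
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Source, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Detail = $Detail })
}
# 1. Scheduled tasks: flag tasks whose action mentions the keyword or whose task
#    definition file under System32\Tasks was written inside the incident window.
Get-ScheduledTask | ForEach-Object {
    $task    = $_
    $exec    = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    $xmlPath = Join-Path "$env:SystemRoot\System32\Tasks" ($task.TaskPath.TrimStart('\') + $task.TaskName)
    $written = (Get-Item -LiteralPath $xmlPath -ErrorAction SilentlyContinue).LastWriteTime
    if ($exec -match $pattern -or ($written -and $written -ge $Since)) {
        Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $exec
    }
}
# 2. Run / RunOnce keys (machine and current user): list every value, since these
#    keys are short and each entry should be recognisable to the owner.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { Add-Finding 'RunKey' "$key\$($_.Name)" $_.Value }
    }
}
# 3. Startup folders: files dropped in the incident window or matching the keyword.
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since -or $_.Name -match $pattern } |
    ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }
# 4. Services whose binary lives outside Windows or Program Files, or matches the keyword.
Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -match $pattern -or $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)'
} | ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }
# Review on screen, then keep a CSV copy for Microsoft Support or a second-opinion scan.
$findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
$findings | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\persistence-triage.csv"
```

Entries flagged here are candidates for review, not proof of malware: confirm each one against the file name, download time, and publisher before removing it.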

Device cleanup check: check the device before signing back in

After changing passwords from a clean device, scan the affected PC for leftover malware, suspicious startup entries, browser add-ons, scheduled tasks, and hidden files. GridinSoft Anti-Malware can be used as an extra cleanup check before you return to normal sign-ins.

Recover and Secure the Microsoft Account

If the suspicious activity started with a Microsoft Defender Platform sign-in screen instead of a normal password prompt, first verify the app ID, tenant, and sign-in logs. The Microsoft Defender Platform cab96880 guide explains when that prompt is expected and when it may be part of phishing or malware cleanup.

From a clean device, go directly to account.microsoft.com or Microsoft Support. Do not use recovery links from random emails, Discord messages, search ads, or forum replies.

  1. Change or reset the password. Use a password that has never been used on another site.
  2. Use Sign out everywhere. Microsoft says this signs you out of browsers, apps, and most places your account is used, but it can take up to 24 hours and does not include Xbox consoles [2].
  3. Review Recent activity. Microsoft says the Recent activity page shows when and where the account was used within the last 30 days and can show the access method [3].
  4. Mark unknown activity as not yours. If Microsoft shows an Unusual activity section, respond there instead of guessing from email alone.
  5. Update security info. Remove unfamiliar recovery emails, phone numbers, passkeys, authenticator methods, or alternate sign-in aliases.
  6. Enable stronger MFA. Prefer Microsoft Authenticator or passkeys over SMS when available.

If the alert came through an email from [email protected], do not click the email button first. Open the account manually and compare the message with the real Recent activity entry. Our Microsoft unusual sign-in email guide covers that sender-specific phishing check.

Outlook Draft Says “I Have Hacked You” Keeps Coming Back

A recurring Outlook or Hotmail draft that says “I have hacked you,” demands Bitcoin, or claims to have private photos is usually a sextortion template. Do not pay, reply, or open links. The unusual part is the location: if the message appears inside Drafts, Inbox, or pinned mail instead of arriving as a normal email, handle it as a mailbox-compromise symptom until Outlook Web and Microsoft account settings are clean.

  1. Use Outlook on the web from a clean device. Delete the draft, then check Drafts, Sent, Deleted Items, Junk, Archive, RSS subscriptions, pinned messages, and flagged messages for copies or automated movement.
  2. Review Outlook rules, forwarding, Sweep, and automatic replies. Remove anything that deletes, archives, forwards, pins, flags, or recreates suspicious mail. If a rule returns immediately, stop and contact Microsoft Support because the remaining object may be server-side.
  3. Check Microsoft account security next. Review Recent activity, use Sign out everywhere, remove unknown recovery methods, delete app passwords you did not create, and revoke connected apps that you do not recognize.
  4. Clean the device before logging back in normally. If malware, Python scripts, remote-access tools, browser extensions, or token stealers were involved, scan from a clean session and rotate reused passwords only after the device is clean.
  5. Escalate if the draft reappears after 24 hours. Microsoft Support may need to inspect hidden mailbox objects or server-side settings. Keep screenshots and timestamps, but do not forward the blackmail message to other accounts.

For the blackmail wording itself, see our sextortion scam explainer. The recovery priority here is different: remove the account and mailbox persistence that made the draft appear in Outlook.

Account Settings Attackers Commonly Change

Where to check | What to look for | Why it matters
--- | --- | ---
Security info | Unknown phone, email, passkey, authenticator, or backup code changes | Attackers use recovery methods to regain access after you reset the password.
Aliases | New alias, removed alias, or changed primary sign-in address | Alias changes can confuse recovery and hide the original sign-in path.
App passwords | Old app passwords or passwords you did not create | Legacy app passwords can bypass normal MFA flows in some situations.
Connected apps | Unknown apps with account access | OAuth-style access can persist even after a password change.
Outlook rules | Forwarding, delete, archive, or auto-reply rules you did not create | Attackers hide reset emails or keep receiving copies of messages.
Billing and subscriptions | New purchases, payment changes, Xbox/Microsoft Store activity | Account takeover can turn into fraud or unwanted charges.

What About Stolen Cookies and Session Tokens?

A stolen cookie is not the same thing as a saved password. It can represent a logged-in browser session after authentication has already happened. That is why users sometimes see account abuse even after MFA was enabled. Sign-out and security-setting review are the parts that target sessions and recovery paths; password change targets the password.

For home users, the practical response is: remove malware, sign out everywhere, remove trusted devices and unknown access methods, update browsers, and avoid saving sensitive sessions on the same browser profile used to test unknown files. For work or school Microsoft accounts, contact the organization’s IT/admin team because Entra ID, Conditional Access, and admin-side token revocation are outside personal Microsoft account controls.

If You Cannot Get Back In

  • Use Microsoft’s hacked account or sign-in helper from a clean device.
  • Use the recovery form with old passwords, account creation details, Xbox/Skype/Outlook details, and a familiar location/device.
  • Do not pay “recovery agents” on Reddit, Telegram, Discord, or YouTube. Those are commonly follow-up scams.
  • If payment methods were abused, contact the card issuer or bank and review Microsoft billing history.
  • If the infected PC still behaves strangely after cleanup, consider a clean Windows reinstall. Our clean Windows install USB after malware guide explains how to avoid copying malware back.

How to Prevent a Repeat

  • Keep browsers, password managers, and Windows updated.
  • Use a separate standard Windows account for testing downloads or scripts.
  • Do not run Python, PowerShell, BAT, or JavaScript commands copied from social posts unless you understand what they do.
  • Use unique passwords and a password manager, but protect the password manager with strong MFA.
  • Review Microsoft Recent activity after any malware incident, not only after email alerts.
  • Scan suspicious files with Gridinsoft tools or another trusted security workflow before running them.

FAQ

Can malware hack a Microsoft account without my password?

It can, depending on what was stolen. Some malware steals saved passwords, while cookie or token theft can let an attacker reuse an already-authenticated browser session. You still need to change the password, but you should also sign out everywhere and review account settings.

Should I change the Microsoft password before scanning?

Change it from a clean device if you suspect active malware. Do not reset important passwords on the same infected Windows profile before cleanup, because the new password or fresh session may be stolen again.

Does Sign out everywhere remove the attacker immediately?

Not always immediately. Microsoft says sign-out can take up to 24 hours and does not include Xbox consoles. Treat it as one required step, not the whole recovery.

Why does Recent activity not show every action?

Microsoft says the Recent activity page usually shows significant events that can affect account security, not every repeated action from the same device and location. Still check it for successful sign-ins, security challenges, and profile changes you did not make.

Is an Outlook draft saying “I have hacked you” proof the attacker has photos?

No. That wording is usually a generic sextortion script, especially when it demands cryptocurrency and gives no real evidence. But a draft or pinned Outlook message that keeps reappearing is still a security signal: check rules, forwarding, sessions, app passwords, connected apps, and local malware before trusting the mailbox again.

Is this the same as a work or school Microsoft account?

No. Personal Microsoft accounts and work/school accounts use different admin controls. For a work or school account, contact IT immediately so they can revoke sessions, inspect sign-ins, and apply organization-side controls.

If the compromise started with a game mod or JAR client, also review the WeedHack Minecraft malware warning because the same flow can expose Microsoft-linked Minecraft sessions.

References

  1. Microsoft Support. “How to recover a hacked or compromised Microsoft account.” Microsoft, accessed June 1, 2026. https://support.microsoft.com/en-us/accounts-billing/manage/how-to-recover-a-hacked-or-compromised-microsoft-account
  2. Microsoft Support. “How to sign out of your Microsoft account everywhere.” Microsoft, accessed June 1, 2026. https://support.microsoft.com/en-us/accounts-billing/manage/how-to-sign-out-of-your-microsoft-account-everywhere
  3. Microsoft Support. “What is the Recent activity page?” Microsoft, accessed June 1, 2026. https://support.microsoft.com/en-us/account-billing/check-the-recent-sign-in-activity-for-your-microsoft-account-5b3cfb8e-70b3-2bd6-9a56-a50177863357
  4. MITRE ATT&CK. “Steal Web Session Cookie (T1539).” MITRE, accessed June 1, 2026. https://attack.mitre.org/techniques/T1539/
  5. Microsoft Learn Q&A. “Outlook.com hacked – sextortion draft keeps reappearing.” Microsoft, January 21, 2026, accessed June 1, 2026. https://learn.microsoft.com/en-gb/answers/questions/5731141/outlook-com-hacked-sextortion-draft-keeps-reappear