Outlook Business Account has been hacked

Michael Carvey 0 Reputation points
2026-06-02T15:28:02.2366667+00:00

Hello,

My business Outlook account was hacked and sent hundreds of emails to my contacts. Our IT administrator received an email to say that the account has been blocked, so I am unable to send or receive emails.

On the IT admin's Defender account there is no alert to say it has been blocked, and the sign-in is active. They have reset my password, blocked my sign-in and unblocked it again, with no luck whatsoever. Any help appreciated to get this sorted please. Thanks

Outlook | MacOS | New Outlook for Mac | For business

2 answers

  1. Lia V 6,540 Reputation points Microsoft External Staff Moderator
    2026-06-02T19:00:37.16+00:00

    Hi @Michael Carvey,

    I hope you are doing well and I’m sorry to hear about the issue you’ve encountered with your Outlook account.

    In such cases, attackers can gain unauthorized access and use the account to send a large volume of emails, which then triggers Microsoft’s automated protection systems. As a result, the account may be temporarily restricted from sending or receiving emails to prevent further misuse.

    While your IT administrator has already taken an important step by resetting the password, additional actions from your admin are typically required to fully secure the account and restore normal email functionality:


    1/ Secure the account and prevent further unauthorized access

    • Please avoid sharing the new password through email, as access to the mailbox may still be under review.
    • It is recommended to use a strong password that includes a mix of uppercase and lowercase letters, numbers, and special characters.
    • Even if password history allows, consider choosing a completely new password that has not been used previously.
    • Updating the password regularly can help reduce the risk of unauthorized access over time.
    • If app passwords are in use, updating or recreating them can help ensure all access points are properly secured.

    2/ Follow Microsoft guidance for compromised accounts

    Your IT administrator may follow the steps provided in the article below, which outlines recommended actions to investigate and remediate compromised account scenarios:

    Responding to a Compromised Email Account - Microsoft Defender for Office 365 | Microsoft Learn


    3/ Review account restrictions in Microsoft 365

    Due to the high volume of outbound emails, your account may have been temporarily restricted as part of Microsoft 365’s anti-spam protection. Your IT administrator can review this in the Microsoft Defender portal under Restricted entities and remove the restriction if the account has already been secured.

    For reference: Remove blocked users from the Restricted entities page - Microsoft Defender for Office 365 | Micros…


    4/ Contact Microsoft Support

    In the meantime, to help move the process along more quickly, your IT administrator may wish to create a support request with Microsoft Support. This allows the support team to run additional diagnostics from their side and assist with identifying and clearing any remaining restrictions.

    For guidance on how to request support in the admin center, please share the following resource with your admin: Get support - Microsoft 365 admin. 

    In this situation, our role as moderators is to provide guidance and recommended next steps based on best practices for account security and recovery. While we don’t have direct access to your tenant or the administrative tools required to make changes or lift restrictions on your account, we appreciate your understanding. We hope the steps shared will assist your IT administrator in identifying the root cause and restoring your account, and we remain available to support with any further guidance within our scope.

    I hope this information is useful. Thank you for taking the time to raise this question. If you need any further clarification or assistance, please feel free to leave a comment under this post.

    Thank you for your understanding and contributions to the forum.



  2. AI answer

    2026-06-02T15:28:34.1533333+00:00

    Follow these steps in order, working with the IT administrator, to restore the business mailbox and sending capability.

    1. Secure the account
    • Ensure the password has been reset again (after all other cleanup steps if possible) and that multifactor authentication (MFA) is enabled for the user.
    • From Microsoft Entra ID (Azure AD), the admin should review sign-in logs for this user (IP, locations, times, success/fail) to confirm no ongoing suspicious sign-ins, as described under Microsoft Entra sign-in logs and risk reports.

    2. Investigate and clean up the mailbox
    Because the account was used to send spam, assume it is compromised and perform a full investigation:

      a. Check for suspicious inbox rules and forwarding
      • In Outlook on the web or via Exchange Online PowerShell, inspect inbox rules:
        • Use Get-InboxRule -Mailbox <user> (similar to the example shown) to list all rules, including hidden ones.
        • Remove any rules that forward mail externally, move messages to unusual folders (Notes, Junk Email, RSS Subscriptions), or look unfamiliar.
      • In Outlook on the web, also check:
        • Settings → Mail → Rules for any malicious rules.
        • Settings → Mail → Forwarding and remove any external forwarding that should not be there.

      b. Review mailbox activity
      • Check Sent Items and Deleted Items for spam or phishing messages that were sent during the compromise window.
      • Use Message Trace in the Microsoft Defender portal to review messages sent from this account and confirm when the spam activity stopped.

      c. Review other account changes
      • In Microsoft Entra and the Defender portal, review audit logs for:
        • Changes to the user’s account.
        • Any newly added app permissions, connectors, or suspicious configuration changes.

    3. Confirm and remove any sending block
    If the account sent a large volume of spam, Microsoft 365 likely blocked the mailbox from sending mail even if the sign-in looks active.
    • In the Microsoft Defender portal, go to the Restricted entities page.
    • If this user appears there, follow the documented process to remove the user from the Restricted entities list (see “Remove blocked users from the Restricted entities page”).
    • After removal, test sending a message from the user’s mailbox again.

    4. Re-enable the account safely
    After investigation and cleanup:

      a. If the account was disabled during investigation:
      • Re-enable the account in Microsoft Entra ID.
      • Reset the password again (to ensure any attacker sessions are invalidated) and confirm MFA is enforced.

      b. Verify functionality
      • From Outlook on the web, send a test email to an internal and an external recipient.
      • Confirm messages are delivered and that no new spam is being sent.

    5. Ongoing monitoring
    • Continue to monitor Microsoft Entra sign-in logs and Defender audit logs for this user for a period after recovery.
    • Educate the user on phishing and suspicious emails to reduce the chance of future compromise.

    If the mailbox still cannot send after being removed from Restricted entities, repeat message trace and audit log checks to ensure there is no ongoing spam or misconfiguration, and then re-open a support case with Microsoft 365 support with those findings.


    AI-generated content may be incorrect. Read our transparency notes for more information.
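
The inbox-rule review described in the answer above, as an added example that is not part of the original thread or of Microsoft's documentation: a filter that takes Get-InboxRule output and reports rules that forward outside the tenant or file mail into the folders the answer names. The function name, the internal domain `contoso.example`, the recipient string format and the sample rules are assumptions constructed for illustration.

```powershell
# Added example. Find-SuspiciousInboxRule is a hypothetical helper, not a Microsoft cmdlet.
function Find-SuspiciousInboxRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Rule,
        [Parameter(Mandatory)] [string[]] $InternalDomains,
        # Folders listed in the answer as unusual move targets.
        [string[]] $HidingFolders = @('Notes', 'Junk Email', 'RSS Subscriptions')
    )
    process {
        $reasons = @()
        # Assumed recipient format: '"Display Name" [SMTP:user@domain]'.
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
        foreach ($t in $targets) {
            if ("$t" -match 'SMTP:([^\]\s]+@([^\]\s]+))') {
                if ($InternalDomains -notcontains $Matches[2]) {
                    $reasons += "forwards externally to $($Matches[1])"
                }
            }
        }
        if ($Rule.MoveToFolder -and ($HidingFolders -contains "$($Rule.MoveToFolder)")) {
            $reasons += "moves mail to '$($Rule.MoveToFolder)'"
        }
        # Not listed in the answer; added here as an extra check (assumption).
        if ($Rule.DeleteMessage) { $reasons += 'deletes matching mail' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $Rule.Name
                Enabled = $Rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules standing in for real Get-InboxRule output.
$sampleRules = @(
    [pscustomobject]@{ Name = '.'; Enabled = $true; ForwardTo = @('"x" [SMTP:drop@mail.example.net]'); MoveToFolder = $null; DeleteMessage = $false }
    [pscustomobject]@{ Name = 'Invoices'; Enabled = $true; ForwardTo = $null; MoveToFolder = 'RSS Subscriptions'; DeleteMessage = $false }
    [pscustomobject]@{ Name = 'Team newsletter'; Enabled = $true; ForwardTo = $null; MoveToFolder = 'Newsletters'; DeleteMessage = $false }
)
$sampleRules | Find-SuspiciousInboxRule -InternalDomains 'contoso.example'

# Against a live mailbox (requires an Exchange Online PowerShell session):
# Get-InboxRule -Mailbox user@contoso.example -IncludeHidden |
#     Find-SuspiciousInboxRule -InternalDomains 'contoso.example'
```

Mailbox-level forwarding is configured separately from inbox rules, so the ForwardingSmtpAddress and ForwardingAddress properties returned by Get-Mailbox need their own check.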
