Hi everyone, I'm Prem. In this blog we will see how to fix the issue of not being able to receive emails after an account was hacked in Office 365.
This blog contains my personal experience: what I have observed and the steps I have used in dealing with cases of not receiving emails after the account was hacked.
The common pattern I have observed is that when an account gets hacked, the hacker sends out bulk emails to all the contacts of the hacked account.
These bulk emails mostly target the Sales, Accounting and Billing team in order to ask them to transfer money.
When any targeted recipient responds to the email, the hacker sets an inbox rule to move the email to a different folder of the hacked mailbox, so that the owner of the mailbox does not see the ongoing conversation.
Steps to Fix Not able to Receive Emails after Account was Hacked Issue:
First, we will check the rules created on the hacked mailbox. Go to Office.com and sign in with the hacked account:
If you are an admin on a tenant and would like to check the same for an end user, you can do so by accessing the end user mailbox using Delegation.
Click on the Outlook icon on the left:
Once opened, it should look like this page:
Click on the Settings Icon on the top right:
Click on the Email tab and then click on Rules to see all the rules created on your account:
If you see any rule with a strange name, check the rule condition by opening it:
Most of the time, hackers create a rule with the name “.”
You can click Edit for any rule which you don’t remember creating and check its conditions:
One example of a condition that hackers usually set:
The above example rule has the name “.” and is applied to all emails in which my account is in the To or CC field.
The first action of that rule is to mark the emails as read so that I would not see them, and the other action is to move the emails to a folder named Archive.
Note: In your case the condition can be different and the destination folder can also be different.
A hacker can also specifically target emails with certain keywords in the Subject or Body, like: payment, bank, amazon, etc.
So any email with any of those keywords will be marked as read and moved to a different folder.
Follow the process and remove all the rules which were not created by you.
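For an admin who prefers to check a mailbox from PowerShell instead of the Outlook settings page, the following added example (not part of the original post) flags rules that match the pattern described above. It assumes the property names of Exchange Online's Get-InboxRule output; the function name Test-SuspiciousInboxRule, the mailbox address and the sample rules are hypothetical and constructed for illustration.

```powershell
# Added example; property names follow Exchange Online's Get-InboxRule output.
$Keywords = 'payment', 'bank', 'amazon'   # keywords named in the post

function Test-SuspiciousInboxRule {       # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] $Rule)
    process {
        $reasons = @()
        # Empty or punctuation-only rule name, such as "."
        if ("$($Rule.Name)" -match '^[\p{P}\p{S}\s]*$') { $reasons += 'punctuation-only name' }
        # Hides mail from the owner: marked as read and moved to another folder
        if ($Rule.MarkAsRead -and $Rule.MoveToFolder) {
            $reasons += "marks as read and moves to '$($Rule.MoveToFolder)'"
        }
        # Catch-all condition: every mail with the owner in To or Cc
        if ($Rule.MyNameInToOrCcBox) { $reasons += 'applies to all mail with owner in To/Cc' }
        # Keyword conditions on subject or body
        $words = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) +
                 @($Rule.SubjectOrBodyContainsWords)
        $hits = @($words | Where-Object { $_ -and ($Keywords -contains $_) })
        if ($hits.Count -gt 0) { $reasons += "keyword condition: $($hits -join ', ')" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Name = $Rule.Name; Enabled = $Rule.Enabled
                               Reasons = $reasons -join '; ' }
        }
    }
}

# Constructed sample rules (not real data) so the check can be tried offline.
$sample = @(
    [pscustomobject]@{ Name = '.'; Enabled = $true; MarkAsRead = $true
                       MoveToFolder = 'Archive'; MyNameInToOrCcBox = $true }
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; MarkAsRead = $false
                       MoveToFolder = 'Reading'; MyNameInToOrCcBox = $false }
    [pscustomobject]@{ Name = 'Invoices'; Enabled = $true; MarkAsRead = $true
                       MoveToFolder = 'RSS Feeds'
                       SubjectOrBodyContainsWords = 'payment', 'bank' }
)
$sample | Test-SuspiciousInboxRule | Format-List   # flags "." and "Invoices"

# Against a live mailbox (needs the ExchangeOnlineManagement module and admin rights):
#   Connect-ExchangeOnline
#   Get-InboxRule -Mailbox user@example.com | Test-SuspiciousInboxRule
```

A flagged rule is only a candidate for review: open it and confirm with the mailbox owner before removing it.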
To protect your hacked account, you should reset the password and enable MFA.
If your hacked account is an admin account, then it is suggested to reset the passwords of all the accounts in your organization as a precaution.
Do let me know if you have any questions. If you want to share the rule condition the hacker set for your account, you can do so in the comment section below.