Outlook and Microsoft accounts are frequent targets for account takeovers because a single login can unlock email, OneDrive files, password resets for other services, and even paid subscriptions. This guide explains the most common takeover paths and provides a step-by-step hardening checklist you can complete in under an hour.

How Outlook accounts typically get stolen

  • Phishing pages that mimic Microsoft sign-in and capture your password (and sometimes MFA codes).
  • Password reuse from unrelated breaches: attackers try the same email/password pair on Microsoft.
  • Session hijacking via malicious links, browser malware, or stolen cookies that bypass a password prompt.
  • Weak recovery settings (old phone numbers/emails) that attackers can exploit to reset access.
  • Consent/"OAuth" scams that trick you into granting a malicious app access to your mailbox.

Step 1: Confirm your account security basics

  1. Go to your Microsoft account security page and review recent activity. Look for sign-ins from unfamiliar locations/devices.
  2. Change your password to a long, unique passphrase (16+ characters is a good target). Avoid patterns and reuse.
  3. Enable sign-in alerts so you’re notified when suspicious activity occurs.

Step 2: Turn on the strongest MFA you can

Multi-factor authentication (MFA) is the single biggest upgrade you can make, but not all MFA methods are equal.

  • Best: Microsoft Authenticator push approvals with number matching, or passkeys if available.
  • Good: Authenticator app one-time codes (TOTP).
  • Last resort: SMS codes (better than nothing, but vulnerable to SIM swap and interception).

Action: Add at least two MFA methods (e.g., Authenticator + a backup code method) so you don’t get locked out if you lose a phone.

Step 3: Harden recovery options (this prevents “reset” takeovers)

  1. Update recovery email(s) to addresses you control and actively monitor.
  2. Update recovery phone number and remove old numbers.
  3. Generate and store recovery codes in a password manager or offline secure location.
  4. Review trusted devices and remove any you no longer use.

Step 4: Remove suspicious access (apps, forwarding, rules)

Many takeovers persist because attackers add “silent” controls that keep data flowing even after you change your password.

  • Check mailbox forwarding and disable any forwarding you didn’t set up.
  • Inspect inbox rules for rules that auto-delete security emails or move messages to obscure folders.
  • Review connected apps and revoke anything unfamiliar (especially apps requesting mail read/send permissions).
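As an added illustration (not part of the original guide), here is a small Python audit that applies the three checks above to an exported list of mailbox rules and the account's forwarding setting. The export format, its field names and the sample data are constructed assumptions; a real export from Outlook or Exchange needs a small adapter to this shape.

```python
import re
# Words common in security notices an attacker wants to suppress, and folders users rarely open.
SECURITY_TERMS = ("password", "sign-in", "security", "verification", "code", "unusual")
HIDING_FOLDERS = {"rss feeds", "junk email", "deleted items", "archive", "conversation history"}

def is_external(address, own_addresses):
    # Anything that is not one of the account's own addresses counts as external.
    return address.strip().lower() not in {a.lower() for a in own_addresses}

def suspicious_name(name):
    # Empty or near-empty rule names (".", "..") are a common persistence tell.
    return len(re.sub(r"[^a-z0-9]", "", name.lower())) < 3

def audit_rules(rules, own_addresses):
    """Return (rule name, severity, reason) for every enabled rule worth a second look."""
    findings = []
    for r in rules:
        if not r.get("enabled", True):
            continue
        name, text = r.get("name", ""), " ".join(r.get("conditions", [])).lower()
        mentions_security = any(t in text for t in SECURITY_TERMS)
        for addr in r.get("forward_to", []):
            if is_external(addr, own_addresses):
                findings.append((name, "high", f"forwards mail to external address {addr}"))
        hidden = r.get("move_to", "").lower() in HIDING_FOLDERS
        if r.get("delete") and mentions_security:
            findings.append((name, "high", "deletes messages matching security keywords"))
        elif hidden and mentions_security:
            findings.append((name, "high", f"hides security messages in '{r['move_to']}'"))
        elif r.get("delete") or hidden:
            findings.append((name, "medium", "deletes or hides messages; verify it is yours"))
        if suspicious_name(name):
            findings.append((name, "medium", "rule name is empty or near-empty"))
    return findings

def audit_forwarding(settings, own_addresses):
    # Account-level forwarding to any address that is not the account's own is a red flag.
    target = settings.get("forwarding_address")
    if settings.get("forwarding_enabled") and target and is_external(target, own_addresses):
        return [("account forwarding", "high", f"mailbox forwarded to {target}")]
    return []

# Constructed sample export (not real data); the field names are assumptions for illustration.
OWN = ["alice@example.com", "alice.work@example.com"]
SAMPLE_RULES = [
    {"name": "Receipts", "conditions": ["subject contains receipt"], "move_to": "Receipts"},
    {"name": ".", "conditions": ["subject contains password"], "delete": True},
    {"name": "Backup", "conditions": [], "forward_to": ["mailbox.copy@external.example"]},
    {"name": "Old", "enabled": False, "conditions": ["subject contains sign-in"], "delete": True},
]
SAMPLE_SETTINGS = {"forwarding_enabled": True, "forwarding_address": "alice.work@example.com"}
```

Running `audit_rules(SAMPLE_RULES, OWN)` flags the "." rule twice (security-mail deletion, near-empty name) and the "Backup" rule for external forwarding, while the benign "Receipts" rule and the disabled "Old" rule produce nothing.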

Step 5: Secure the device you sign in from

If your computer or phone is compromised, strong credentials may not help.

  • Update your OS and browser to the latest versions.
  • Run a reputable malware scan and remove unwanted browser extensions.
  • Use a password manager to avoid typing passwords into lookalike sites (a manager only autofills on the domain it saved the credential for, so a blank autofill on a "Microsoft" page is a phishing warning sign).

Step 6: Upgrade to passwordless (optional, but recommended)

Passwordless sign-in reduces the risk of credential theft and reuse. If your Microsoft account supports it, consider:

  • Passkeys (device-bound, phishing-resistant in many flows).
  • Authenticator passwordless sign-in instead of entering a password.

What to do if you think you’ve already been hacked

  1. Change your password immediately from a known-clean device.
  2. Revoke sessions (sign out everywhere) to kick attackers off active logins.
  3. Enable/replace MFA (remove unknown authenticators or phone numbers).
  4. Remove forwarding, rules, and connected apps as described above.
  5. Check other accounts that use the same email/password and reset them (banking, social, shopping).
  6. Notify contacts if spam/phishing was sent from your mailbox.

A quick 10-minute checklist (printable)

  • Unique new password set
  • MFA enabled (Authenticator/passkey preferred)
  • Recovery email and phone updated; old ones removed
  • Sign-in alerts on
  • Forwarding off; suspicious inbox rules deleted
  • Unknown connected apps revoked
  • OS/browser updated; risky extensions removed

Once you’ve completed these steps, your Outlook account becomes significantly harder to take over—and much easier to recover if something does go wrong.