Skip to main content
Everyday Computing
Blog

Email Account Hacked? Sydney Recovery Checklist for Outlook, Gmail and Microsoft 365

A practical recovery checklist for hacked Outlook, Gmail, and Microsoft 365 email accounts, including passwords, MFA, forwarding rules, devices, business fraud risk, and when to get help.

Published
Published | Updated
Reading time
7 min read
Author
Written by Everyday Computing technical support team | Reviewed by Everyday Computing service operations

Sydney-based support technicians who work across remote support, onsite visits, home networks, computer repairs, Microsoft 365, backups, and small business IT.

Reviewed for service accuracy, pricing consistency, support triage, and alignment with Everyday Computing's current Sydney service model.

Sydney home office user reviewing email account security after suspicious sign-in alerts

Key takeaways

  • Treat a hacked email account as an identity incident, not just a password problem, because email can reset banking, cloud, social, and business accounts.
  • Recover from a clean device, change the password, remove unknown MFA methods, check forwarding rules, review devices and apps, then warn affected contacts where needed.
  • Small businesses should check Microsoft 365 sign-ins, mailbox rules, admin accounts, invoices, payment changes, and audit evidence before closing the incident.

If your email account has been hacked, move carefully. Email is often the recovery key for everything else: banking alerts, myGov notices, Microsoft 365 files, Google Drive, invoices, social media, shopping accounts, password resets, and client messages.

For Sydney homes and small businesses, the goal is not only to get back into Outlook, Gmail, or Microsoft 365. You also need to remove the attacker's ongoing access, check whether mail was forwarded or deleted, protect other accounts, and understand whether anyone else was affected.

SituationFirst priorityExtra check
You can still sign inUse a clean device, change the password, and review security settingsRemove unknown devices, apps, forwarding, filters, and MFA methods
You cannot sign inStart the provider's official recovery flowUse a separate working email and avoid recovery links from random search ads
Friends received strange emails from youSecure the account before replying from itWarn contacts not to open links or pay invoices
Business mailbox sent invoice changesTreat it as possible business email compromiseCheck sign-ins, mailbox rules, payment changes, and affected customers
Password was reused elsewhereChange those accounts from a clean deviceStart with banking, email, cloud storage, social, and password managers
A scammer remotely accessed the computerDisconnect and assess the device before trusting itRemove remote-access tools and scan for malware

Step 1: Work from a clean device

If you suspect the computer or phone is infected, do not use it to reset your email password. Use a trusted device that is fully updated, or ask a trusted support person to help. Microsoft advises checking for malware before changing the password on a compromised Microsoft account, because a compromised device can capture the new password as soon as you type it.

This matters after fake support calls, browser pop-ups, downloaded "security" tools, or unexpected remote-access sessions. Disconnect the affected device from the internet if someone may still have access.

Step 2: Recover access through the official provider

Use the official account recovery page for your provider:

  • Microsoft account or Outlook.com: recover the account through Microsoft's recovery process.
  • Google or Gmail: use Google's account recovery and compromised account steps.
  • Microsoft 365 business email: use an administrator account to reset the user's password, revoke sessions where available, and check sign-in and mailbox activity.

Avoid sponsored search results, social media "recovery specialists", and anyone asking for payment to unlock an account outside the provider's process. Account recovery can be frustrating, but shortcuts are a common second scam.

Step 3: Change the password and remove reused passwords

Create a new password that is unique to that account. If the old password was reused anywhere else, assume those accounts are at risk too. Change the most important accounts first:

  • Banking and payment accounts
  • myGov, Medicare, tax, and identity services
  • Apple ID, Microsoft account, Google Account, and cloud storage
  • Social media and messaging accounts
  • Password manager master account
  • Business systems such as accounting, CRM, website admin, and domain registrar

Do this from a clean device. If you use a password manager, update the saved password and check whether the old password appears on other logins.

Step 4: Fix multi-factor authentication properly

Turn on multi-factor authentication where available, but also check what is already enrolled. The Australian Cyber Security Centre warns that a cybercriminal may add their own MFA method to keep access. Remove phone numbers, authenticator apps, passkeys, backup codes, or recovery email addresses you do not recognise.

For a small business, make sure every administrator account has strong MFA and recovery ownership is documented. Do not rely on one person's mobile phone as the only way to recover the whole Microsoft 365 tenant.

Step 5: Check forwarding rules, filters, and mailbox settings

Attackers often hide in mailbox settings. They may forward every email, delete security alerts, move bank messages to an archive, or create rules that hide replies from customers.

Check:

  • Automatic forwarding to external addresses
  • Inbox rules that move, delete, hide, or redirect mail
  • Blocked senders and allowed senders
  • Recovery email and phone details
  • Connected apps and OAuth permissions
  • Recent devices and active sessions
  • Delegates, shared mailbox access, and aliases
  • Deleted items, archive, junk, and unusual folders

Microsoft's business guidance specifically calls out mailbox compromise and business email compromise patterns. Its Defender documentation also treats suspicious email forwarding as a security signal because forwarding can be manual or automatic and may happen through inbox rules, mail flow rules, or other settings.

Step 6: Check what the attacker may have seen or sent

Look at recent sent items, deleted items, search history, mailbox rules, and sign-in activity. Search for terms such as "invoice", "payment", "bank", "password", "code", "ATO", "myGov", "Dropbox", "OneDrive", "SharePoint", and customer names.

For home users, the practical question is whether the attacker could reset other accounts or view sensitive documents. For business users, the question is wider: could they have read quotes, changed payment instructions, sent malware links, accessed shared files, or impersonated staff?

If customers, suppliers, staff, or family members received suspicious messages, warn them using a separate trusted channel where possible. Keep the warning simple: your email was compromised, ignore recent unexpected links or payment changes, and verify any money request by phone using a known number.

Step 7: Review devices and remote access tools

Email compromise and device compromise often overlap. Check phones, tablets, Outlook profiles, browser sessions, and old computers that still sync mail.

If a scammer connected remotely, look for tools such as AnyDesk, TeamViewer, Quick Assist, Chrome Remote Desktop, or other remote-control apps. Some are legitimate when you initiate support, but unknown installations after a scam call should be treated carefully.

Update the operating system and browser, remove unwanted extensions, and run trusted security scans. Do not install random cleaner tools from ads.

Step 8: Small business incident checklist

For a Sydney small business, one compromised mailbox can become an invoice fraud, privacy, payroll, or client-trust issue. Work through this checklist before declaring the incident closed:

  1. Disable risky sessions and reset the affected user's password.
  2. Confirm MFA methods, recovery details, and admin roles.
  3. Check sign-in logs for unusual locations, times, and devices.
  4. Review forwarding, inbox rules, delegates, shared mailboxes, and transport rules.
  5. Search sent mail for invoice changes, payment requests, file links, and malware links.
  6. Check whether OneDrive, SharePoint, Teams, or Google Drive files were accessed or shared.
  7. Confirm no accounting, payroll, domain, website, or password manager accounts were changed.
  8. Notify affected people if suspicious emails or payment instructions were sent.
  9. Preserve screenshots, message headers, sign-in logs, and times before deleting evidence.
  10. Tighten security defaults, MFA, admin access, and mailbox auditing after recovery.

If money was transferred, contact the bank immediately. If business email compromise or identity misuse may be involved, follow ACSC reporting and recovery guidance.

Sydney examples

A home user in Parramatta notices Gmail recovery alerts and friends receiving strange gift-card messages. The right sequence is to recover Gmail through Google, remove unknown devices and recovery details, turn on 2-Step Verification, change reused passwords, and warn contacts.

A trades business in Western Sydney finds that a supplier received a fake bank-detail change from the owner's Microsoft 365 mailbox. That needs more than a password reset. Check mailbox rules, sign-ins, sent items, accounting access, MFA methods, and whether any customer or supplier payments need urgent verification.

A retired customer on the North Shore gets an Outlook pop-up saying to call support, then lets a caller connect remotely. In that case, secure the computer and email together: disconnect the remote session, scan the device, change passwords from another device, and check whether banking or myGov details were exposed.

Prevention after recovery

Once the account is safe, make the setup easier to defend:

  • Use a password manager and unique passwords.
  • Turn on MFA for email, banking, cloud storage, social media, and admin accounts.
  • Keep recovery phone and email details current.
  • Remove old devices and apps that no longer need access.
  • Use separate administrator accounts for Microsoft 365 business tenants.
  • Train staff to verify payment changes by phone using a known number.
  • Keep backups for important files outside the mailbox.
  • Review mailbox rules after staff departures or suspected phishing.

Good security is not about never clicking the wrong thing. It is about making one mistake less damaging.

When to book email security help

Book support if you cannot recover the account, if MFA or recovery details were changed, if money or client data may be involved, if a scammer accessed your computer, or if a business mailbox sent payment or invoice messages.

Everyday Computing helps Sydney homes with personal email recovery, phishing checks, password resets, device cleanup, and MFA setup. For small businesses, we can help review Microsoft 365 sign-ins, mailbox rules, admin access, security defaults, and practical recovery steps before the incident becomes a repeat problem.

Common questions

What is the first thing to do if my email is hacked?

Use a trusted clean device to recover the account, change the password, and review security settings. Do not reset the password from a computer that may still be infected or remotely controlled.

Why do I need to check forwarding rules?

A hacked mailbox may keep sending copies of messages to an attacker even after the password changes. Check forwarding, inbox rules, filters, delegates, connected apps, and recovery details.

Should I tell people my email was compromised?

Yes, if suspicious messages, links, attachments, or payment requests were sent from your account. Use a trusted channel and tell people not to open unexpected links or act on payment changes without calling a known number.

Can hacked email recovery be done remotely?

Often, yes, especially for account settings, passwords, MFA, and Microsoft 365 checks. Onsite support is better when a device may be infected, a scammer had remote access, or several computers and phones need checking.

Is a Microsoft 365 business mailbox different from personal Outlook or Gmail?

Yes. A business mailbox may involve administrator roles, shared mailboxes, audit logs, Teams, OneDrive, SharePoint, payment workflows, and customer records. Treat it as a business security incident, not just a personal password reset.

Sources and further reading