Before You Start

Is it safe to do this now?

Before making changes, consider whether the other person might notice. Security changes to your Microsoft account can trigger email notifications about:

  • Password changes
  • New sign-in locations or devices
  • Two-step verification changes
  • Recovery information updates

These notifications go to your account’s email address and any recovery email addresses. If someone has access to these, they may see the alerts.

Important: Your Microsoft account controls access to many services beyond email, including:

  • OneDrive (files and photos)
  • Microsoft 365 (Word, Excel, PowerPoint)
  • Xbox and gaming
  • Windows devices linked to your account
  • Skype
  • Teams (personal)

Securing your Microsoft account secures all of these at once.

What you’ll need

  • Access to your Outlook.com email or the Outlook app
  • Access to the phone number or email currently linked to your account (for verification)
  • A safe device that isn’t being monitored
  • Approximately 20-30 minutes of uninterrupted time
  • A new phone number or email address if your current recovery options are compromised

Consider doing first

  • Checking that your phone and computer aren’t being monitored
  • Having a new, private email address ready as a backup recovery option
  • Clearing your browser history after making changes (or using private/incognito mode)

Quick Contacts

Method | Details | Best for
Microsoft Support | support.microsoft.com | Account recovery, security issues
Account recovery | account.live.com/acsr | Locked out of account
Security dashboard | account.microsoft.com/security | Review and manage security
Virtual agent | Via support.microsoft.com | Quick questions

What to say: You don’t have to explain your full situation. You can simply say:

“I need to secure my account because I believe someone else may have access to it.”

Or:

“I need to remove all other devices and sessions from my account for security reasons.”

Microsoft support can help with account recovery and security concerns, though they don’t have a specific domestic abuse support team like some banks do. For sensitive situations, the self-service security tools at account.microsoft.com are often the most private option.


Check Who Has Access

Recent sign-in activity

This is the most important check. Microsoft logs every sign-in attempt to your account.

To review your sign-in history:

  1. Go to account.microsoft.com/security
  2. Sign in if prompted
  3. Click View my sign-in activity (under “Sign-in activity”)
  4. Review the list of recent sign-ins

What to look for:

  • Sign-ins from locations you don’t recognise
  • Sign-ins from devices you don’t own
  • Sign-ins at times you weren’t using your account
  • Multiple failed sign-in attempts (someone trying to guess your password)
  • “Successful sign-in” entries you didn’t make

Each entry shows:

  • Date and time
  • Location (city/country)
  • Device and browser type
  • IP address
  • Whether it was successful

If you see suspicious activity: Don’t panic. Note down the details, then follow the steps in “Remove Unwanted Access” below.

Email forwarding rules

Someone with access to your account may have set up forwarding to secretly receive copies of your emails.

To check forwarding in Outlook.com:

  1. Go to outlook.live.com and sign in
  2. Click the Settings gear icon (top right)
  3. Click View all Outlook settings at the bottom
  4. Go to Mail → Forwarding
  5. Check if “Enable forwarding” is turned on
  6. If it is, note the forwarding address

If you find unexpected forwarding: Turn it off immediately (see “Remove Unwanted Access”).

Inbox rules

More subtle than forwarding, inbox rules can automatically move, delete, or forward specific emails without you noticing.

To check inbox rules:

  1. Go to outlook.live.com
  2. Click the Settings gear icon
  3. Click View all Outlook settings
  4. Go to Mail → Rules
  5. Review all rules in the list

Red flags to look for:

  • Rules that forward emails to another address
  • Rules that delete emails from specific senders
  • Rules that mark emails as read automatically
  • Rules that move emails to obscure folders
  • Rules you don’t remember creating

Connected apps and services

Other apps may have permission to read your emails or access your account.

To check connected apps:

  1. Go to account.microsoft.com/privacy
  2. Click Apps and services that can access your data
  3. Review the list of connected applications

Also check:

  1. Go to account.microsoft.com/security
  2. Look for Manage app access or Third-party app access

Remove any apps you don’t recognise or no longer use.

Devices linked to your account

To see all devices:

  1. Go to account.microsoft.com/devices
  2. Review all devices listed
  3. These are devices where you’ve signed in with your Microsoft account

Remove Unwanted Access

Sign out everywhere

This immediately ends all active sessions on all devices.

To sign out of all devices:

  1. Go to account.microsoft.com/security
  2. Look for Sign-in activity
  3. Click Sign out everywhere (or find this option in advanced security settings)

Alternative method:

  1. Change your password (see below)
  2. During the password change, tick the box that says “Make me sign in again on all devices”

This forces anyone using your account to sign in again with the new password.

Remove email forwarding

  1. Go to outlook.live.com
  2. Click the Settings gear icon
  3. Click View all Outlook settings
  4. Go to Mail → Forwarding
  5. Uncheck “Enable forwarding” or toggle it off
  6. Click Save

Delete suspicious inbox rules

  1. Go to Settings → View all Outlook settings
  2. Go to Mail → Rules
  3. Click the bin/delete icon next to any suspicious rules
  4. Click Save

Tip: If you’re unsure about a rule, delete it. You can always recreate rules you actually need later.

Revoke app permissions

  1. Go to account.microsoft.com/privacy
  2. Under Apps and services, click Apps and services that can access your data
  3. Click on any app you want to remove
  4. Click Remove these permissions or Revoke access

Change your password

This is essential if you suspect someone knows your password.

  1. Go to account.microsoft.com/security
  2. Click Change password
  3. Enter your current password
  4. Create a new, strong password:
    • At least 12 characters
    • Mix of letters, numbers, and symbols
    • Not based on personal information (birthdays, names, addresses)
    • Not used on any other account
  5. Tick “Make me sign in again on all devices” if offered
  6. Click Save

Password tips:

  • Use a passphrase: random words strung together (e.g., “correct-horse-battery-staple”)
  • Consider using a password manager
  • Never reuse passwords across accounts

Remove linked devices

  1. Go to account.microsoft.com/devices
  2. Click on any device you don’t recognise
  3. Click Remove device or Unlink

Lock Down Your Account

Enable two-step verification

Two-step verification (also called 2FA or MFA) means even if someone knows your password, they can’t sign in without a second code.

To set up two-step verification:

  1. Go to account.microsoft.com/security
  2. Click Advanced security options or Two-step verification
  3. Click Turn on under Two-step verification
  4. Follow the setup wizard

Verification methods available:

Method | How it works | Considerations
Microsoft Authenticator app | Push notification or 6-digit code | Most secure; requires smartphone
Phone (SMS) | Code sent by text message | Convenient but less secure; SIM can be compromised
Alternative email | Code sent to another email | Ensure that email is also secure
Security key | Physical USB device | Very secure; requires purchasing a key

Recommended: Use the Microsoft Authenticator app if possible. It’s free and more secure than SMS.

Important for your safety: If someone else has access to your phone or recovery email, they could intercept verification codes. Consider:

  • Using a phone only you have access to
  • Setting up a new, private recovery email first
  • Using the Authenticator app rather than SMS

Review and update recovery options

Recovery options help you get back into your account if you’re locked out. But they can also be used by someone else if they have access to them.

To manage recovery options:

  1. Go to account.microsoft.com/security
  2. Click Advanced security options
  3. Under “Ways to prove who you are,” review:
    • Recovery phone numbers
    • Recovery email addresses

Check each one:

  • Do you still have access to this phone number?
  • Do you still have access to this email?
  • Could someone else access these?

To add new recovery options:

  • Add a phone number only you control
  • Add an email address only you can access

To remove compromised options:

  • Click Remove next to any phone or email the other person could access

Note: You must have at least one recovery option. Set up a new, safe one before removing compromised options.

Set up a security key (optional)

For maximum security, a physical security key (like a YubiKey) provides strong protection.

  1. Go to account.microsoft.com/security
  2. Click Advanced security options
  3. Under “Ways to sign in,” look for Security key
  4. Follow the setup instructions

This requires purchasing a security key (approximately GBP 25-50), but it’s the most secure option available.

Review trusted devices

Microsoft may remember certain devices as “trusted” so they don’t require verification each time.

  1. Go to Advanced security options
  2. Look for Trusted devices or Remembered devices
  3. Remove any devices you don’t trust

Enable passwordless sign-in (optional)

Microsoft now offers passwordless sign-in using the Authenticator app. This can be more secure because there’s no password to steal.

  1. Install the Microsoft Authenticator app
  2. Go to account.microsoft.com/security
  3. Look for Passwordless account or find this in Advanced security options
  4. Follow the setup wizard

Outlook Desktop App vs Outlook.com

There are important differences between the Outlook desktop application and Outlook.com (webmail):

Outlook.com (webmail)

  • Accessed at outlook.live.com or outlook.com
  • Security settings are managed at account.microsoft.com
  • All the steps in this guide apply directly

Outlook desktop app (Windows/Mac)

  • The desktop app connects to various email accounts
  • If connected to your Microsoft account, the same security steps apply
  • If connected to a work email (Microsoft 365/Exchange), your organisation controls security
  • Check with your IT department for work accounts

If you use the Outlook desktop app:

  1. Check which accounts are connected (File → Account Settings)
  2. For personal Microsoft accounts, use this guide
  3. For work accounts, contact your IT department
  4. Consider whether the other person has access to the computer where Outlook is installed

Important: If someone has access to a computer where you’re signed into Outlook, they can read your emails even if your account is secure. Consider:

  • Signing out of Outlook on shared computers
  • Removing the account from the desktop app
  • Changing your password to force a re-sign-in

Get Confidential Support

Microsoft Support

Microsoft doesn’t have a specific domestic abuse support team, but their security team can help with compromised accounts.

Options:

  1. Virtual agent: Visit support.microsoft.com, search for “account security,” and use the virtual agent
  2. Get help app: On Windows 10/11, search for “Get Help” and describe your security concern
  3. Community forums: answers.microsoft.com (be careful not to share personal details publicly)

What to say:

“I need help securing my account. I believe someone else has gained access and I need to remove them and protect my account.”

Self-service security tools

The most private option is often to use Microsoft’s self-service tools:

These don’t require speaking to anyone and leave no record of your conversation.


If You’re Locked Out

If you know your password but can’t complete verification

  1. Go to account.live.com/acsr
  2. Enter your email address
  3. Enter a contact email Microsoft can use to reach you (must be different from the locked account)
  4. Complete the security check
  5. Fill in the form with as much detail as possible about your account
  6. Wait for Microsoft’s response (usually within 24 hours)

Tips for the recovery form:

  • Provide previous passwords you’ve used
  • List email addresses you’ve contacted
  • Mention recent email subjects
  • Describe your recent account activity

If someone changed your password

  1. Go to account.live.com/password/reset
  2. Enter your email address
  3. Try using your recovery email or phone
  4. If you don’t have access to these, use “I don’t have any of these” to start the account recovery process

If your recovery options have been changed

This is more complex. You’ll need to:

  1. Go to account.live.com/acsr
  2. Fill out the account recovery form in detail
  3. Microsoft will review and attempt to verify you’re the rightful owner
  4. This can take several days

Evidence that helps:

  • Previous passwords
  • Subject lines of recent emails you sent
  • Names of folders you created
  • Payment methods linked to the account
  • Previous addresses on file

Starting Fresh

Sometimes it’s safer to create a new email account rather than trying to secure a compromised one. Consider this if:

  • You can’t verify who has access
  • Too many people have the email address
  • The account has been severely compromised
  • You want a completely fresh start with no connection to the old account

Creating a new Microsoft account

  1. Go to outlook.live.com
  2. Click Create free account
  3. Choose a new email address (doesn’t need to include your real name)
  4. Use a strong, unique password
  5. Add recovery options only you control
  6. Enable two-step verification immediately

Keeping your new account private

  • Don’t use your real name in the email address
  • Use a phone number only you have access to
  • Use a recovery email only you can access
  • Don’t link it to your old account
  • Be careful about who you share the new address with
  • Check your settings for any “import” or “link” options that might connect to old accounts

Transitioning from your old account

If you need to keep access to important emails:

  1. Forward essential emails to your new account before disconnecting
  2. Update important accounts (banking, utilities, etc.) to use your new email
  3. Set an auto-reply on the old account directing trusted contacts to your new address (only if safe)
  4. Consider deleting the old account entirely once you’ve transitioned

Red Flags That Suggest Compromise

Watch for these warning signs:

In your inbox

  • Emails marked as read that you haven’t opened
  • Emails in “Sent” that you didn’t send
  • Missing emails you’re expecting
  • Password reset emails you didn’t request
  • “New sign-in” alerts from locations or devices you don’t recognise
  • Replies to emails you don’t remember sending

In your account

  • Sign-in activity from unfamiliar locations
  • Recovery options (phone/email) you didn’t add
  • Connected apps you don’t recognise
  • Forwarding rules you didn’t create
  • Inbox rules that hide, delete, or redirect emails

From other people

  • People receiving emails from you that you didn’t send
  • Someone knowing the contents of your private emails
  • Someone knowing about conversations before you tell them
  • Strange replies to emails you didn’t send

On your devices

  • Your password suddenly not working
  • Being signed out unexpectedly
  • The Outlook app behaving strangely

If you notice any of these, follow the steps in this guide immediately to secure your account.


Additional Support

Microsoft support

If you’re in immediate danger

Call 999 if you’re in immediate danger.

External support

Tech safety resources

  • Refuge Tech Safety: refugetechsafety.org
  • National Network to End Domestic Violence (Safety Net): Resources on technology safety

Last verified: December 2025

If anything on this page is out of date, please contact us.