The password change that did not lock them out
You found the break-in, changed your password, and felt the relief of having fixed it. Then the small signs kept coming — password-reset emails you did not request, contacts saying they got strange messages from you, a feeling that someone still knows what is in your inbox. Here is the part most guides skip: changing your password does not remove a forwarding rule or filter an attacker left behind. If they set one up, they are still reading your mail.
How the persistence trick works
Early in a takeover, a careful attacker creates a mail forwarding rule or a filter that quietly sends a copy of your incoming mail to an address they control. Sometimes it forwards everything; more often it forwards only messages that match terms like code, reset, verify, invoice, or a bank's name. The rule keeps running no matter how many times you change the password, because it lives in your mail settings, not in your login. That is what makes it a persistence mechanism — it is how they stay in after you think you have shut the door.
Worse, your email is the reset address for your other accounts. As long as the rule forwards reset codes, the attacker can keep taking over your bank, shopping, and social logins — without ever signing back into your email.
Find it and kill it
The specific check, by provider:
- Gmail. Settings (gear) → See all settings → Forwarding and POP/IMAP: remove any forwarding address you did not add. Then Filters and Blocked Addresses: delete any filter that forwards, deletes, or marks-as-read your mail.
- Outlook / Microsoft. Settings → Mail → Forwarding: turn off forwarding you did not set. Then Mail → Rules: delete any rule that forwards or moves messages to an address you do not recognize.
After you delete the rule, change your password once more — any reset code the attacker captured while the rule was live should be treated as burned.
Then finish the recovery properly
Removing the forwarding rule closes the silent leak, but it is one step in a full cleanup. Work the rest — sessions, recovery contacts, two-factor, connected apps — using the complete guides rather than repeating them here:
- Is your email hacked? 10 signs and how to verify — to confirm what else the intruder touched.
- Recover a hacked Google account — the full, step-by-step Gmail recovery and lock-down flow.
If reset codes are still being intercepted, money is moving, or the attacker keeps coming back, account compromise recovery can trace how they are holding access and close it.
Sources
- Google Workspace / Gmail Help, Automatically forward Gmail messages to another account. https://support.google.com/mail/answer/10957
- Google Workspace / Gmail Help, Create rules to filter your emails. https://support.google.com/mail/answer/6579
- Microsoft Support, Use rules to automatically forward messages. https://support.microsoft.com/en-us/office/use-rules-to-automatically-forward-messages-45aa9664-4911-4f96-9663-ece42816d746
- Federal Trade Commission, How To Recover Your Hacked Email or Social Media Account. https://consumer.ftc.gov/articles/how-recover-your-hacked-email-or-social-media-account
