Actually, you raise a very interesting and important point. It’s difficult to list all of the things that a hacker could change after they access your account.
Let’s look at a few of the most common things.
As you point out, hackers can change the Reply-to address so that people replying to your email reply to the hackers instead.
Sometimes, it’s obvious that the reply address is completely different. Other times, there will be very subtle changes, like a single letter difference in the email address that the person replying to you doesn’t notice.
Worse, a hacker might use your name as the display name to hide a completely different email address. For example:
Leo A. Notenboom <email@example.com>
Many email programs will show only “Leo A. Notenboom” by default when a message like this arrives – yet if the recipient replies, it’ll go to the hacker’s email address.
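A recipient-side check for the Reply-to and display-name tricks described above, as an added example that is not from the original article. The contact list, the 0.9 similarity threshold, and every address in it are constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

LOOKALIKE_RATIO = 0.9  # assumed threshold for "nearly the same address"

def check_reply_headers(raw_message, known_contacts):
    """Return warnings for one raw message.

    known_contacts (hypothetical helper input) maps a display name to the
    address you already trust for that person.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    warnings = []

    # A familiar display name in front of an address you do not know.
    expected = known_contacts.get(from_name)
    if expected and expected.lower() != from_addr:
        warnings.append("display-name-mismatch")

    # Replies would go somewhere other than the sender's address.
    if reply_addr and reply_addr != from_addr:
        ratio = SequenceMatcher(None, from_addr, reply_addr).ratio()
        if ratio >= LOOKALIKE_RATIO:
            warnings.append("reply-to-lookalike")  # subtle change, easy to miss
        else:
            warnings.append("reply-to-different")  # obviously another address
    return warnings

# Constructed sample data: none of these are real messages or contacts.
CONTACTS = {"Aunt Mary": "mary@example.com"}
SAMPLES = {
    "clean": "From: Aunt Mary <mary@example.com>\nSubject: hi\n\nbody\n",
    "lookalike": "From: Aunt Mary <mary@example.com>\n"
                 "Reply-To: marv@example.com\nSubject: hi\n\nbody\n",
    "different": "From: Aunt Mary <mary@example.com>\n"
                 "Reply-To: collector@example.net\nSubject: hi\n\nbody\n",
    "name-only": "From: Aunt Mary <someone@example.net>\nSubject: hi\n\nbody\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_reply_headers(raw, CONTACTS))
```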
It’s also very common that a hacker would set up an auto-forward rule so that every email you receive is forwarded to them automatically.
Now, that may seem odd until you start thinking about account recovery and related scenarios. It’s one of the ways that hackers use your email account to hack into your other accounts, including those of other online services such as your bank.
Address book entries and other rules
Hackers can also add, remove, or alter entries in your contacts or address book. You may think you’re sending something to Aunt Mary, but it might not be her at all.
They can modify your spam filter settings and rules. In other words, they can make sure that you see all of the spam that’s headed your way.
They can even alter any automatic filtering rules that have been supplied by your email provider. For example, in Gmail, if you have filters set up that automatically label email as it arrives, hackers could change those rules while they have access to your account.
They could even alter what server is used to send mail. For example, Gmail allows you to specify an alternate server to be used when you send email. There are various reasons for this, but it allows you to use your Gmail account to send email from a non-Gmail email address.
A hacker can change or even add that configuration without you realizing it. After they do, all of the email you send would go through a hacker’s email server rather than Google’s servers.
In the end, there’s just so much functionality that email servers provide these days that it’s hard to list everything that the hacker could possibly touch.
So, after you recover an account, the short answer is to check everything: all of the settings, all of the options, all of the rules, all of the filters, and even the contents of your address book.
It’s all fair game to hackers while they have access to your account.