Outlook email users alerted to suspicious activity from Microsoft-owned IP address

Strange things are afoot in the world of Microsoft email with multiple users reporting unusual sign-in notifications for their Outlook accounts. While an unusual sign-in activity email should always be treated with suspicion, the twist here is that the IP address at the root of the issue appears to originate within Microsoft …

  1. lglethal Silver badge
    Facepalm

    I got this as well, and had not realised it was a Microsoft IP address. I just updated my password, noted that someone in America seemed to have successfully sync'd my account, and again regretted the fact there was no way to, for instance, simply block all attempts originating from outside of your registered country by selecting a specific setting within Outlook.

    I do not know why this seems so hard for firms to implement. Yes it won't stop a dedicated attack against me by someone using a VPN, but first the miscreants would need to know which country I'm in, to know which VPN to set up, before they could try to access my account. And that is not how the vast majority of attacks come in. They are usually simply lists of email addresses, with lists of previously leaked passwords, and try your luck. Add in location blocking and I'd be willing to bet 99% of intrusions are stopped at source. Make it a simple on-off setting, so when people want to travel they can turn it off, and access their device from anywhere, and then turn it back on again when they're home.

    This is not rocket science... I don't know why it isn't the default.

    1. sitta_europea Silver badge

      VPN == Virtual Private Network.

      Seems to me nowadays that this term is more abused than it is used.

      1. lglethal Silver badge
        Go

        I fail to see your point, and I'm sure you understood mine. But I'll explain it again in case it wasn't clear.

        By using a VPN, I mean that the miscreant would create a tunnel from their actual location to a location in my country of residence in order to trick, in this case, Microsoft into thinking that the access attempts were originating from my country. Yes, there are other ways that this could be done, but the use of VPNs to avoid location locking/identification is very common and widely understood. So I thought that would be quite clear...

        1. david 12 Silver badge

          I understood your point, but I don't think your explanation improved it. If you are trying to explain, why not just say 'local proxy'?

          The 'tunnel' is irrelevant, and the 'VPN' is only a widely-understood example of using a local proxy (and some of the 'VPN' services provide the bare proxy without the overhead of a tunnel or private network)

      2. NoneSuch Silver badge
        Coffee/keyboard

        "Sometimes they can be completely legitimate; for example, logging into webmail from abroad, or adding a new mobile phone. Other times they can be an indicator of nefarious activity."

        NSA / GCHQ / CSE / Mossad / South African Potato Farmers Cooperative; could be anyone.

        1. Claptrap314 Silver badge

          But not Fancy Bear or one of Pooh's friends? How very selective of you...

    2. ThatOne Silver badge

      > I dont know why it isnt the default.

      No money in doing it, not to mention potential customer support issues from people who have left on a trip and forgotten they had this feature?

      1. teknopaul

        And most of Microsoft's paying customers are probably in the US.

        And big corps have private networks with weird exit points. All my legitimate web traffic can be from Belgium where we have a big datacenter.

    3. Anonymous Coward

      > simply block all attempts originating from outside of your registered country

      Appreciate this advice is not much use for free outlook.com users, but you can do this with Office 365/Azure/business Outlook accounts.

      Create a conditional access policy. Grant = Block. Conditions: Include = "Any location" Exclude = "UK".

      (be very careful, obviously!)

      1. J. Cook Silver badge

        That requires the more spendy E5 license. No, I'm not joking.

        1. plunet

          I think you will find that an Azure AD P1 licence is sufficient for enabling Conditional Access.

      2. razorfishsl

        Cannot be done......

        And even on E3, it DOES NOT work with TCP/IP v6 addresses!!!!!!

        It ONLY works with TCP/IP v4.
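Worked example of the policy described in the Anonymous Coward comment above (Include = Any location, Exclude = UK, Grant = Block). This is added example code, not something any commenter posted: it uses the Microsoft Graph PowerShell SDK to create the UK named location and the block policy, starts the policy in report-only mode so the sign-in log can be reviewed before anything is enforced, and excludes an emergency-access account so a mistake cannot lock out every administrator. The account name breakglass@contoso.example is an assumption, and the tenant needs a licence that includes Conditional Access (Azure AD, now Entra ID, P1 or higher).

```powershell
# Added example (not from the comment above): block sign-ins from outside the UK
# with a Conditional Access policy, via the Microsoft.Graph PowerShell SDK.
# Policy writes need Policy.ReadWrite.ConditionalAccess plus Application.Read.All;
# User.Read.All is needed to look up the excluded account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All","User.Read.All"

# Assumption: a dedicated emergency-access account that is kept OUT of the block.
$breakGlassUpn = "breakglass@contoso.example"
$breakGlass    = Get-MgUser -UserId $breakGlassUpn

# 1. Named location. Country codes are ISO 3166-1 alpha-2, so the UK is "GB", not "UK".
#    includeUnknownCountriesAndRegions = $false means an IP that cannot be mapped to a
#    country does NOT count as the UK, and therefore falls under the block below.
$ukLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "United Kingdom"
    countriesAndRegions               = @("GB")
    includeUnknownCountriesAndRegions = $false
}

# 2. Policy: all users (minus break-glass), all cloud apps, any location except the UK, Block.
#    Report-only first: sign-ins are evaluated and logged but not blocked until you flip state.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block sign-in from outside the UK"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($ukLocation.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# 3. Read the policy back before enforcing, so you can see exactly what is excluded.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{n='ExcludedUsers';     e={ $_.Conditions.Users.ExcludeUsers -join ',' }},
        @{n='ExcludedLocations'; e={ $_.Conditions.Locations.ExcludeLocations -join ',' }},
        @{n='Grant';             e={ $_.GrantControls.BuiltInControls -join ',' }}
```

Leave the policy in report-only mode for a week or so and check the sign-in log for entries that would have been blocked; a corporate proxy or a VPN concentrator that exits in another country will show up there before it locks anyone out. Remember that the country of an IP is whatever Microsoft's geolocation data says it is, so a "UK" user on a mobile carrier with unknown or foreign-registered address space can still be blocked by this policy.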

    4. Allan George Dyer

      While I agree simple country filtering can block most miscreant attempts, there is a danger of locking some people out of their accounts permanently. I've recently relocated to a different country, and while I tried to update my address for the most important services before leaving, there are others I didn't get round to. Then there's the accounts where I need to receive an SMS on the old number before I can login to update the details... even with roaming, the message might take longer than the 10-minute window to arrive.

      So, make the default safe for most people, but have a fallback mechanism for the edge cases.

      1. Cav Bronze badge

        Can such people not use a VPN to their former country? As the owner of the account, you know the country to which it is currently restricted and so can establish a VPN connection to that country.

        1. teknopaul

          Careful what you wish for

          You are asking for a balkanised Internet

          1. TRT Silver badge

            Re: Careful what you wish for

            As opposed to a balmerised one.

          2. ecofeco Silver badge

            Re: Careful what you wish for

            Geo-fencing is already a thing.

    5. razorfishsl

      It is a deliberate policy, ready for the new Microsoft protection systems they are selling.

      They have DELIBERATELY removed critical functionality from 365 & Azure then put it behind a pay wall.

      A bit like inserting a DELIBERATE exploit into Win10, which they did.

      Basically making it almost impossible to block the MS store in a business unless you are running the enterprise version... whilst still leaving in a policy for blocking the store, that actually does not work if it is enabled.

      Then adding in a system for users to bypass any store block put in place, by making the store accessible from 365 webmail & finally adding in a "LinkedIn back door".

      It is all leading up to them selling "security services" in the cloud and them trying to force users into Azure.

      Then we have the dirty business of the MS Authenticator

      which PHYSICALLY tracks ANY user that has it on their device, providing telemetry data every 5 minutes back to MS!!!!

      yep you thought it was just a random number+salt generator..... nope...... it is a GPS dog collar up your ass.

    6. Antron Argaiv Silver badge
      FAIL

      Happened to me as well, always a "sync" from a 13.x.x.x address. Changing my password seems to have stopped the messages.

      I've also been having dropped daily emails from a particular subscription mailing list for the past month or so. Not sure if the two are related. You'd think MS could manage to get email right, FFS.

      1. Anonymous Coward Silver badge
        Linux

        > You'd think MS could manage to get email right

        Why would you think that? They can't seem to get anything else right.

  2. Cheshire Cat

    Azure or O365 Shells do this

    I've had this on my account; the root cause was my authenticating on an Azure/O365 web shell in order to run some admin Powershell commands against Teams. This showed up as an apparent login from an IP in Singapore that was MS-owned.

    So the root cause may be people using their personal IDs rather than a Service Principal to run scripts in Azure.
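A quick way to check what is actually behind an alert like this, added here as an example and not taken from the comment above: pull the tenant's sign-in log for one user through the Microsoft Graph PowerShell SDK and group it by application, IP and country, so a Cloud Shell or admin PowerShell session shows up under its own application name rather than as an anonymous Microsoft-owned address. This only works for Azure AD work or school accounts (the sign-in log needs a P1 licence); personal outlook.com accounts have no equivalent API. The user name alice@contoso.example is an assumption, and the commented tail shows the app-only (service principal) connection the commenter suggests, with placeholder IDs.

```powershell
# Added example: summarise one user's recent Azure AD sign-ins by app / IP / country.
# Needs the Microsoft.Graph PowerShell SDK and the AuditLog.Read.All + Directory.Read.All scopes.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

function Get-SignInSummary {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$Days = 7
    )
    # The signIns endpoint accepts OData filters on userPrincipalName and createdDateTime.
    $since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-dd\THH:mm:ss\Z")
    $filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"

    Get-MgAuditLogSignIn -Filter $filter -All |
        Select-Object CreatedDateTime, AppDisplayName, ClientAppUsed, IpAddress, IsInteractive,
            @{n='Country'; e={ $_.Location.CountryOrRegion }},
            @{n='City';    e={ $_.Location.City }},
            @{n='Result';  e={ if ($_.Status.ErrorCode -eq 0) { 'success' } else { "error $($_.Status.ErrorCode)" } }} |
        Group-Object AppDisplayName, IpAddress, Country, Result |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                App         = $first.AppDisplayName   # e.g. "Azure Portal" or "Microsoft Azure PowerShell"
                Client      = $first.ClientAppUsed
                Interactive = $first.IsInteractive
                IP          = $first.IpAddress
                Location    = "$($first.City), $($first.Country)"
                Result      = $first.Result
                Count       = $_.Count
                LastSeen    = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            }
        } | Sort-Object LastSeen -Descending
}

# Assumed user; replace with the account that received the "unusual sign-in" mail.
Get-SignInSummary -UserPrincipalName "alice@contoso.example" -Days 14 | Format-Table -AutoSize

# For unattended scripts, sign in as an application (service principal) with a certificate
# rather than a personal account, so admin automation never appears as a human's sign-in.
# The IDs below are placeholders (assumptions), not real values:
# Connect-MgGraph -ClientId "00000000-0000-0000-0000-000000000000" `
#                 -TenantId "contoso.onmicrosoft.com" `
#                 -CertificateThumbprint "ABCDEF0123456789ABCDEF0123456789ABCDEF01"
```

Grouping on the Result column separates a burst of failed password attempts (a long list of "error 50126" rows from one IP) from the handful of successful, interactive logins that a real user would recognise, which is the distinction the alert mail itself does not make.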

  3. sitta_europea Silver badge

    [quote]

    He joked: "Let's start with observing that Microsoft deems ITSELF suspicious. I call that progress!"

    [/quote]

    Correction: He wasn't joking.

    1. My-Handle

      "Many a true word is spoken in jest"

  4. Anonymous Coward

    Some possible explanations

    - In their ongoing attempt to be the one and only stop for everything IT, MS has decided to become a threats provider

    - There is money to be made in hacking, and MS is all about making money

    - Intelligent hackers have decided it was easier to infiltrate the company which controls and spies upon 90% of the world's personal computer estate instead of going after each victim piecemeal

    - It's a feature. Won't fix

    1. Anonymous Coward

      Re: Some possible explanations

      MS has decided to become a threats provider

      That decision was taken years ago, Windows Vista was no accident.

      :)

    2. KA1AXY
      Happy

      Re: Some possible explanations

      "No one can protect you from us like we can protect you from us!"

  5. heyrick Silver badge

    Relative silence...

    They might think it's a rogue employee and actually admitting to that would kill their cloudy aspirations stone dead?

    1. MrDamage Silver badge

      Re: Relative silence...

      Given how Faecesbook, and Rogers, managed to self-purge themselves from the internet due to incompetence, I wouldn't rule out Hanlon's Razor just yet.

      1. Outski

        Re: Relative silence...

        Wasn't there one a while back where Telekom Malaysia managed to b0rk their BGP so 30% of all traffic was going through Malaysia?

  6. FlamingDeath Silver badge

    Dumbf***ery abound

    I’ve been working / playing with computers since being 4 years old, since 1984

    Forget about the nonsense that the gubbermint gets up to over the same timeline, i.e. false flags, and other assorted stupidity. Just on this site, I am reading, or should I say, “trying to read” the content, and because it is littered with adverts, the screen will suddenly jump about, because the advert server somewhere else is slow AF

    FFS get a f***ing grip morons

    “I Like Money” - Frito

    1. DJV Silver badge

      Re: Dumbf***ery abound

      I don't see adverts - I'm using uBlock Origin. Why aren't you?

    2. Cav Bronze badge

      Re: Dumbf***ery abound

      "False flags" hahahaha

      And what ads..?

    3. heyrick Silver badge

      Re: Dumbf***ery abound

      Dunno what you're on about regarding false flags, but yes, inline adverts are shit and cause the page to jump about erratically and frequently seem to grab clicks/taps that were intended to do something else, not to mention more than a few take any form of interaction as being permission to throw away what you were reading and go to a different site for even more adverts....

      ...so the painfully obvious question is why are you reading a tech oriented site and not using a blocker to block, well, everything.

      Governments of all persuasions spout the bullshit they want you to hear, just ignore it. Don't get hung up on so-called false flags, instead worry about what you're letting have access to your device. That's a much more insidious problem.

      1. The Oncoming Scorn Silver badge
        Meh

        Re: Dumbf***ery abound

        Not too many ads here, despite the fact I'm at work & can't add UBlock etc.

        1. heyrick Silver badge

          Re: Dumbf***ery abound

          Your place of work may have some sort of firewall that already blocks a lot of the unwanted rubbish. Doing it on the network side means one block affects everything (simplest way when it comes to the C-suite).

    4. ecofeco Silver badge

      Re: Dumbf***ery abound

      Ublock and NoScript are your friends.

      1. A.P. Veening Silver badge

        Re: Dumbf***ery abound

        And don't forget Pi-Hole.

        1. EnviableOne

          Re: Dumbf***ery abound

          Running FF ESR with uBlock and NoScript and no ads ... no need for the added complexity of Pi-hole.

          1. Evil Scot

            Re: Dumbf***ery abound

            Pi Hole blocks all devices and all browsers.

            Such as when Apple forces all browsers to use its browser engine but only uses blockers in Safari, the various social apps are not covered.

  7. VoiceOfTruth Silver badge

    I mentioned it here

    -> https://www.theregister.com/2022/06/13/open_source_office_suites/

    If you use MS Outlook with third party IMAP servers (presumably POP3 too, and Outlook), your login details are passed to Microsoft.

    When I recently tried Office 365 for Mac, I set up Outlook. I was expecting to see logins from my IP address. What I saw was logins from Microsoft. There is only one conclusion from this, for my circumstances but probably in general: Microsoft is storing the login details in plain text. They have to be, as the server I use only has plain text logins over TLS. This cannot be hashed in any way. Perhaps Microsoft is hashing the details when it stores them, but it has to have a way to retrieve the plain text version.

    I contacted MS about this. They said they do this to "enable server side search". This is not necessary, as IMAP servers support server side search - there is no requirement for Microsoft or anyone else to have a login to do this.

    If you use Outlook with an IMAP server, consider it to be unsafe unless you can prove otherwise. Naturally, I do not use Outlook and changed my passwords.

    It is worth mentioning that I saw the same behaviour with Outlook on Android.

    1. J. Cook Silver badge

      Re: I mentioned it here

      Plausible! (you have to sign in to your microsoft account in order to validate your ability to use the Office 249 apps that are downloaded to your device, and it stands to reason that it keeps the configuration information for the email accounts stored in your O248 account.)

  8. Anonymous Coward

    Microsoft forgot to disable reporting when the NSA logs in?

  9. David Austin

    poor nan

    Happy but also very aggravated to see this - I spent a good chunk of time this weekend and beyond attempting to secure my 85 year old nan's Outlook account.

    It didn't help that the night before the sign in activity emails came through, my mum and aunt downloaded a suspicious Google Play store app, which I assumed was the cause of it - looking at the activity, I could see they were Azure IPs but I assumed some miscreant had rented/stolen a 365 server to carry out an attack.

    Still kept coming after a full account lockdown (Account sign out, new and Unique password set), so I went the full hog and enabled Multifactor Authentication on Monday.

    That seemed to have stopped the suspicious account activity, but now I fear this was all a Microsoft screw up compounded by bad timing, and I may owe my mum and aunt an apology...

    1. MachDiamond Silver badge

      Re: poor nan

      "I spent a good chunk of time this weekend and beyond attempting to secure my 85 year old nan's Outlook account."

      It would have been faster to delete Outlook and install something better. Does your nan need a bunch of "advanced functionality" or just a way to send and receive email?

      1. David Austin

        Re: poor nan

        Outlook account; as in an outlook.com email picked up by her android phone's native email app (a special one designed for older, less technical users)

  10. Doctor Syntax Silver badge

    Touch wood it seems to have stopped.

    At least it wasn't just me. I started getting these alerts on a couple of accounts coincident with going on holiday and logging in from a different location. When they continued when I got back I thought MS were getting just a tad too suspicious. I should have realised that incompetence was more likely than an excess of competence.

  11. JollyJohn54

    Password Change Loop

    I have 6 MS email accounts, currently all accessed by Thunderbird via pop. The oldest is my Hotmail account, created when Hotmail was new and exciting, up to my latest (something like myelectriccar at outlook) for dealing with all things car related. Electric cars need a lot of accounts!

    Last week (13th) I received a 'suspicious activity' email on one account which was then locked out from POP. I logged in through Firefox and changed my password. To do this I had to enter my recovery email address (another Outlook one) and then get a code before I could continue. I got the code and a suspicious activity email too. So I changed the password on the second account which prompted the first account to repeat the suspicious activity email. That's when I realised this was all just MS silliness and ignored it.

    On the 14th the remaining 4 accounts got the email and were locked out from pop. I decided to leave it a few days before changing the rest of the passwords and setting the recovery email for all accounts to a gmail one.

    So far no more problems.

    1. MachDiamond Silver badge

      Re: Password Change Loop

      "setting the recovery email for all accounts to a gmail one."

      Wow, most slaves would rather be set free than to change masters.

  12. Anonymous Coward

    I see a pattern here...

    Hummm, you all seem to be using the Outlook client. I don't. As near as I can tell Thunderbird looks the same as the web based mail. Microsoft seems to bork everything it touches. I understand that when you have to do the corporate dance that's fine, but private email, come on.

  13. AHW

    I get the same email and the account is locked until a new password is provided. As soon as the new password is entered my mail client polls the mailbox and immediately the account is blocked again. The only activity showing as suspicious is our routine email checking from the same IP address, nothing has been altered for years.

    In the end I simply abandoned outlook.

  14. razorfishsl

    Yep.. there is an "exploit" in the login systems of Microsoft, for Azure & 365.

    It is possible to log in as the admin of someone else's 365 instance, if you "catch it right".

    Nope, I'm not going to explain how to do it.

    And also an attack exploit against accounts....

    MS are NOT interested. They are even LESS interested once I told them I'm not here to work as "free Q.A. staff" for their company; I have a massive long-running case with them over another of their policies, where they are REFUSING support requests.

    Basically this is part of the attack for 365:

    You use Azure to run your attack systems INSIDE MS Azure & in some cases a 365 instance. Now, because you are running these attacks from inside the same cloud as MS 365, most of the traffic is NOT SEEN externally.

    You then run desktop instances of clients to leverage the attack (inside Azure), get a user to click on a link and get an authentication token. ONCE YOU HAVE THIS YOU DO NOT NEED to log in again,

    since MS Azure sees the "fake" account as never moving or changing its security status (it's running inside Azure from MS data centers).

    The login will NEVER appear inside the Azure back end under the normal authentication systems.

    Furthermore MS is totally unable to track & resolve TCP/IP v6 addresses; there is NO WAY to filter the traffic or set any kind of triggers, and country & other filters are useless.

    (Most mobile phone networks use TCP/IP v6.)

    Once you have this login, you then leverage dummy email zones to match the users you are attacking, by using "Namecheap" and Google email redirectors,

    and start setting up filters to put ALL the user's email into the ARCHIVE SPAM folder. At this point the hacker goes through, reads the email, replaces or deletes the content & marks it as NOT spam, putting it BACK into the user's mailbox.

    They also set up dummy businesses with VERY similar names on "Namecheap" but set the MX records to Google.

    They also POISON your address book, removing the "genuine" email addresses and replacing them with poisoned ones (same contacts, slightly different domain spelling).

    Start typing an email address & you get the poisoned address, which redirects to their dummy domain so they can add "wares" before sending to the real recipients.

    It is a highly efficient attack strategy, and they can run inside your business for months, gradually leveraging into customers & supplier systems using the same methods.

    They are VERY VERY careful and become highly proficient in the running of the business & financials, plus all systems related to money releases.
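The persistence the comment above describes (inbox rules that quietly move mail into Junk or Archive, mail forwarded outside the tenant, and contacts swapped for lookalike domains one character away from the real one) is something an Exchange Online admin can audit for. The following is an added example, not code from the commenter or from Microsoft: a rule audit that flags the move/delete/forward patterns, and a lookalike-domain check based on edit distance. It runs offline against a constructed sample in the same shape Get-InboxRule returns (names and domains are invented); the commented lines show how to feed it real data from Exchange Online PowerShell.

```powershell
# Added example: audit inbox rules and contact domains for the BEC patterns described above.
# Runs offline on constructed sample data; see the commented lines for live Exchange Online input.

function Get-EditDistance {
    # Levenshtein distance, used to spot domains one or two typos away from a trusted one.
    param([string]$a, [string]$b)
    $a = $a.ToLower(); $b = $b.ToLower()
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Test-LookalikeDomain {
    # Returns a finding when $Domain is not a trusted domain but is within $MaxDistance edits of one.
    param([string]$Domain, [string[]]$TrustedDomains, [int]$MaxDistance = 2)
    if ($TrustedDomains -contains $Domain.ToLower()) { return $null }   # exact match: legitimate
    foreach ($t in $TrustedDomains) {
        $dist = Get-EditDistance $Domain $t
        if ($dist -le $MaxDistance) {
            return [pscustomobject]@{ Domain = $Domain; LooksLike = $t; Distance = $dist }
        }
    }
    return $null
}

function Find-SuspiciousInboxRules {
    # Flags rules that hide mail (Junk/Archive/Deleted, delete, mark-as-read) or forward it externally.
    param([object[]]$Rules, [string[]]$AcceptedDomains)
    foreach ($r in $Rules) {
        $reasons = @()
        if ($r.MoveToFolder -match 'Junk|Archive|RSS|Deleted|Conversation History') { $reasons += "moves mail to '$($r.MoveToFolder)'" }
        if ($r.DeleteMessage) { $reasons += 'deletes mail' }
        if ($r.MarkAsRead)    { $reasons += 'marks mail as read' }
        $targets = @($r.ForwardTo) + @($r.RedirectTo) + @($r.ForwardAsAttachmentTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            # Recipient strings look like '"Display Name" [SMTP:user@domain]'; pull out the address.
            $m = [regex]::Match("$t", '[\w.+-]+@([\w.-]+)')
            if ($m.Success -and ($AcceptedDomains -notcontains $m.Groups[1].Value.ToLower())) {
                $reasons += "forwards to external $($m.Value)"
            }
        }
        if ($reasons) {
            [pscustomobject]@{ Mailbox = $r.MailboxOwnerId; Rule = $r.Name; Enabled = $r.Enabled; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample (invented mailboxes, domains and rules) shaped like Get-InboxRule output.
$acceptedDomains = @('contoso.example')
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'alice@contoso.example'; Name = 'Vendor invoices'; Enabled = $true
                       MoveToFolder = 'alice@contoso.example:\Junk Email'; DeleteMessage = $false; MarkAsRead = $true
                       ForwardTo = $null; RedirectTo = $null; ForwardAsAttachmentTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'alice@contoso.example'; Name = '.'; Enabled = $true
                       MoveToFolder = $null; DeleteMessage = $false; MarkAsRead = $false
                       ForwardTo = @('"Finance" [SMTP:finance@c0ntoso.example]'); RedirectTo = $null; ForwardAsAttachmentTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'bob@contoso.example'; Name = 'Newsletters'; Enabled = $true
                       MoveToFolder = 'bob@contoso.example:\Inbox\Newsletters'; DeleteMessage = $false; MarkAsRead = $false
                       ForwardTo = $null; RedirectTo = $null; ForwardAsAttachmentTo = $null }
)
Find-SuspiciousInboxRules -Rules $sampleRules -AcceptedDomains $acceptedDomains | Format-Table -AutoSize
# Live data instead of the sample:
#   Connect-ExchangeOnline
#   $acceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }
#   $rules = Get-EXOMailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName }

# Lookalike check over a list of contact addresses (constructed sample).
'supplier@contoso.example', 'supplier@c0ntoso.example', 'news@example.org' |
    ForEach-Object { Test-LookalikeDomain -Domain ($_ -split '@')[1] -TrustedDomains $acceptedDomains } |
    Where-Object { $_ } | Format-Table -AutoSize
```

On the sample, the two "alice" rules are flagged (one moves mail to Junk and marks it read, the other, named only ".", forwards to finance@c0ntoso.example, a domain one edit away from the accepted one) while Bob's newsletter rule is not; the lookalike pass reports only c0ntoso.example. A rule name of a single dot or a blank is itself worth a second look, since that is how attackers keep rules from standing out in the Outlook rules dialog.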

  15. Tim99 Silver badge
    Big Brother

    Usual MS systems behaviour?

    and/or home grown spooks? >>=============>

  16. Phil Kingston

    I've been getting unexpected Authenticator prompts this week. But kinda figured it was a delay/fault between my phone, laptop, Phone Link or another device I use. Didn't hit Approve. Wonder if it was this.

    1. stiine Silver badge
      Alert

        Those are all someone with your password (or a previous one) trying to get you to enter your 2FA so they can log in.

  17. FlamingDeath Silver badge

    Any buyers?

    I have some clouds for sale, they’re fluffy

  18. SoaringEagle
    FAIL

    My Cat was receiving "Unusual Activity" notices from Microsoft's domain in his email. He was alarmed by this activity and notified me, but I just thought he wanted me to pet him. After all the meows, I followed him to his computer and noticed an email from Microsoft indicating Unusual Sign-In Activity. I rewarded my Cat for bringing this to my attention! He had changed his password and implemented dual auth and still received the messages on an intermittent basis over several months now. Also, after looking into this, I have to commend The Register for being one of the first to report the problem publicly since this is not being mentioned anywhere online, for the enormity of the issue/threat this could potentially be.

    First, I saw he had intermittent notices over several months from Microsoft for access to his account from Russia and today was one from Israel. My Cat is very patriotic so probably is a target which I have to be aware of. These messages look entirely legit if not identical copies of Microsoft messages. When trying to determine if Microsoft is miraculously spoofed given the change in controls to prevent this, like we used to see in the past on a regular basis, there is no indication of spoofing. However, a user receiving a notice like this just can't entirely rule this out or make any assumptions since you may click on the link provided and end up in stormy waters. This type of issue can cause enormous problems especially for the user but also for the savvy ones who have tried to educate their Cats about how to identify spoofing and to prevent them from falling for it. I might add to inform your users about notices from providers and to not react by clicking on ANYTHING and to have your company cyber professional summoned regarding issues of uncertainty and notices of any kind. When looking over these messages, I'm still not entirely convinced that Microsoft is not being spoofed and are circumventing the implemented controls to prevent this. Again, if this is happening, EVERYONE needs to slingshot their thinking back to the day spoofing was easy and our certainty of the original source cannot be taken for granted.

    Now, if this is not spoofing - where is the accountability of the gravity of the security breach this causes the users and professionals like my Cat working in this space??? This is a very serious issue regarding the privacy of everyone using Outlook in ANY form, from the free version to the commercial versions.

    In my Cat's email we assumed the spoofing scenario to be safe and sent the messages to abuse@microsoft.com. One of the reasons we decided to do this is that even after changing passwords and using dual auth there never was any other indication we could find of compromise of the email and the Microsoft junk was catching all of these notices. So even Microsoft was treating these notices as spam. FYI, we even forwarded these messages to phishing-report@us-cert.gov. Microsoft will send you a notice saying they received the stupid thing without any follow-up, and you will never hear back from .gov for much of anything and everybody knows it, so most people don't ever bother reporting much of anything to the goo logs. There were instances of Microsoft and .gov domains actually rejecting the reporting, but it was not consistent and only a few were rejected. I might also add that I have gathered this situation happening for IMAP or POP, it doesn't matter which.

    The above irregularity, uncertainty regarding sources of information on communication platforms on complex protocols can be very time consuming to identify the cause and really the providers and the .gov need to be more aggressive in resolving such matters involving people's personal privacy, especially when this distracts from the user's mission resulting in a decrease in productivity or even just finding a job or buying treats for my cat because we are spending so much time trying to figure out institutional problems affecting many people across the world.

  19. PeterM42
    Facepalm

    I always thought....

    ...one of the advantages of 't'internet was that you could access things like your emails from anywhere in the world where you have internet access.

    Just need some decent security to prevent hackers.

    My mistake, obviously!

  20. Cliffwilliams44 Silver badge

    Microsoft vs Microsoft a tragedy that never ends!

    "We're working to resolve a configuration issue causing some customers to receive these notifications in error."

    How many times must we hear this excuse!

    Unfortunately we are stuck with Office 365 but we will NEVER place any of our critical infrastructure in Azure for this and many other reasons.

    Over the last 2 years there have been multiple outages and oddness in the Microsoft world that were caused by some Human(s) making a change that caused the problem! One would think a company of Microsoft's size and scope would have quality change management in place, but apparently that is too much to ask!
