
Microsoft/Outlook.com foreign failed login attempts?

The other day I was searching for something in a Microsoft (/ Outlook / Live / whatever they call it nowadays) account's settings, and found something unexpected.

There's a page showing "Recent activity". In my case that means sign-in history.
And a few times per week various attackers tried to login, from various countries.
These attempts are labeled "Unsuccessful sign-in", with the details saying "Incorrect password entered".
Seems to be a common problem.

There's a "Look unfamiliar? Secure your account" link. It just opens a popup:
Thanks for telling us.
Don’t worry. This sign-in attempt was unsuccessful, so there is no need to change your password.

If anyone's seeing these hack attempts, how often do you get them?


By the way, someone suggested you can create a new Microsoft email alias, make it primary, and turn off login for the exposed email address or addresses (under "Sign-in Preferences").
Apparently, by default all aliases can be used for login, even the ones that aren't the primary.
 
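The "Recent activity" list described above is just a table of timestamped rows, so the question of how often the attempts come is easy to answer programmatically. The following is an added example (not the poster's, and the records are constructed, not taken from any account): it counts "Unsuccessful sign-in" rows per day with the top source country, and separately flags the one thing in that list that actually warrants a password change, a successful sign-in from a country the owner never uses.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of the "Recent activity" list:
# (timestamp, country, status, detail). Not real data from any account.
SAMPLE_ACTIVITY = [
    ("2025-02-08T03:12:00", "China",   "Unsuccessful sign-in", "Incorrect password entered"),
    ("2025-02-08T03:13:00", "China",   "Unsuccessful sign-in", "Incorrect password entered"),
    ("2025-02-08T11:40:00", "Brazil",  "Unsuccessful sign-in", "Incorrect password entered"),
    ("2025-02-08T19:05:00", "Germany", "Successful sign-in",   "Password and 2FA"),
    ("2025-02-09T02:50:00", "Brazil",  "Unsuccessful sign-in", "Incorrect password entered"),
    ("2025-02-09T02:51:00", "Brazil",  "Unsuccessful sign-in", "Incorrect password entered"),
    ("2025-02-09T02:52:00", "India",   "Unsuccessful sign-in", "Incorrect password entered"),
    ("2025-02-10T08:00:00", "Brazil",  "Successful sign-in",   "Password"),
]

# Assumption: the countries the account owner really signs in from.
FAMILIAR_COUNTRIES = {"Germany"}


def failed_signins_per_day(records):
    """Count failed sign-ins per calendar day and name that day's top source country.

    Returns {day: (failed_count, top_country)}; successful sign-ins are ignored here."""
    per_day = defaultdict(Counter)
    for ts, country, status, _detail in records:
        if status != "Unsuccessful sign-in":
            continue
        day = datetime.fromisoformat(ts).date().isoformat()
        per_day[day][country] += 1
    return {day: (sum(c.values()), c.most_common(1)[0][0])
            for day, c in sorted(per_day.items())}


def unfamiliar_successes(records, familiar=FAMILIAR_COUNTRIES):
    """The rows that actually warrant a password change: a *successful* sign-in
    from a country the owner never uses. Failed guesses alone do not."""
    return [(ts, country) for ts, country, status, _detail in records
            if status == "Successful sign-in" and country not in familiar]


if __name__ == "__main__":
    for day, (n, top) in failed_signins_per_day(SAMPLE_ACTIVITY).items():
        print(f"{day}: {n} failed attempts, mostly from {top}")
    for ts, country in unfamiliar_successes(SAMPLE_ACTIVITY):
        print(f"REVIEW: successful sign-in from {country} at {ts}")
```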
If anyone's seeing these hack attempts, how often do you get them?
I've never checked because I have 2FA turned on for my account and thus literally don't care. Even if a dips**t attacker got hold of my password somehow, there's no way for them to login without having my physical 2FA device and fingerprint as well, which realistically means that my account is safe unless I am abducted, and nobody gives enough of a s**t about me to do that.

If you don't have 2FA enabled for every account that offers it, take a few minutes outta your day and do this. Including for your TPU account.
 
Can you have a look? I'm curious.

I found it interesting that the only compromised usernames were the main one (oldest) and one alias which I did consider relatively "less private".
That's based on the only 1-month history you can view.

I'm using TOTP on more important accounts.
 
Yup pretty normal; the world’s a scary place when you look at the logs. Don’t reuse passwords and enable MFA. My email is available in a lot of places my account is full of these.
 
Can you have a look? I'm curious.
15 attempts on Saturday, mostly from China; 16 yesterday, mostly from Brazil.

My level of concern in this regard remains nil, I might honestly go passwordless in favour of 2FA which I'm using anyway. The only thing putting me off doing so is Microsoft requires their own authenticator app to be used in that case, literally all my 2FA codes are in Google Authenticator, and I am too lazy to migrate them to MS's app.
 
Yup pretty normal; the world’s a scary place when you look at the logs. Don’t reuse passwords and enable MFA. My email is available in a lot of places my account is full of these.
Same here. Odds are, it is a bot (automated bad guy) poking around. They do 100s of 1000s, maybe millions every day, hoping to get lucky with 1 or 2. It's how spam works too.

The problem is, everyone wants our email address - from doctors, to stores, to the IRS and state revenue offices, the DMV, you name it. And because all these offices implement the latest, state-of-the-art security measures, and have the most dedicated security people and C-Level management... choke... cough... choke... cough. Okay - almost drowned in my own BS.

The truth is, almost every single corporate hack and company security breach occurred because someone in the IT security section failed to do their job :( and because upper, C-Level management don't care because they know they will not be held accountable for their [criminal - IMO] negligence. :mad::mad::mad:

Example - the HUGE Equifax breach a few years ago that compromised the personal data of over 160 million people happened because bad guys exploited a vulnerability - a previously identified vulnerability for which the developers had distributed the patch to Equifax months before the breach!

But rather than apply the patch ASAP, Equifax IT security sat on it - much in part because IT management and the Equifax C-level execs didn't make the security of their customers' personal information a priority. :(

Note too none of our personal information was encrypted either! :( :mad:

NO ONE was held accountable! :mad: The only person who got into any trouble was a low-level manager who was charged for insider-trading for selling off his Equifax stocks after learning about the breach but before the breach was reported or announced to the public.

Yes, this was nearly 8 years ago - but NOTHING has changed! Nearly every breach still occurs because someone failed to do their jobs.

***

Anyway, if you use gmail here's a neat trick you can use. It won't stop the hacking attempts but it can help you identify how/where the hacker (or spammer) got your address.

Gmail supports unlimited gmail addresses. To use these, let’s assume you created a Gmail account using the address of bilbo.baggins@gmail.com. Simply add a plus sign (+) after the username and Gmail will ignore everything after the + in the address.

Example, bilbo.baggins+xyzsite@gmail.com or bilbo.baggins+zyxsite+ebay@gmail.com.

Gmail will also ignore any plus sign (+) or dot (.) in the middle of the username. For example, bil.bo+bag.gins@gmail.com, bi.lbobaggins@gmail.com, and bilbobaggins@gmail.com all work.

Any email sent to any of those addresses will come to your real Gmail address, in this case, bilbo.baggins@gmail.com.

So, when you register at a new site, you can create your account using a unique Gmail address that will go to your original Gmail account. Then if you start getting a bunch of spam sent to that unique Gmail address, you know which scumbag company sold your email address to the spammers.

***

Oh, check your router logs (if your router supports them). Odds are, there have been a bunch of hack attempts on your home network too. Netgear supports such logs. I see all sorts of what Netgear calls various "attacks" in my logs from all over the world. Most are innocent from legitimate companies like Akamai, Google, Level 3, etc. But some are from organizations in China, Russia, Poland, Thailand, Vietnam - why are they banging on my router? IDK. But I do know they didn't get in! :)

If you ever experience a significant network slowdown, check your logs for that time period. You might have been under a DoS attack.
 
15 attempts on Saturday, mostly from China; 16 yesterday, mostly from Brazil.
15 times per day!
I see an average of maybe 0.5/day. Sometimes 1-2 per day, sometimes a few days without anything.
And yes, mostly China and Brazil. Also India, UK, Mexico, Saudi Arabia, Spain, Uruguay.

The only thing putting me off doing so is Microsoft requires their own authenticator app to be used in that case, literally all my 2FA codes are in Google Authenticator
Microsoft, at least Outlook.com here, is standard TOTP.
So the same as Google Authenticator (not that I use that either).

Gmail supports unlimited gmail addresses. To use these, let’s assume you created a Gmail account using the address of bilbo.baggins@gmail.com. Simply add a plus sign (+) after the username and Gmail will ignore everything after the + in the address.
It's more useful for official senders, because attackers can just remove everything starting from the plus sign.
Microsoft's aliases are more useful, but you can only have 10 of them currently.

More complex alternatives are standalone email redirectors like Mozilla's Relay or addy.io.
But the real solution is for the email standard to evolve, and include built-in mechanisms.
 
It's more useful for official senders, because attackers can just remove everything starting from the plus sign.
Nah! First, as I noted, odds are the attacker is a bot - not a person.

Second, bad guys are lazy opportunists. They go for the easy pickings. They just are not going to spend time trying different iterations of your email address. They will just move on to someone else.

Now this changes if the bad guy is specifically targeting YOU personally. But then you have bigger issues to deal with.

More complex alternatives
:( I didn't say, suggest, or imply it is the panacea for all hacking attempts. In fact, I didn't even suggest it would stop any. I simply said it is a trick to "help identify" the scumbag who sold your address to the bad guys.
 
@Bill_Bright

Not talking about a guy editing emails addresses manually.
They have automation for the whole operation.
It's just a single regex search and replace. I wouldn't be surprised if it's already there in the standard tools they use to import emails into their database, or directly in the attack script.
 
Gee whiz. For the third time, it is just a trick to "help identify" the scumbag who sold your address to the bad guys.

Here's a thought, nageme. Don't use it. :rolleyes:
 
I get them too


[attached screenshot]


You can see the IP and then use a site like domaintools to see that MS is about as retarded as they get on security, since they know that there are multiple offending IPs that belong to botnets they could just ban and work with edge network providers to stop the activity, but then who would they sell information to for advertising?

[attached screenshot]

For example this "US sign in attempt" that is actually for a "cloud data provider" based in east Africa using rented server space in the US and performing a poorly implemented VPN bounce that also has no abuse center to report anything to and is based in Germany, so the German shell company buys server time in the US and bounces their IP to said server and uses it until they run out of money funded by Russia, China, or whoever. Or the old Biterika Group which is a front for Russian state sponsored hacking that just doesn't care and has been running against US based IPs/services for years trying to find soft targets just for the mayhem (we have done the same to them, it's just to sow anger and discontent). Will MS do anything about this with the current sanctions in Russia or China, or the obvious bot nets running attempts against tables of email addresses? No, that would cost a few million in network infrastructure hardware to run and they instead want to bring your data back to see what they can sell about you. They know I downloaded qtorrent and ran it to download Cinematic Mod 13.

[attached screenshot]


A simple $700 firewall allows me to block based on geolocation, stealth mode which doesn't respond to anything or even broadcast ACK packets, kick IPs for attempting to login, presents an offensive oversized page to attempts to login that acts as a bot trap to an external site and handles all this with a 1Gbps connection; it also kicks IPs for flooding/DDOS attempts and is performing SPI/DPI with enforced virus, malware, and real time blacklisting updates. But MS can't somehow figure it out.
 
Your basic Windows firewall is "simple", yet still effective. Still, I would hope a $700 firewall is a bit more than that.
 
Your basic Windows firewall is "simple", yet still effective. Still, I would hope a $700 firewall is a bit more than that.


It's for a Dr's office I manage the IT for.
 
They can't categorically block based on geolocation because people might travel, and VPN or server providers do have legit uses.
But they can require special handling when something is unusual. I assume they do something like that?
I assume Microsoft implements security measures better than most.

BTW, you can at least disable "browsing and search" history. And "apps and services", whatever may be there.
 
It's for a Dr's office I manage the IT for.
Ah! That makes sense. Still, "simple" does not seem appropriate - though for that money, I would hope using the menu options is.

They can't categorically block based on geolocation
Who's "they"?

Of course companies and organization can - and do. My bank, for example, blocks access from certain locations. So does my town.
 
Geo-blocking is super common actually; we use that and IP whitelisting all the time as cheap and effective security.
 
They can't categorically block based on geolocation because people might travel, and VPN or server providers do have legit uses.
But they can require special handling when something is unusual. I assume they do something like that?
I assume Microsoft implements security measures better than most.

BTW, you can at least disable "browsing and search" history. And "apps and services", whatever may be there.


They could easily geo-block based on location; there are far too many third world countries that user A has never logged in from and probably never will. As far as VPNs, most of your VPN services are a joke: they are merely source routed requests and you are granting them access to man-in-the-middle you if they actually do what they say, and not being bound by US law, many of them are NOT liable to subpoenas. They claim to not keep logs, but I claim to be a French lingerie model and since it's the internet who can discredit me? Also good luck suing a Panama company with their current Asian political affiliation.
 