A brief note for users of private Microsoft accounts (i.e. not self-managed company accounts). Are you currently receiving security warnings for your Outlook.com account stating that the account has been blocked because of suspicious activity? Often with the note that suspicious logins to the Microsoft account have been detected. A blog reader just contacted me about this and shared a theory. After a short investigation, I found numerous reports from the last few days in which people observed that their outlook.com accounts were being synced from foreign IPs (despite 2FA). It's not clear whether this is a service issue or a security flaw.
Outlook.com account suspension notifications
German blog reader Georg D. contacted me via e-mail (thanks for the tip) and reported that the security mechanisms at Microsoft's e-mail service outlook.com seemed to be going a bit crazy. He wrote:
Hello Mr. Born,
at Microsoft's free mail service "Outlook.com" the security mechanisms seem to go crazy (or someone is playing around in Microsoft's system?).
On Friday, my sister informed me that she had received a security warning by mail, sent to the security mail address stored in her Outlook.com account.
He sent me a screenshot of his German notification, which says that another person probably has access to the Microsoft account. The account has been suspended, and no further POP3/IMAP connections are possible. However, it was still possible to log in to the web interface. According to Georg, after logging in to the web interface he could see that suspicious logins had been made from the USA via the IMAP protocol to the online account – rather unlikely for a German user.
I entered the IP address 126.96.36.199, reported in the login attempts, in this database and other domain tools. The IP address range 188.8.131.52 – 184.108.40.206 is registered to Microsoft itself.
A second case in France
Well, the above case could have been dismissed as an isolated event. But during my first search for the above IP address, I came across this French-language forum where a user complains about constant security messages:
Hello, for 4 days now my email has been notifying me about an unusual connection from the USA and I have to change the password (for the 4th time this morning), but nothing happens.
This morning I had this unusual notification again. I changed the way my iPhone and PC access the Microsoft email account. So I am not infected. Is this a bug from outlook USA?
… Because it is wearing me down … Thanks for your opinions.
Various IP addresses are mentioned there as well, all of which belong to Microsoft. The discussion is not very helpful (at least to my taste), because it asks whether the user could simply exempt the IPs in question from monitoring. The best hint was that a third party is trying to access the account – and that the two-factor authentication (2FA) employed by the user would probably help there. The problem would take care of itself …
The blog reader is suddenly affected himself
Georg mentioned in his email that he ran into the same problem shortly after his sister called for help. He had also found out that "the IP address probably belongs to Redmond," as he put it. He wrote:
At the same time, I noticed that I had also received an identical security warning for my Outlook.com account. My account was also blocked from sending mail. After a web login, I also had a suspicious login in the web interface.
Here, another IP is used, but it also belongs to the IP address range mentioned above, which is assigned to Microsoft. Then his account was blocked a second time, about which he wrote:
Now today I received another security warning from MS. Once again the account was locked. After logging into the web interface this time there are no suspicious logins logged. In the meantime my sister writes me that she also got the security message again and the account is locked.
More sources on the web
Georg did some research on his own and came across some other sources on the Internet apart from the case in France I linked to above. For example, he came across this post by an affected user at Microsoft Q&A:
Under the title Unusual sign-in activity email from MS, the user reports two notifications for his email account. The activities originate from Microsoft Azure server IPs. Another affected user confirms the observations – with no response so far in the Q&A thread.
Georg also sent me the link to this Microsoft Answers forum post, where the behavior (which occurred on July 13, 2022) was reported on July 14, 2022. The Outlook account user also received a security notification about unusual activity.
OUTLOOK MAIL ACCOUNT – UNUSUAL ACTIVITY
I received an email Alert this morning from Microsoft Outlook Security that they found unusual activity on my account.
When I checked my account activity online, I saw a suspicious IP address: IP: 220.127.116.11 (geolocated in Redmond, WA — A MSFT IP….hmmm…) that just Successfully auto synced to my Outlook Mail account within the past few hours at that time.
I immediately changed my password and also added 2-factor Authentication to my account and noticed that the suspicious IP address was then "unsuccessful" at auto-syncing a few times, but now I see this same suspicious IP back again "successfully Auto-syncing" with my Outlook account even after all my password and 2FA changes.
Is this a known issue at MS? Or has my account been irreparably compromised?
Is there any way that Microsoft can secure my existing Outlook mail account?
So it's a strange thing: even with two-factor authentication (2FA) he sees auto-syncing with his account. The thread is currently exploding, as he has linked many more references to other threads in the Outlook forum at Microsoft Answers. It looks like Microsoft Outlook.com accounts can be viewed by third parties.
What's going on?
A former Outlook MVP has come forward in the above MS Answers thread and wrote that there is no known internal problem producing these erroneous messages about synchronization. If the accounts really are being queried by third parties, this is a serious issue. However, the MVP currently suspects that it may be a bug (service issue), because so many people are experiencing it.
The blog reader has reported further findings along these lines – and a search for "unusual sign-in activity email from MS" turns up more hits. The reader writes:
Microsoft security advisories always talk about either the IMAP or POP3 protocol. In my case, I can rule out that at the times in question a client of mine would have generated access via IMAP/POP3, let alone have a client of mine running in the US or in an Azure resource.
To me it looks like the security mechanisms are just "going haywire" and causing these arbitrary blocks.
That would still be the least critical cause in my view, because then at least the accounts are not compromised, even if usability is severely hampered (due to the account suspensions). One suspicion is that Microsoft's scans of the email accounts (for NSA or other purposes) trigger the AI for suspicious activities.
I had a phone call this week from a blog reader reporting his observation that the firewalls used within his company were suddenly being scanned from IP addresses belonging to Microsoft. But the reader did not come forward with more details. My first idea, that Azure instances have been hacked and are being used for attacks, isn't too probable.
There is another explanation – but I can't verify it currently, as my Outlook account is not affected yet. During my research I came across this warning from Switzerland's national cyber security body NCSC, which warns against similarly crafted notifications in the form of phishing emails.
However, that warning is about alleged access attempts from Moscow (Russia). Those mails clearly fall under the category of phishing. The case described in that warning is therefore slightly different from what the reader described (he sees the access attempts listed in his account).
Final question: has anyone among the readership also been affected? Are there similar observations – e.g. firewall accesses from IPs in the Microsoft Azure range? I still think that Azure instances have been rented or taken over by attackers and are currently being used for such attacks. I will try to escalate this case to Microsoft to find out what's going on (service issue, or security issue with hacked accounts).
Addendum: I've searched Microsoft's Answers forum for user reports and left a link to this article. I also asked the Microsoft forum moderators to escalate the topic to the product group (I don't have the rights for that in my community moderator role for Windows). Now there is feedback in several threads where Microsoft confirms that the issue is known. Here is an excerpt from one reply:
Thank you for the information. Please be advised that Microsoft is aware of this known issue already. This started to happen even last week and we are already working on this matter. We even have created a ticket number for this issue while it is still happening.
The ticket number for the emerging issue is INC31680156.
So they are on it, but no idea when it will be fixed.
[EDIT] They also confirmed that the account was secure, no need to change passwords, etc.
It should be fixed
Addendum: In Microsoft's Answers forum there is a post from D. Horvitz saying:
07-28-2022: (D. Horvitz)
Received the following "updated reply" today 07-28-2022, from MS Outlook Support regarding my original Support Case ("Trouble Ticket") submitted on 07-14-2022:
"Let me inform you that the fix has been successfully deployed by our Engineering team for the outage which you were facing unusual activities in your account."
Although the MS Support response above is somewhat vague in regard to the wider "unusual sign-in activity" issue, it does appear that the original issue has mostly been corrected for many MS Outlook Users including myself.
But please advise if you are still seeing NEW instances of the Unexpected Microsoft IP (IP: 13.101.XXX.XX) appearing within your Outlook "Recent Activity Page."
So once again, hopefully this issue has finally been resolved systemically & globally.
I also added this same update to my original main MS Community posting.
So the issue should be fixed now, right?