I would like to share some brief information with you, along with a question for our readers. It concerns the activity history of your Microsoft accounts. A blog reader informed me that he suddenly noticed access attempts from unknown IP addresses—I can't see anything unusual on my account. His account appears to have been hacked despite 2FA.
A reader reported something strange
German blog reader Thomas B. emailed me the other day and asked: "Have you ever looked into your Microsoft account and checked your login activities under Security to see if there are any that couldn't have been made by you?" He had checked his Microsoft account by chance and found the following entries:
He has two Microsoft accounts, one of which I have shown with its last activity in the screenshot above. The activity history shows that both Microsoft accounts were successfully accessed from a foreign IP address in Ireland. The screenshot above also shows the message "Sign-in blocked (account compromised)".
My cross-check was unremarkable
The reader was certain that he had not accessed the accounts. I then checked one of my Microsoft accounts, but the history under "Recent activity" was simply empty – which shows how rarely I use this account.
When I told Tom this, he said, "Yes, there's nothing there for my wife and another Microsoft account either. What surprises me is how this successful login could have worked, even though I have MFA enabled on all my accounts." And that is what got me thinking, too.
What's going on?
With multi-factor authentication, only the account owner who also has access to the authenticator should be able to successfully access the Microsoft account. Since Tom was an MVP, I think it's unlikely that this was a mistake.
So how is it possible that someone from a foreign IP address was able to successfully access the Microsoft account despite MFA—at least that is what the activity history says?
Account was apparently hacked
I had prepared the above text and asked Tom to read it. Afterwards, he wrote to me: "… I saw that Microsoft had sent me an email to my outlook.com inbox weeks ago saying that someone had apparently tried to send mass emails from my inbox … It's stupid that I was never made aware of this … except that I happened to look at my outlook.com mailbox now …".
Furthermore, the reader's Microsoft account on nexusmods.com was banned for spam. The reader concludes that two of his Microsoft accounts were hacked or compromised.
I replied to the reader: "Do you have any explanation as to how this could have happened? You wrote that 2FA was active. Could a token have been stolen? Otherwise, it would mean that the account was compromised by Microsoft." Tom replied:
Yes, you're probably right, it's more extensive, and deeper security mechanisms have been compromised… otherwise I can't imagine it either. … I find it strange that there are two different IPv6 addresses from the Azure subnet listed there… I haven't noticed anything else unusual so far…
… and so I also find it strange that it's NexusMods, which also points to a compromise, even in a data center on the island …
There are also no procedural emails that can be used if you are blocked; they don't arrive. Only the emails exchanged directly via SMTP between NexusMods Support and me work… but even there, there are problems… I have now written to a few NexusMods users whom I can also contact via private email. Let's see what happens…
It's all very obscure, but the only thing I can think of is that "if Microsoft's infrastructure has been compromised, that could explain it." That's where I'd like to pass the topic on to the readers. Presumably, hardly anyone looks at the activity history of a Microsoft account. Maybe check it out and comment here if you notice any unusual activity or if there is an explanation for the above situation. With 2FA security for Microsoft accounts, something serious must have happened.
Later, my German blog readers pointed out that this is not an isolated case. I will compile that into part two of this article series.
Articles:
Has your Microsoft account been hacked? Do you see any unusual activity in your history? – Part 1
Unauthorized logins to Microsoft accounts despite 2FA – Part 2
I've actually been seeing the opposite… up until a few weeks ago, there were tons of entries (unsuccessful login attempts) listed on the login activity page, from all corners of the world. It was understandable, as I have a rather short username without numbers.
However, lately there are literally none – other than my regular login. So I'm guessing they're either filtering them out now (for "psychological" purposes), or they actually implemented some heavy barriers on the login side.
Other experiences …
https://learn.microsoft.com/en-us/answers/questions/5495193/microsoft-sign-in-from-ipv6-associated-with-micros
Thank you, Tom, I know that link – I will cover it in the 2nd article.
I have also recently seen this in the UK.
An early morning "successful sign-in" from an IPv6 address in the Netherlands (2a01:111:f402:f0c4:f142). I have 2FA enabled, wasn't in the Netherlands and didn't knowingly get a notification from the Microsoft Authenticator app (unless it timed out when I was asleep).