Updated Strange things are brewing in the Microsoft email world with several users reporting unusual login notifications for their Outlook accounts.
While an email of unusual login activity should always be treated with suspicion, the problem here is that the IP address causing the problem seems to come from Microsoft itself.
The messages, according to users, also appear in the unusual activity section of the company’s email website, ruling out a phishing attack. Some confirm that an automatic synchronization has occurred.
Microsoft’s support forums are full of confused and slightly concerned notification customers, who look like everyone at Microsoft or some miscreant with access to one of the company’s endpoints trying to access their box to letters. Users have wisely changed their passwords, but still sometimes see a successful sync among failed login attempts.
Even switching to two-factor authentication doesn’t seem to stop “unusual activity”.
As with many email providers, Microsoft triggers an unusual activity email or text message when it detects a sign-in attempt from a new location or device. Sometimes they can be completely legitimate; for example, connecting to webmail from abroad or adding a new mobile phone. Other times, they can be an indicator of nefarious activity.
Sometimes Microsoft ups the ante and blocks the user’s login to protect an account.
Register readers got in touch to complain about the situation, with one saying, “It’s been going on for a few days now with my wife and I both affected.”
Our reader went on to speculate that maybe there were bad actors using Azure (hence the Redmond IPs) to break into accounts or maybe it was all just a mistake by the from one of Microsoft’s administrators. We asked the company to clarify, but a few days later they still haven’t responded.
In the absence of an explanation from the Windows giant, The register asked a tame computer scientist his opinion on the nature of the problem. He joked, “Let’s start by observing that Microsoft deems ITSELF suspicious. I call that progress!”
He went on to suggest that aside from something bad in the single sign-on service, perhaps the bad guys were reusing passwords from various disclosure lists “and had a streak of irony deep enough to use Azure for breaches”.
Microsoft has been equally reluctant on its own support forums with a handful of employee comments interspersed among complaints suggesting changing your password, enabling two-factor authentication or simply logging out of your account on Microsoft. all devices.
Might be a fix if only one or two users were having difficulty, but the issue seems to affect a large number of Outlook.com customers.
One user noted: “Microsoft really needs to fix this, at the very least to confirm that this ‘unusual login activity’ (as they detected themselves and urgently alerted users to their account) does not is NOT an “account intrusion/compromise situation and maybe just an MS internal system issue OR, if it is a more serious problem, what steps will need to be taken to resolve.”
You would have to agree. The company’s relative silence on the matter is perhaps more concerning than the incident itself. If Microsoft responds with an explanation, we’ll update this article accordingly.
Another user said, “I would like to know why an IP address belonging to Microsoft is syncing with my Microsoft account, why it is marked as ‘suspicious’ and why has it successfully synced at least once before. ” ®
Updated at 0933 UTC July 22, 2022 to add
Following the publication of this article, Microsoft sent us this statement: “We are working to resolve a configuration issue that caused some customers to receive these notifications in error.”