Outlook users report suspicious activity from Microsoft IP addresses • The Register


Updated Strange things are brewing in the Microsoft email world with several users reporting unusual login notifications for their Outlook accounts.

While unusual login activity emails should always be treated with suspicion, the problem here is that the IP address causing the problem appears to be from Microsoft itself.

The messages, according to users, also appear in the unusual activity section of the company’s email website, ruling out a phishing attack. Some confirm that an automatic synchronization has occurred.

Microsoft support forums are full of customers who are confused and a bit preoccupied by the notifications, which to all of them look like Microsoft, or some miscreant with access to one of the company’s terminals, trying to access their mailbox. Users have wisely changed their passwords, but still sometimes see a successful sync among failed login attempts.

Even switching to two-factor authentication doesn’t seem to stop “unusual activity”.

As with many email providers, Microsoft triggers an unusual activity email or text message when it detects a sign-in attempt from a new location or device. Sometimes they can be completely legitimate; for example, connecting to webmail from abroad or adding a new mobile phone. Other times, they can be an indicator of nefarious activity.

Sometimes Microsoft ups the ante and blocks the user’s login to protect an account.

Register readers got in touch to complain about the situation, with one saying, “It’s been going on for a few days now, me and my wife affected.”

Our reader went on to speculate that maybe there were bad actors using Azure (hence the Redmond IPs) to break into accounts, or maybe it was all just a mistake by one of Microsoft’s administrators. We asked the company to clarify, but a few days later it still hasn’t responded.

In the absence of an explanation from the Windows giant, The Register asked a tame computer scientist for his opinion on the nature of the problem. He joked, “Let’s start by observing that Microsoft deems ITSELF suspicious. I call that progress!”

He went on to suggest that aside from something bad in the single sign-on service, perhaps the bad guys were reusing passwords from various disclosure lists “and had a deep enough irony streak to use Azure for breaches”.

Microsoft has been equally reticent on its own support forums, with a handful of employee comments interspersed among the complaints suggesting changing your password, enabling two-factor authentication, or simply logging out of your account on all devices.

That might be a fix if only one or two users were having difficulty, but the issue seems to affect a large number of Outlook.com customers.

A user noted: “Microsoft really needs to fix this, at the very least to confirm that this ‘unusual login activity’ (as they have detected themselves and urgently alerted their account users) is NOT a situation of “account intrusion / compromise” and possibly just an MS OU internal system issue, if this is a more serious problem, what steps will need to be taken to resolve it.”

You would have to agree. The company’s relative silence on the matter is perhaps more concerning than the incident itself. If Microsoft responds with an explanation, we’ll update this article accordingly.

Another user said, “I would like to know why an IP address belonging to Microsoft is syncing with my Microsoft account, why it is marked as ‘suspicious’ and why has it successfully synced at least once before.” ®

Updated at 0933 UTC July 22, 2022 to add

Following the publication of this article, Microsoft sent us this statement: “We are working to resolve a configuration issue that caused some customers to receive these notifications in error.”

