Microsoft Account Suspicious Activity from Unusual Source

So here’s a strange one. I thought I’d post here to get some opinions besides my own on this. I’ll try to be as concise as possible; if anyone wants more info, feel free to ask.

I was notified yesterday by Microsoft of unusual activity on my account. The notification came up as soon as I used the default Mail.app on MacOS.  The activity shows an IP address that goes back to the UK Ministry of Defence.

For the last week I’ve been out of town (went to Florida) and this is the first time I launched the mail app on the Mac in 8 days. I accessed my Microsoft account while I was gone both on an iPad and iPhone, mainly via Verizon Wireless. I can’t recall if I used public WiFi and/or if I accessed mail or not; I don’t think I did but am leaving it open as a possibility. I think the trip may just be a red herring in this story because I find it strange that the notification came up the moment I used the mail app on my desktop.

Since the notification I enabled 2 factor authentication (yes, I wasn’t using it) and changed my password. There was a second time the account was accessed after this (4:24pm) and then it hasn’t been accessed since.

I did some searching and you will find others with a similar story to my own, mostly from a couple years ago. I also turned up this Register article from 2015 that says the UK Ministry of Defence sold some of their IPv4 addresses and their names were not updated. Is it possible 4 years later that they are still incorrect?

Few other items

1)   All the activity seems to be grouped under “Automatic Sync” for IMAP.

2)   I am located in the US and have never traveled to the UK.

3)   I don’t run any non-standard mail clients, although I had briefly tested some out (AirMail for iOS comes to mind).

4)   I don’t have my account checked from any other service.

5)   I don’t work in an industry that requires any background check, etc.

My current best guess is that my password for the account somehow got out there and that a spammer is impersonating me.

Conversation 3 comments

  • AnOldAmigaUser

    Premium Member
    04 May, 2019 - 12:41 pm

    Check your email address(es) and passwords at haveibeenpwned.com. Home page is for checking email addresses, there is a link to a different page for checking passwords.

    Good opsec is to never connect to public WiFi, especially if you have cellular signal. It is also a good idea to check your Bluetooth privacy settings, or just disable Bluetooth when not using it. I wish I could get my wife and kids to understand this.

  • simmonm

    04 May, 2019 - 12:56 pm

    Thanks AnOldAmigaUser, I checked there in the past but didn't think to now. Both email and password come back clear.

    For some reason I can't edit my original post or add text links here. I have screenshots of the log file from Microsoft too.

  • jules_wombat

    04 May, 2019 - 7:30 pm

    This has happened to me. My Microsoft account has been compromised, and £120 in Microsoft vouchers claimed against my account. Even with two factor authentication, my account has been accessed several times from Dublin, Ireland, but I have never been there. Despite me sending Microsoft showing them these accesses using their own account access details, they still refuse to believe my account was compromised, and blamed me. Microsoft refused to believe that someone fraudulently accessed my account. They could not provide any evidence of the vouchers being sent to my address or to my advantage. Basically Microsoft refused to trace the disputed vouchers.

    I can no longer trust my Microsoft account with a valid credit card, as it is insecure, regardless of enabling two factor authentication.
