[TIP] Microsoft Account got hacked. PW change didn't help!

Metanis


Story: Small business customer got their sole Outlook.Com email account hacked. Of course, that's also their Microsoft Account. Customer was vague but I think they fell for the remote access Microsoft Tech Support popup.

Subsequently someone from Nigeria was replying to their legitimate email requests and trying to scam banking info from everyone they could. PS, their English was very good and they used complete sentences and even used my customer's cute little signature block. Here is a sample of the hacker's addition to an email thread trying to get a real customer's payment info:

Code:
Hi,

Please note: Henceforth we are unable to receive credit cards payments
or checks, payments are to be made electronically by Bank Transfer,
Zelle, CashApp.

Let me know your most preferable method of payment so i can have our
details sent to you for the balance payment.

~ Rosanna ~

So upon arrival, I ensured their single PC machine was no longer compromised and forced both major password changes and enabled 2-factor authentication on Microsoft and Google accounts. That was on Friday and on Monday my customer reported their email was still compromised.

What I didn't know was sad. Anyone with an EXISTING open session to Outlook.Com will remain authenticated UNTIL THEIR device closes the session!

After some Google Fu I found the only option other than abandoning the email account is to navigate to the user's Microsoft Account profile online, drill into Security, then Advanced Security, and find the option to "Sign Me Out". For some reason they claim it can take 24 hours to be effective!

I guess I haven't had to respond to enough hackers to be good at this stuff! Hopefully I've put the horse back in the barn for them.
 
Be aware that this applies to Google, too. It's not just Microsoft.

If you're logged in to a Google Account and go to the Security Pane, Your Devices section, and then open Manage All Devices it will show every device currently logged in to that account and (roughly) from where. You can force logout from there. Here's what it looks like for one of my Android phones:


If you hit the "Don't recognize something?" control it will suggest immediately logging out that device to secure your account.
 
Something else to check is application permissions. It's becoming more common for hackers to consent to application permissions for their own malicious app. These permissions remain even after password resets and MFA changes.

Odds are you have seen something like this before when setting up apps. Gmail has a similar thing (both OAuth 2.0 based).


You can check which applications have permissions at https://myapplications.microsoft.com/
Google has a similar page but I don't know the address.

If you are managing O365 tenants you should seriously consider restricting or entirely blocking user consent to applications. It's a huge security risk.
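For the tenant-side check and lockdown suggested above, here is an added example (not from this thread or from Microsoft) using the Microsoft Graph PowerShell SDK: it lists every delegated consent grant, flags grants to apps without a verified publisher that touch mail or files, and then restricts future user consent. It assumes the SDK is installed and that the signed-in admin holds the scopes requested below.

```powershell
# Added example: audit OAuth2 consent grants in an M365 tenant and restrict user consent.
# Assumes Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Directory.Read.All", "Policy.ReadWrite.Authorization"

# 1. Every delegated permission grant in the tenant.
#    ConsentType 'Principal' = a single user consented; 'AllPrincipals' = admin consent.
$report = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.PublisherName
        Verified    = [bool]$sp.VerifiedPublisher.VerifiedPublisherId
        ConsentType = $_.ConsentType
        PrincipalId = $_.PrincipalId      # user who consented (empty for admin consent)
        Scope       = $_.Scope            # e.g. "Mail.ReadWrite Mail.Send offline_access"
        GrantId     = $_.Id               # needed if you decide to revoke the grant
    }
}

# 2. The grants worth a second look: unverified publisher with mailbox/contacts/file access.
$suspect = $report | Where-Object {
    -not $_.Verified -and $_.Scope -match 'Mail|Contacts|Files|MailboxSettings'
}
$suspect | Format-Table App, Publisher, ConsentType, Scope -AutoSize

# To revoke a grant you have confirmed is malicious (remove the service principal's
# consent; the app can no longer use its refresh tokens against this tenant):
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId from the report>

# 3. Restrict user consent going forward: only verified-publisher apps asking for
#    low-impact permissions may be self-consented. Use @() to block user consent entirely.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}
```

Note that this covers an Entra ID / M365 tenant only; the personal Outlook.com account in this thread has no equivalent cmdlets, hence the web UI at myapplications.microsoft.com mentioned above.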
 
Consider yourself lucky that you still have access to the account. As I posted recently, I have a customer who lost access to her MS account. Hacker changed recovery email address. We're not getting back in. Luckily there wasn't much there and it wasn't their email account.
 
Nearly a week later this is still going on. I've started tickets with Microsoft but their techs can't seem to get Level 2 involved to actually clear the active sessions which the Nigerian scammer opened weeks ago. What a cluster.
 
"Nearly a week later this is still going on. I've started tickets with Microsoft but their techs can't seem to get Level 2 involved to actually clear the active sessions which the Nigerian scammer opened weeks ago. What a cluster."

Are you sure they are from the actual account and not forged? Did you check to make sure all forwarding rules were cleared?
 
Perhaps the final update to this saga?

Keep in mind this is for a PERSONAL Microsoft.com account, not a Business M365!

TLDR ... Create an alias email for the account, assign that new alias as the primary and ONLY account allowed to authenticate! Hope the hackers' email sessions eventually time out!

1. I ran multiple antivirus scans using multiple products and ensured the machine was reported clean! I did this each and every time I visited the customer's site. I even purchased a Premium version of Malwarebytes although I think that was a waste of money because it never detected the things that Microsoft Defender found. This included creating a new local account on the machine and scanning from that account.

2. Changed password immediately and without showing the new password in plain text on the machine in case the hacker was actively monitoring via Remote Control malware.

3. Outlook.Com >> Settings >> Mail and checked each category for hacker-invoked forwarding rules.

4. Outlook.Com >> Settings >> General >> Mobile Devices and deleted ALL of them. (This is important! A lot of hackers are using Android phones!)

5. Microsoft Account Dashboard >> Privacy >> Apps and Service Activity, and deleted a few questionable ones.

6. Microsoft Account Dashboard >> Security and enabled Two-step verification using a known good local customer phone.

7. Microsoft Account Dashboard >> Security >> Sign-in activity >> View my activity, and reviewed all sign-in activity. Upon flagging the questionable ones, I was prompted to change passwords again and again.

8. Microsoft Account Dashboard >> Security >> Advanced Security Options >> Get started, and reviewed all sign-in and verification options and deleted all the questionable items.

9. Microsoft Account Dashboard >> Security >> Advanced Security Options >> Sign Me Out, and tried to force disconnect any remote sign-ins. The problem being that even Microsoft reports this can take 24 hours!

10. *** Finally, Microsoft Level 1 support suggested I follow these steps to assign the account a new alias and then assign that alias as the primary and only option allowed to authenticate the account!
A. From the Microsoft Account page >> Your Info >> Edit Account Info >> Add Email alias.
B. Then make that newly created alias Primary!
C. Then Change Sign-In Preferences and remove all but the newly created Alias!
D. Then go back to Outlook.Com >> Settings >> Sync email and change the default "Send From" Address back to the original. At this point the hacker will have Zero idea what account to use to authenticate to the email and the original address will report that it doesn't exist!

I went through most of these steps multiple times and not in the order presented. On the final trip we discovered through one of my customer's customers that the hackers were using a spoofed email account to try and keep phishing. I mean that the original email address for my customer was T A N I S H E D S @outlook.com and the hackers created a new account and were using it to continue trying to extort money. The new account they created was T A N N I S H E D S @outlook.com. Notice the extra "N".

Also, on my final trip yesterday I helped my customer craft an email template they could use to notify their legitimate customers of the email hack and the spoofed address.

Although Microsoft has some good web documentation on this issue, I couldn't find any comprehensive procedure that detailed all the different settings and steps. If you know of things I missed, please add them to this thread!
 
"I mean that the original email address for my customer was T A N I S H E D S @outlook.com and the hackers created a new account and were using it to continue trying to extort money. The new account they created was T A N N I S H E D S @outlook.com. Notice the extra "N"."

A similar thing happened a couple of weeks back. Except in this case someone had actually bought a domain that was similar. The proper name was fullcompanyname.com but they bought fulcompnam.us. I'm sure they used a stolen CC but I still let the registrar and host know. They had built a website with the forged MS login page to harvest creds.
 
I'm just glad you got the mailbox back, that's a HUGE deal. Even if the baddies are still in it, having control of it at all at this stage is a massive effort, good work!

And there is a button in the security section of the account to sign everyone out, but I've seen more than a few reports that it doesn't work. You're stuck waiting 60 days I think for the previous authorization token to reset to ensure the baddies are out entirely. It might be 30 days... this is data I'm inferring based on past experience, to my knowledge it's not documented anywhere.
 