
Is my microsoft account blacklisted?

UncleEbenezer
The full Lemon
Posts: 10783
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1470 times
Been thanked: 2993 times

Re: Is my microsoft account blacklisted?

#206203

Postby UncleEbenezer » March 7th, 2019, 12:12 pm

wickham wrote:I opened the link in the microsoft email (a risk I don't like taking) and it just opened a login page and that went to a normal microsoft account page with no unusual message. Perhaps just logging in again is enough to satisfy microsoft that my email address is mine and that I can continue using the account without a problem.

You logged in. Someone now has your login details. Change them NOW, if you haven't already!

taylor20
Lemon Pip
Posts: 66
Joined: November 4th, 2016, 11:59 am
Has thanked: 10 times
Been thanked: 22 times

Re: Is my microsoft account blacklisted?

#206204

Postby taylor20 » March 7th, 2019, 12:14 pm

Indeed, the domain may be owned by Microsoft but it is part of their Azure service, where _anyone_ can host a static website (see https://www.bleepingcomputer.com/news/s ... microsoft/).

So for future reference _do not_ enter any details onto the website presented.

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Is my microsoft account blacklisted?

#206212

Postby Infrasonic » March 7th, 2019, 12:58 pm

Another point on the pwned site/passwords.

The real domino effect is when you re-use passwords across many websites or services or use other accounts like Facebook, Twitter et al to log in.

If you keep passwords unique to each site and service, make them difficult to brute force guess, then your maximum loss is one site that will need a password change in the event of a breach. AFAIK I've never had a password breach (tempting fate... :twisted: ). Use a zero knowledge password manager if needs be.

https://www.grc.com/haystack.htm

wickham
Lemon Slice
Posts: 363
Joined: November 6th, 2016, 8:13 am
Has thanked: 34 times
Been thanked: 10 times

Re: Is my microsoft account blacklisted?

#206217

Postby wickham » March 7th, 2019, 1:19 pm

Infrasonic wrote:
wickham wrote:

I opened the link in the microsoft email (a risk I don't like taking) and it just opened a login page and that went to a normal microsoft account page with no unusual message. Perhaps just logging in again is enough to satisfy microsoft that my email address is mine and that I can continue using the account without a problem.


Did you check the message source headers first?
Many phishing emails are cloned from the genuine article, and then link to a cloned website, so no matter how legit they look you should always look at the headers for clues first.
I've even had phishing emails that had 'from a known sender' DMARC validation style message headers at the top of the email.
When I checked the message source details it had failed some of the validation, confirming it wasn't legit.

Didds said that the url was a valid microsoft url, so I opened that and it showed a normal microsoft page.
I always check the email headers when I'm not sure; in this case there was no reply to address, just a from address from someone @hotmail.com and after didds comment I opened the webpage.

What does seem odd is that I usually use Outlook and haven't used outlook.com browser email for about nine months but two days ago I checked that it was still working, without opening or sending any emails. Could this have flagged up unusual activity at Microsoft?

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Is my microsoft account blacklisted?

#206223

Postby Infrasonic » March 7th, 2019, 1:36 pm

So from the message source headers what were the DKIM, SPF and DMARC statuses?
If they all had =PASS then you should be OK.
If any have FAIL then that's a red flag.
If you get DKIM and SPF pass but nothing on DMARC it might have been sent from a non-DMARC-compliant source, so isn't necessarily something to panic about.

wickham
Lemon Slice
Posts: 363
Joined: November 6th, 2016, 8:13 am
Has thanked: 34 times
Been thanked: 10 times

Re: Is my microsoft account blacklisted?

#206231

Postby wickham » March 7th, 2019, 2:00 pm

Authentication-Results: spf=pass (sender IP is 40.92.69.21)
smtp.mailfrom=hotmail.com; hotmail.com; dkim=pass (signature was verified)
header.d=hotmail.com;hotmail.com; dmarc=pass action=none
header.from=hotmail.com;
Received-SPF: Pass (protection.outlook.com: domain of hotmail.com designates
40.92.69.21 as permitted sender) receiver=protection.outlook.com;
client-ip=40.92.69.21; helo=EUR02-VE1-obe.outbound.protection.outlook.com;
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (40.92.69.21) by
SG2APC01FT038.mail.protection.outlook.com (10.152.251.98) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1643.15 via Frontend Transport; Wed, 6 Mar 2019 16:05:17 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:55ADFE14CCB13585347236DF9018BFC487923BFDCF30C09E01847B2EB4BCE4B2;UpperCasedChecksum:933A64FEA3B589FD183A6AFF4F25EEF31E64544429CFE8E65553C45818B5984C;SizeAsReceived:3949;Count:34
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=tM8exufFnCkMpgazW8Bm+1F89hGd+3n4+5sWKQ8mw5Y=;

Looks OK? sender IP 40.92.69.21 is Microsoft in Vienna!!

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Is my microsoft account blacklisted?

#206249

Postby Infrasonic » March 7th, 2019, 3:05 pm

Yeah looks good. You got all 3...

UncleEbenezer
The full Lemon
Posts: 10783
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1470 times
Been thanked: 2993 times

Re: Is my microsoft account blacklisted?

#206255

Postby UncleEbenezer » March 7th, 2019, 3:30 pm

But that's far from complete headers. All it (probably) tells you is that the phisher is a user of MS services. Which we already know: someone already identified the domain as hosting MS Azure users.

UncleEbenezer
The full Lemon
Posts: 10783
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1470 times
Been thanked: 2993 times

Re: Is my microsoft account blacklisted?

#206257

Postby UncleEbenezer » March 7th, 2019, 3:35 pm

wickham wrote:Looks OK? sender IP 40.92.69.21 is Microsoft in Vienna!!

What IP does your email come from?

No, don't tell me, just look it up. It'll identify as your ISP, or mail provider if different. It might identify as Microsoft if you're a user of their services.

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Is my microsoft account blacklisted?

#206259

Postby Infrasonic » March 7th, 2019, 3:42 pm

What does seem odd is that I usually use Outlook and haven't used outlook.com browser email for about nine months but two days ago I checked that it was still working, without opening or sending any emails. Could this have flagged up unusual activity at Microsoft?


Most of the big webmail providers have 'unusual activity' or 'logged in from new device' alerts.
The PC I'm posting from is an occasional use one at someone else's house, so I had to clear a few security alerts when I first logged on to my various accounts on Saturday, despite having a Google Chrome logged in profile saved on that PC.

There's a Microsoft Authenticator app for mobiles that is quite handy for two factor authentication.
Android link here...https://play.google.com/store/apps/deta ... ator&hl=en
It can generate one off codes if there's no mobile signal too.

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Is my microsoft account blacklisted?

#206263

Postby Infrasonic » March 7th, 2019, 3:58 pm

UncleEbenezer wrote:But that's far from complete headers. All it (probably) tells you is that the phisher is a user of MS services. Which we already know: someone already identified the domain as hosting MS Azure users.


True.

There's a header analyzer here wickham, put the whole header into it, and pay attention to the 'blacklist' bit.
https://mxtoolbox.com/EmailHeaders.aspx

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Is my microsoft account blacklisted?

#206283

Postby Slarti » March 7th, 2019, 5:06 pm

wickham wrote:
I opened the link in the microsoft email (a risk I don't like taking) and it just opened a login page and that went to a normal microsoft account page with no unusual message. Perhaps just logging in again is enough to satisfy microsoft that my email address is mine and that I can continue using the account without a problem.


Now go to your normal login page in the normal way and change your password, ASAP as there is a strong possibility that you did not go to Microsoft, but to a dummy site set up to look like Microsoft!


Slarti

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Is my microsoft account blacklisted?

#206291

Postby Infrasonic » March 7th, 2019, 5:40 pm

taylor20 wrote:Indeed, the domain may be owned by Microsoft but it is part of their Azure service, where _anyone_ can host a static website (see https://www.bleepingcomputer.com/news/s ... microsoft/).

So for future reference _do not_ enter any details onto the website presented.


Some more examples here, including very convincing landing pages for well known services like Dropbox, OneDrive, Office365 and Docusign.
https://www.proofpoint.com/us/threat-in ... redentials

wickham
Lemon Slice
Posts: 363
Joined: November 6th, 2016, 8:13 am
Has thanked: 34 times
Been thanked: 10 times

Re: Is my microsoft account blacklisted?

#206300

Postby wickham » March 7th, 2019, 6:32 pm

Infrasonic wrote:
UncleEbenezer wrote:But that's far from complete headers. All it (probably) tells you is that the phisher is a user of MS services. Which we already know: someone already identified the domain as hosting MS Azure users.


True.

There's a header analyzer here wickham, put the whole header into it, and pay attention to the 'blacklist' bit.
https://mxtoolbox.com/EmailHeaders.aspx
Delivery Information

Problem: DMARC Compliant
Ok: SPF Alignment
Ok: SPF Authenticated
Ok: DKIM Alignment
Problem: DKIM Authenticated


Blacklist section, all ticks except:
4 11 minutes EUR02-VE1-obe.outbound.protection.outlook.com 40.92.69.21 SG2APC01FT038.mail.protection.outlook.com 10.152.251.98 Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) 3/6/2019 4:05:17 PM

I don't understand this extract, an 11 minute delay was certainly a long time, but I looked at the email several times and only opened the url link the following day (today).

wickham
Lemon Slice
Posts: 363
Joined: November 6th, 2016, 8:13 am
Has thanked: 34 times
Been thanked: 10 times

Re: Is my microsoft account blacklisted?

#206303

Postby wickham » March 7th, 2019, 6:37 pm

Slarti wrote:Now go to your normal login page in the normal way and change your password, ASAP as there is a strong possibility that you did not go to Microsoft, but to a dummy site set up to look like Microsoft!
Slarti

I did that earlier today. Strangely, although I have to use the new password to open my tablet, Outlook still opens, receives and sends without any editing of its password for the email account. Can it still be working on the old password?

didds
Lemon Half
Posts: 5288
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3286 times
Been thanked: 1029 times

Re: Is my microsoft account blacklisted?

#206307

Postby didds » March 7th, 2019, 7:01 pm

wickham wrote:
Didds said that the url was a valid microsoft url, so I opened that and it showed a normal microsoft page.
I always check the email headers when I'm not sure; in this case there was no reply to address, just a from address from someone @hotmail.com and after didds comment I opened the webpage.

What does seem odd is that I usually use Outlook and haven't used outlook.com browser email for about nine months but two days ago I checked that it was still working, without opening or sending any emails. Could this have flagged up unusual activity at Microsoft?



Well, it's a valid MS domain anyway. Somebody else was able to suggest that it may be a MS domain that subdomains can be bought from and used for whatever... I learned something new today too :-(

didds

wickham
Lemon Slice
Posts: 363
Joined: November 6th, 2016, 8:13 am
Has thanked: 34 times
Been thanked: 10 times

Re: Is my microsoft account blacklisted?

#206310

Postby wickham » March 7th, 2019, 7:19 pm

didds wrote:Well, it's a valid MS domain anyway. Somebody else was able to suggest that it may be a MS domain that subdomains can be bought from and used for whatever... I learned something new today too :-(

didds

I've learnt a lot from this thread too, like where to get a header analysed. I'm still not sure why my email account was blacklisted (only by four sites out of hundreds) but as long as it still works, that's fine. It does seem to me that the email was from Hotmail, but my account page makes no mention of a blacklisting problem.

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Is my microsoft account blacklisted?

#206396

Postby Infrasonic » March 8th, 2019, 9:46 am

Infrasonic wrote:
taylor20 wrote:Indeed, the domain may be owned by Microsoft but it is part of their Azure service, where _anyone_ can host a static website (see https://www.bleepingcomputer.com/news/s ... microsoft/).

So for future reference _do not_ enter any details onto the website presented.


Some more examples here, including very convincing landing pages for well known services like Dropbox, OneDrive, Office365 and Docusign.
https://www.proofpoint.com/us/threat-in ... redentials


Some other recently observed phishing domains abusing Microsoft Azure blob hosting include:



Legit security/account email communication from MS would have an address like...
<account-security-noreply@accountprotection.microsoft.com>
<email@microsoft.microsoft.com>
<onedrive@email.microsoft.com>

I've put a free blacklist monitor on my main domain account via that MXToolbox site. I registered but used dummy info (00000000 for phone number et al) apart from the contact email address.
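
An added example, not code from any poster in this thread: the SPF/DKIM/DMARC check discussed above applied to the header posted earlier, combined with the sender-domain and Azure-hosting points raised in the replies. The function names and the sample link are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Authentication-Results value as posted earlier in this thread, unfolded.
SAMPLE_AUTH_RESULTS = (
    "spf=pass (sender IP is 40.92.69.21) smtp.mailfrom=hotmail.com; hotmail.com; "
    "dkim=pass (signature was verified) header.d=hotmail.com;hotmail.com; "
    "dmarc=pass action=none header.from=hotmail.com;"
)
# Constructed link for illustration; not the URL from the email in this thread.
SAMPLE_LINK = "https://example-account.z13.web.core.windows.net/login.html"

# Domains of the sender addresses listed in the post above (not an official list).
LISTED_SENDER_DOMAINS = {
    "accountprotection.microsoft.com", "microsoft.microsoft.com", "email.microsoft.com",
}
# Azure storage suffixes under which any customer can publish content.
SHARED_HOSTING_SUFFIXES = (".blob.core.windows.net", ".web.core.windows.net")

_FIELD = re.compile(r"\b(spf|dkim|dmarc|header\.from|header\.d|smtp\.mailfrom)=([^\s;]+)", re.I)


def parse_auth_results(value):
    """Map each method/property in an Authentication-Results value to its first result."""
    value = re.sub(r"\([^)]*\)", " ", value)  # drop parenthesised comments
    fields = {}
    for key, val in _FIELD.findall(value):
        fields.setdefault(key.lower(), val.lower())
    return fields


def triage(auth_results, link):
    """Return findings for one message; passing checks alone produce no entry."""
    fields = parse_auth_results(auth_results)
    findings = []
    for method in ("spf", "dkim", "dmarc"):
        verdict = fields.get(method)
        if verdict is None:
            findings.append(f"note: no {method} result recorded")
        elif verdict != "pass":
            findings.append(f"flag: {method}={verdict}")
    # A pass only authenticates this domain; it says nothing about who the sender is.
    sender = fields.get("header.from", "unknown")
    if sender not in LISTED_SENDER_DOMAINS:
        findings.append(f"flag: authenticated sender domain is {sender}")
    host = (urlsplit(link).hostname or "").lower()
    if host.endswith(SHARED_HOSTING_SUFFIXES):
        findings.append(f"flag: link host {host} is customer-controlled hosting")
    return findings
```

Run against the posted header, all three mechanisms pass and the only findings are that the authenticated domain is hotmail.com and that the constructed link sits on shared Azure hosting.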

chas49
Lemon Quarter
Posts: 1976
Joined: November 4th, 2016, 10:25 am
Has thanked: 219 times
Been thanked: 468 times

Re: Is my microsoft account blacklisted?

#206528

Postby chas49 » March 8th, 2019, 6:21 pm

wickham wrote:
Infrasonic wrote:Does your email address get a positive hit here...https://haveibeenpwned.com/

"Oh no — pwned!

Pwned on 1 breached site and found no pastes (subscribe to search sensitive breaches)"

I have to pay to find out why.


No you don't have to pay. The Haveibeenpwned site simply notifies you if your email address(es) appear in any newly published breach list. There is no payment.

