Is it typical to have a dozen or more email hacking attempts a day?

Today I was reviewing my activity on my Microsoft email account, something I’d never really bothered with before, at least not in years. I was surprised to see I was having well over a dozen unsuccessful attempts at opening my email account, from every continent on earth (save Antarctica, at least so far).

My queries to Microsoft about this returned bland assurances that all these bogus attempts had been foiled and I had nothing to worry about, but then they did try to sell me Microsoft 365 for added security. Since I’ve taken the other standard free precautions like two-step confirmations, complex random passwords, etc., I thus far have declined to pay for more protection.

So is this typical? For Microsoft, for other account providers? Are all email accounts now under continuous attack by AI-driven engines? Is it a big deal, or just background noise?

I wouldn’t say all. But any account where there’s some kind of discrete user identity in a larger dataset of compromised accounts and/or passwords? Yeah, absolutely, those will be targeted by frequent automated penetration attempts.

(Basically, the bad guys know people reuse passwords. That’s why they try to break into totally innocuous repositories like, say, cat-fancy message boards. If they can get those passwords, then a meaningful subset of those passwords will be valid on, say, the banking profile associated with the same email. Extrapolate this to the entire internet. Thus, those emails where there’s a fractional chance of success get bombarded with experimental attacks, over and above any emails that are not so associated.)

I would say the fact that it’s background noise should be a big deal. We’re all way too complacent about this stuff. But that’s just an opinion.

Maybe check haveibeenpwned.com. If one of your credentials from another site was leaked, it’s very likely bots will try that password against other sites.

If you have a good password and 2fa, I wouldn’t worry about it. The internet is roughly half bot traffic these days (according to various reports).

Thanks for the info. Fortunately I’m a late adopter and didn’t use bank numbers or credit cards online until rather recently, and all the breaches I could find via the above website were from over 5 years ago, and no fishy financial/credit transactions have turned up.

Coincidentally, or not, I’ve gotten several “here is the code you requested” from Microsoft over the past few days. I’ve never had this happen before regarding my MS account. Instagram, constantly.

Note that 2FA is considered security theater at best, and a gaping security hole at worst. It should not be touted as an extra security feature.

Re: The OP. I’ve been getting on average one alert per day for a requested change of password. Checking the source of the request, it’s almost always from Russia. It is shocking that companies aren’t preventing such requests from even being made. And there is no way to report it as bogus, block attempts from coming from other countries, etc. And, of course, blocking login attempts from such places should be a recommended setting but they don’t even have such a setting at all. A complete lack of interest in helping users secure their accounts.

Why is that?

I do not think that is the case. There can certainly be bad 2FA, or less secure (SMS) and more secure (TOTP) methods, but 2FA in general is excellent at stopping unauthorized access.

It is not bulletproof; “what is your code?” is a powerful social engineering attack against many forms of 2FA. Man-in-the-middle can also be used to overcome some forms of 2FA (you’re entering your login details and 2FA at a fake site). However, it is not anything like useless, aka security theater.

2FA requests when you did not attempt to log in are an indication that it is working. Your password was acquired, but the attacker is unable to gain access, unless you click “accept” in your app, or send them the code.

Password request changes are unrelated to 2FA. Those just indicate that the attacker knows your username/email. They do show why maintaining security on your email account is so important. It’s also possible the password change emails themselves are phishing attempts. “Enter your old and new password on my fake site.”

As to the OP, yeah, any computer that is directly addressable on the internet, be it a Microsoft cluster managing Outlook logins, or some random home PC running SSH, is going to receive many, many login attempts. Just today (and it is only 10am right now), I’ve had 1136 failed attempts to log in to my computer. It’s just background noise.
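
Added example, not part of the original post: a short Python tally of the kind of failed SSH logins described above, which also picks out the one event that is not background noise (a successful login from an address that had been failing). The log lines are constructed, using OpenSSH's usual syslog wording and documentation-range IP addresses; the function and field names are made up for this example.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH's syslog format (RFC 5737 documentation IPs).
SAMPLE_LOG = """\
Mar  3 09:14:01 host sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 09:14:03 host sshd[811]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 09:15:40 host sshd[815]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 09:16:02 host sshd[819]: Failed password for invalid user oracle from 198.51.100.7 port 40030 ssh2
Mar  3 09:20:11 host sshd[830]: Accepted publickey for alice from 192.0.2.44 port 50000 ssh2
Mar  3 09:31:27 host sshd[842]: Failed password for alice from 198.51.100.7 port 40101 ssh2
Mar  3 09:31:30 host sshd[842]: Accepted password for alice from 198.51.100.7 port 40101 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Count failed logins and flag successes that follow failures from the same IP."""
    failed_by_ip = Counter()
    failed_by_user = Counter()
    success_after_failures = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not an authentication result line
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failed_by_ip[ip] += 1
            failed_by_user[user] += 1
        elif failed_by_ip[ip]:
            # A login succeeded from an address that was failing earlier:
            # this is the line to investigate, unlike the failures themselves.
            success_after_failures.append((ip, user, m["method"]))
    return {
        "failed_total": sum(failed_by_ip.values()),
        "failed_by_ip": dict(failed_by_ip),
        "failed_by_user": dict(failed_by_user),
        "success_after_failures": success_after_failures,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```
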

IT guy here. When we get new hires, during their orientation, I let them know that as soon as they update their LinkedIn or other professional services sites with their new e-mail, they will get a huge uptick in spam and account attacks. Bots watch for changes, and then go after them when they are new and vulnerable.

If you’ve recently signed up for a service, or a newsletter, or registered on a website, it can certainly result in these new attacks on your account.