Strange happenings with my MS account

glasskuter · Jun 4, 2023

Something weird has been going on with my MS account. I keep getting emails(every day) about unusual signin activity, each one identical saying that my MS account had been used from Moscow Russia asking me to click on a link to verify my account.(I never click on the link) A flag that they weren't legit from MS was Outlook was putting them into my junk mail. When I looked at the source code, there were erroneous entries indicating the emails were definitely spam. One of the flags was the use of the words "macrosoft" rather than microsoft.

To be sure, I checked my MS account and no one had logged into it from any location except from my ip address and location. No mention of Russia at all. After all that and having a 15 digit password so difficult I even have a hard time remembering it (security.or said it would take 100 million years to crack), I chalked it up to a MS phishing scam I read about on the net.

Today, I got an email from Onedrive in my inbox, not junk, saying one of my files in onedrive had been changed by some character named Leandro Nogueira. Sure enough, I had a file by that name in onedrive that I had never shared with anyone. I know because I can count on one hand how many files I've shared a link to and they've all been right here on this forum; all read only.The crazy thing is the file that was changed is nothing more than a list of the drivers on my computer. Nothing sensitive about it at all. Again I checked my MS account. No record of anyone logging in at that time.

I immediately changed my MS password to a 20 digit one this time. (The damn thing is now so complicated it says it will take 16 trillion years to crack it)

Has anyone else ever gotten caught up in something like this?

Ghot · Jun 4, 2023

I don't know the solution or facts surrounding your post.

However, I don't trust those password testing sites.
Especially not if you use the exact password that you tested somewhere.
Just a thought.

Bree · Jun 4, 2023

glasskuter said:
Has anyone else ever gotten caught up in something like this?

No, nothing like that for me. But besides my password they'd also have to get past my two factor authentication. Have you got 2FA turned on?

glasskuter · Jun 4, 2023

Bree said:
Have you got 2FA turned on?

yes but I also have a secondary recovery method which is an alternate microsoft email address

Ghot said:
I don't trust those password testing sites

Neither do I. When I test I always swap around a few digits. But as difficult as my passwords are, common sense tells me it would take a hell of a cracker to break them.

I do not think this incident has anything to do with the MS phishing scam. That particular scam has been floating around for several years now. The contents of the message within the phishing emails is always exactly the same.

What throws me is this file that was altered today was not shared so that person would have had to directly login to my MS account to get to onedrive to alter it, yet MS showed no one logged in from anywhere else. So this leads me to not trust the accuracy of the login locations I see in my MS account....unless somehow my ip address is being phished as well.

OAT · Jun 4, 2023

glasskuter said:
What throws me is this file that was altered today was not shared so that person would have had to directly login to my MS account to get to onedrive to alter it, yet MS showed no one logged in from anywhere else. So this leads me to not trust the accuracy of the login locations I see in my MS account....unless somehow my ip address is being phished as well.

Yes, this is puzzling.
I would try to get a support ticket going with MS on this one if it's at all possible.
Needless to say, the Hub would be of no use.

TraderGary · Jun 4, 2023

glasskuter said:
Has anyone else ever gotten caught up in something like this?

Ouch! I've never had anything like this. I have great respect for your expertise and will be following this thread.

wabbit · Jun 4, 2023

I was getting the scam emails about unusual activity on my MS account daily for about a week or so. Seems like i get those scam emails upon unsuccessful login attempts to my account. The daily scam emails stopped a week ago. I use 2FA and change my password regularly. I still check for unsuccessful login attempts and everything seems to be fine for now.

Marcus Vinicus · Jun 4, 2023

This thread is a timely reminder to check my MS Account.

Mine is setup as password less with authentication either via facial recognition, using my phone with either MS Authenticator app or SMS.

There have been some attempts recently by cyber criminals but all have failed.

han jansen · Jun 4, 2023

Hello Marcus Vinicus,

Where do exactly do you find this info?

Ciao, Han

Marcus Vinicus · Jun 4, 2023

Sign in to your MS Account
Click Security on the blue bar at the top of the page
Click Sign-in activity

han jansen · Jun 4, 2023

Duh, was on the page and completely over saw it.
It's late here.
Thanks anyway.
Ciao, Han

TechnoMage2021 · Jun 4, 2023

I've never had any such problem, possibly because I stay as far away from the Cloud and anything that says Microsoft on it, as possible. I do run Windows, and that ends my association with MS, if you can really call that an association. I don't!

I do feel for you, Glasskuter, but I'm totally unable to help. I hope you can get it all fingered out.

Cheers!
TM

Bree · Jun 4, 2023

Marcus Vinicus said:
This thread is a timely reminder to check my MS Account.

Mine is setup as password less with authentication either via facial recognition, using my phone with either MS Authenticator app or SMS.

There have been some attempts recently by cyber criminals but all have failed.

Makes you wonder how the cyber criminals got hold of your account name. All my PCs have local accounts. I don't sign in to any of my PCs with my MS account, just use it separately for OneDrive, the Store, etc

Add Microsoft account to Local account for Hybrid account in Windows 11 Tutorial

A Microsoft account (MSA) is a good choice if a user wants to use the same account on multiple devices, or wants to make it easy to use all / any Microsoft services. Setting up a preinstalled Windows 10 on a new device, after a clean install, or creating a new user on existing Windows...

www.elevenforum.com

. It has a password and 2FA. Seems I've kept mine of their radar, all these sign-ins were me.

Marcus Vinicus · Jun 4, 2023

Bree said:
Makes you wonder how the cyber criminals got hold of your account name. All my PCs have local accounts. I don't sign in to any of my PCs with my MS account, just use it separately for OneDrive, the Store, etc

All the hacking attempts were done using the wrong email address. That is my Gmail address which isn't linked to my MS Account as the login.

Ghot · Jun 4, 2023

glasskuter said:
What throws me is this file that was altered today was not shared so that person would have had to directly login to my MS account to get to onedrive to alter it, yet MS showed no one logged in from anywhere else. So this leads me to not trust the accuracy of the login locations I see in my MS account....unless somehow my ip address is being phished as well.

MS account is not much fun,
Something wicked this way comes.

Second line stolen from... Ray Bradbury book title.

https://www.amazon.com/Something-Wicked-This-Way-Comes/dp/0380729407

flashh4 · Jun 4, 2023

@glasskuter, i have been getting them for about 6 months, i just delete them ! Because i know they are just wanting me to click their link ..... not gonna happen ! Next time i get one i will copy it here !

TraderGary · Jun 4, 2023

The phishing emails then are just that. Your Microsoft Account was never breached. All they want is for you to click on their link.

milkturnipsbage · Jun 5, 2023

Very strange indeed. Did you verify the time the drivers list was last changed?

Also, have you checked the devices list where your MS acount is currently in use?

Alex__ASSR · Jun 5, 2023

that's what I did.
Microsoft account > security > sign-in activity and check the places you've signed in.
mark as safe places if you recognize them and that's it.

glasskuter · Jun 5, 2023

TraderGary said:
Your Microsoft Account was never breached.

I can't say whether it was or wasn't. I just know something is fishy. This is totally separate from the phishing emails. The email today said the file was changed today by this Leandro Nogueira person and sure enough, when I went to onedrive on the web, there was a valid file there by that name showing it had been altered this morning with his name by it. It was not a shared file and was useless to anyone but me. So the only way it could have been altered was for someone signed in as me to alter it. But if that be the case, why was this Leandro Nogueira person's name listed being the one who altered it. It makes no sense to me how this could have happened.I 've reported it to Onedrive support to see if there's an explanation.

Gary, you know I'm not a big onedrive user. I use the vault for a few important files and I have a list of passwords in there. I've dropped a few files into onedrive documents to use on the go. 3 or 4 times I've shared a file here on this forum. Other than that there's so little in my onedrive so I'm not too concerned about the files and I'm pretty confident the vault wasn't breached. I didn't get 2FA on my phone. What concerns me is the possibility that someone has access to my MS account. That email account is my user name for just about every other account I have. Every one of my finances and health related accounts. Of course now I've changed the password and am in the process of changing a bunch of other passwords for important accounts that have that email tied to them.
Oh well, I'll probably never know the how and why of it.

Yeahoww said:
Did you verify the time the drivers list was last changed?

Also, have you checked the devices list where your MS acount is currently in use?

Yes and yes.