[Sharing] Someone tried to hack into my Microsoft account and how I reacted

This is my first time being an OP on the PG forum, I apologise if I haven’t got the formatting right.

So, everything started with an online application.

This morning, I was trying to make an application online, and I needed some information that I stored in my Microsoft account years ago (I know it’s bad in terms of privacy; back in the day, I used MS exclusively and never really used big G).

When I tried to log in, Microsoft prompted a message saying my account was disabled for too many failed login attempts. It instantly alarmed me as I have deprecated most Microsoft products since I migrated first to Skiff (unfortunately) in 2022 and then Proton (after Skiff’s buyout announcement in Feb 2024), and I haven’t logged in for months.

Most services I originally registered with this MS account have already been migrated to alias services. I stopped using my MS email address to register new services since Mozilla launched Firefox Relay, though all emails were relayed back to Outlook.

I have a unique, 120+ entropy password (stored in an offline password manager) and 2FA (also stored offline), so I don’t expect anyone could really break in. I started to recover my account by entering my recovery email address; the account was recovered in just a moment, and then I hopped into the account security page to check sign-in activities. Here’s what I see:


I am not sure if there were any attempts before Jun 6; it seems that page is not showing the full log, but it doesn’t really matter.

As the attempts were from different countries, I am pretty sure it is not someone typing their email address wrong, but instead someone (or a group) trying to break into my account, and they only know my email address.

Then I went to HIBP to check if the address was leaked in any known breach, and found nothing. Sure, it doesn’t mean it can’t have been leaked, as HIBP doesn’t know all the breaches, but it reminded me of something.

Since I expect the adversary would continue to try breaking into my account, I did the below things:-

  1. Reset Password (Unique, 160+ entropy)
  2. Checked all logged-in devices / apps / services, and made sure nothing was suspicious / non-essential.
  3. Here’s something I rarely see anyone / any website / any company (even anti-virus companies like AVG and Kaspersky) recommend. I ADDED A NEW ALIAS TO MY ACCOUNT, SET IT AS PRIMARY AND DISABLED MY ORIGINAL ADDRESS AS SIGN-IN ADDRESS. Here’s how to do it:-
    a) Log into your MS account, mouse over the top right corner and click “My Microsoft Account”
    b) Open “Your Info” tab, expand “Account Info” card and click “Edit account info”
    c) Click add email, and then create a new address.
    d) Go back to “Edit account info”, you will see “Make Primary” next to your newly created email address. Click “Make Primary”
    e) On the same page, click “Change sign-in preference”
    f) You will see your newly created address is now enabled as it is now the “Primary alias”, but you will still see your original address is checked; uncheck it and save.
    g) DONE.

Now you can sign out and sign in again and try. If you have set it correctly, when you try to log in using the original address, you will see this message.

By doing this, the adversary will no longer be able to break into your account by brute forcing the password (which prompts MS to disable your account).

It might be pretty well known, but I still think it’s worth sharing as I don’t see such a recommendation when googling.

8 Likes

Extremely helpful information. Thank you.

1 Like

Good advice about the alias, but changing the password is unnecessary. If you previously used a password that you created with your password manager, and you have no reason to believe that the password has been compromised, there is no good reason to change it.

As for entropy, even 80 bits would be perfectly sufficient, and there is not much reason to go beyond that.

1 Like

True, changing the password seems unnecessary, as the only ways my password could get compromised would be

a) Adversary got access to my password manager keyfile somehow, and was able to crack my 160+ entropy password based on UTF-8 characters, or
b) Adversary somehow installed malware on my devices and gained access to my whole system

Both seem to be

  1. Highly targeted
  2. Reliant on advanced techniques for remote access involving tricking me into downloading and opening malicious files / links, or compromising the network(s) that I access.

While I cannot rule out 1. for some reason, 2. is extremely unlikely due to several precautionary measures I blended into my daily life and device / network setup.

Still, I did it as a habit, just like washing hands every time you enter and exit a hospital.

Regarding password entropy, it’s being remembered by the password manager anyway, so why not make it as strong as possible? It’s the same effort (generating it using the password manager). :rofl:

1 Like

My understanding is that Microsoft is just showing failed logins, and all accounts are always being brute-forced by bots.

MS’s own support page says not to worry if you have a strong password & 2FA.

No one was targeting you.

1 Like

I disagree with this part. I have owned this MS account for 15+ years, and this is the first time someone has tried to brute force it.

I have other MS accounts with similar usernames that serve other purposes; those accounts never had such an issue.

I have friends who only use 1 MS account for basically everything; they don’t have such an issue.

Considering the exposure of the concerned account and other factors I don’t want to share, I cannot rule out such a possibility.

Because:

  1. There is no practical security benefit for going beyond 80 bits.
  2. The longer the password, the more likely the site will have a problem with it.
  3. You won’t hate yourself if you ever have to type it manually.

1 Like
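The 80-bit versus 160-bit entropy argument in the replies above, worked through as an added example (not code from the thread or from any password manager). It assumes a uniformly random generator over the 95 printable ASCII characters and constructed guess rates; the thread does not state the OP's actual character set.

```python
import math
import secrets
import string

# Assumed generator alphabet: the 95 printable ASCII characters (an assumption,
# the thread never says which character set the OP's password manager used).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def length_for_bits(target_bits: float, charset_size: int) -> int:
    """Smallest length whose entropy reaches target_bits for this alphabet."""
    return math.ceil(target_bits / math.log2(charset_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every password of the given entropy at a fixed guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from the OS CSPRNG (secrets), one draw per char."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    n = len(PRINTABLE)
    for target in (80, 120, 160):
        chars = length_for_bits(target, n)
        print(f"{target:>3} bits -> {chars} chars of {n} "
              f"({entropy_bits(n, chars):.1f} bits actual)")
    # Constructed rates: 1e12/s models offline cracking of a stolen vault,
    # 10/s models online guessing before a lockout kicks in (the thread's case).
    print(f"80 bits @ 1e12 guesses/s offline: {years_to_exhaust(80, 1e12):.2e} years")
    print(f"80 bits @ 10 guesses/s online:    {years_to_exhaust(80, 10):.2e} years")
    print("sample password:", generate(length_for_bits(80, n)))
```

With this alphabet, 80 bits needs 13 characters and 160 bits needs 25; the 1e12/s line shows why going past 80 bits changes nothing in practice, while the 10/s line shows that an online brute force is stopped by rate limiting long before entropy matters.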

I skim-read through your post, but if you’re worried someone is trying to hack your account because you’re seeing unsuccessful sign-in attempts from all over the world - it’s true, you along with nearly every other Microsoft account. Your email was exposed in a breach at some point and hackers are randomly targeting users whose emails have surfaced on the dark web. They’re not targeting you specifically. This is a very common thing I see on Reddit. It happened to me. As long as you’re using 2FA and a strong password, you’re fine. Though I’d recommend deleting the account altogether if you don’t need it, and I don’t think there’s any reason to have a Microsoft account these days.

You might also find some sync attempts using IMAP. Same deal as above, just ignore it.