Skip links

Outlook email users alerted to suspicious activity from Microsoft-owned IP address

Strange things are afoot in the world of Microsoft email with multiple users reporting unusual sign-in notifications for their Outlook accounts.

While an unusual sign-in activity email should always be treated with suspicion, the twist here is that the IP address at the root of the issue appears to originate within Microsoft itself.

The messages, according to users, also appear in the unusual activity section of the company’s email website, ruling out a phishing attack. Some confirm that an automatic sync has occurred.

Microsoft’s support forums are full of customers confused and a little concerned about the notifications, which look for all the world like either Microsoft or a miscreant with access to one of the company’s endpoints is seeking to access their mailbox. Users have wisely changed passwords, but still occasionally see a successful sync among the failed login attempts.

Even switching to two-factor authentication appears not to stop the “Unusual Activity.”

As with many email vendors, Microsoft fires off an Unusual Activity email or text message when it spots a sign-in attempt from a new location or device. Sometimes they can be completely legitimate; for example, logging into webmail from abroad, or adding a new mobile phone. Other times they can be an indicator of nefarious activity.

Sometimes Microsoft will up the ante and block the user’s sign-in to keep an account safe.

Register readers got in touch to complain about the situation, with one saying: “This has been ongoing for a couple of days now with both myself and my wife affected.”

Our reader went on to speculate that perhaps there were some bad actors using Azure (hence the Redmond IP addresses) to break into accounts or perhaps it was all just a blunder by one of Microsoft’s administrators. We asked the company to clarify, but days later it has yet to respond.

In the absence of an explanation from the Windows giant, The Register asked a tame IT specialist for his thoughts on what the problem might be. He joked: “Let’s start with observing that Microsoft deems ITSELF suspicious. I call that progress!”

He went on to suggest that, other than something being severely wrong in the single sign-on department, perhaps miscreants were reusing passwords from various disclosure lists “and possess a sufficiently deep streak of irony to use Azure for the breaches.”

Microsoft has been equally reticent on its own support forums with a smattering of comments from its employees sprinkled among the complaints suggesting a change of password, switching on two-factor authentication or simply signing out of one’s account on all devices.

Perhaps a solution if only one or two users were struggling, but the issue appears to be hitting a large number of customers.

One user noted: “Microsoft really needs to address this issue, at the very least to confirm that this ‘unusual sign-in activity’ (as they have detected themselves & urgently alerted their account users to) is either NOT an ‘Account intrusion/compromise’ situation and possibly just an MS internal system issue OR, if something more serious, what steps will need to be taken to resolve.”

We’d have to agree. The company’s relative silence on the matter is perhaps more worrying than the incident itself. If Microsoft responds with an explanation, we will update this piece accordingly.

Another user said: “I would like to know why a Microsoft-owned IP is syncing to my Microsoft account, why it is flagged as “suspicious”, and why was it able to successfully sync at least once before.” ®