'Exchange ActiveSync' being used by hackers to harvest other victims and hold control of MS email, calendar and contacts after MS notification of a potential compromise

Monkey57 3,535 Reputation points
2021-06-16T05:11:19+00:00

I would like to ask the Virus-Malware community if it is aware of a somewhat recent, expanded 'MS compromise' of users' MS email account folders by hackers who have acquired a user's account login info.

Using Exchange ActiveSync (please see): https://answers.microsoft.com/en-us/outlook_com/forum/all/inexcusable-security-risk-of-using-microsoft/5b1ee3b8-9b7d-46c4-bc46-889e87e5bc07

Even if a user is able to detect that their account is compromised, there is nothing a user can do to stop the hacker from creating havoc while they harvest all email correspondence and begin various scam attempts on all From/To recipients, for an extended time, from an MS user's email account (non-spoofed). There is no way to cut contact to all connections within the MS account online, even after turning on 2FA or setting up the MS Authenticator app.

The MS Account Online > Security > Sign-in activity page shows an initial compromise, then the account being added to a suspicious Exchange ActiveSync. AT THIS POINT the end user is helpless to have any control of their email account, including user bank verifications, etc., for at least 24 hrs.

MS O365 business has a way to address this, with the caveat that it takes an hour. (REALLY! Why not immediate?)

Is there a way to kill ALL access to everything immediately after changing the password and setting up 2FA (two-factor authentication)? (Note: billions of passwords have been compromised recently.)

Is there a way to contact a Microsoft Engineer to address this?


12 answers

  1. Anonymous
    2021-06-17T23:19:56+00:00

    Hi, I have had the same issue with my elderly mother. She clicked on an unsolicited link 2 days ago, and several hours later people from Nigeria had successfully got into her email account and switched on 'Auto-sync'.

    Looking at all of the responses, it seems like no one understands the issue at hand, but I was able to locate where the syncing device location is, disconnect the device, and wipe its history.

    Without doing this first, any email address password changes, recovery code generation or 2-step authentication will do nothing.

    It is really simple. Just do the following steps:

    Issue: Your account was successfully signed into by an unknown party and you see 'Auto-sync' successful in your MS Account 'activity history'.

    Solution:

    To remove the sync mobile device:

    1. Go to Outlook settings (not MS Account). This is the cog by your user login/logout (top right-hand corner of Outlook).
    2. At the bottom of the list, click on 'show more settings' or something similar.
    3. When the popup appears, down the left-hand side, select 'General settings'.
    4. Under General settings, you should see 'Mobile Devices'.
    5. The mobile device that is synced to your account by the hacker should appear here. There are some options available rather than just 'delete' the sync. Firstly, make sure you hit 'wipe device' before you delete the syncing. :)

    Now that their mobile device is not synced, do the following:

    1. Under your MS Account in the 'Security' section, change your password.
    2. Under the 'Advanced security options' box: 2-step authentication.
    3. Remember to hit 'Recovery Code' on this page as well. This generates a brand new 25-digit code and, more importantly, deletes the use of any previously generated code. If a hacker had your account, chances are they got a recovery code in case you changed all passwords, etc.
    4. Finally, hit the 'Sign me out' button under the advanced security section. This will force-close your account in case it is open anywhere else (takes 24 hrs, but should be OK since you changed the password and recovery code and removed the synced device).

    I hope that this helps everyone :)

    10+ people found this answer helpful.
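
The device-removal and sign-out steps in the answer above, as an added example that is not part of this thread: the equivalent in Exchange Online PowerShell for a Microsoft 365 business mailbox (the O365 case the question mentions; personal Outlook.com accounts only have the web settings path the answer describes). It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed with sufficient admin rights, and the mailbox address and compromise time are placeholder values.

```powershell
# Added example, not the thread's or Microsoft's own script.
# Requires: Install-Module ExchangeOnlineManagement, Install-Module Microsoft.Graph
# Placeholders (constructed for this illustration):
$Mailbox        = 'victim@contoso.example'           # placeholder mailbox
$CompromiseTime = Get-Date '2021-06-14T00:00:00Z'    # placeholder: first suspicious sign-in

Connect-ExchangeOnline

# 1. Enumerate every ActiveSync / mobile partnership on the mailbox.
#    This is the admin-side view of Outlook settings > General > Mobile devices
#    from the answer above, including FirstSyncTime for each partnership.
$devices = Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceId, DeviceType, DeviceOS, DeviceModel,
                  FirstSyncTime, LastSuccessSync, Identity

$devices | Format-Table -AutoSize

# 2. A partnership first seen after the suspicious sign-in is the foothold that
#    survives a password change. (A legitimate device re-enrolled in the same
#    window would match too, so review the list before acting.)
$suspect = $devices | Where-Object { $_.FirstSyncTime -ge $CompromiseTime }

foreach ($d in $suspect) {
    # Wipe the account data on the partnership first ("wipe before delete"),
    # then remove the partnership so it cannot sync again.
    Clear-MobileDevice  -Identity $d.Identity -AccountOnly -Confirm:$false
    Remove-MobileDevice -Identity $d.Identity -Confirm:$false
}

# 3. Containment: block ActiveSync on this mailbox while the investigation runs.
Set-CASMailbox -Identity $Mailbox -ActiveSyncEnabled $false

# 4. Invalidate existing sessions and refresh tokens so the password change
#    takes effect now instead of after the waiting period described in the thread.
Connect-MgGraph -Scopes 'User.RevokeSessions.All'
Revoke-MgUserSignInSession -UserId $Mailbox
```

Re-enable ActiveSync with `-ActiveSyncEnabled $true` only after the partnership list has been reviewed and the legitimate devices re-enrolled.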
  2. Monkey57 3,535 Reputation points
    2021-06-19T11:36:27+00:00

    "Glad that worked Monkey57": it really did not do anything to resolve the initial compromise. Changing the password started the process to regain control of the victim's account email, but it took 24 hrs (while the hacker did what they wanted with the victim's email account). What it did tell me is that the MS activity log "See when and where you've used your account" missed one of the hacker's connections, as Outlook > Settings > Mobile devices showed 2 (two) successful syncs (being maintained for 24 hrs after the password change, etc.), and the MS activity log only showed 1 (one). Another thing that caught me as odd was the number of folders synced, 0/1, when I know the hacker was deleting content in multiple Outlook mail folders for 24 hours after the account was secured.

    Note: The hacker knows when their victim has started to attempt to regain control of their email and that their 24 hr clock has begun; it is usually then that the nastier stuff is done by the hacker (deleting contacts, emails, etc.), although more serious compromises/damage may have already been done.

    3 people found this answer helpful.
  3. Rob Koch 25,875 Reputation points Volunteer Moderator
    2021-06-19T03:39:58+00:00

    Glad that worked Monkey57, I noticed it was difficult to determine which Mobile Device connection relates to which precise email client, since I've had something like 8 or 9, one of which is an old phone I hadn't gotten around to deleting until your threads made me look closely.

    I agree the time factor and other details you've described are a wakeup call that 2FA is really necessary, with my main concern that the process is not only confusing even for knowledgeable people like me, but even potentially dangerous in terms of loss of account access if you don't perform additional steps such as preserving the Recovery Code in a safe place you can be certain to find it if needed.

    I think this realization indicates that not only does Microsoft need to pressure their customers into using 2FA, but also that they need to make this process more coherent, creating a flow leading a non-technical customer through a series of steps that aid in setting up not just 2FA, but also the additional items required to regain control in critical situations like the loss of a device or a successful attack similar to those you've experienced.

    At the least they need to make customers aware that these potential risks exist in order to help them realize the importance of 2FA and the true reason it's needed. As I mentioned, even someone with my long history in computer systems management and security didn't recognize some of the potential pitfalls, especially those relating to account recovery in extreme situations.

    Rob

    3 people found this answer helpful.
  4. Rob Koch 25,875 Reputation points Volunteer Moderator
    2021-06-16T18:39:50+00:00

    Monkey57,

    I'm not familiar with the Office/Microsoft 365 management since I never worked in that environment, but I believe this would operate similarly to that found in Outlook.com where the ActiveSync component is simply an extension of the Mobile device operation and management.

    Searching finds this, though it may vary for different variants of the 365 environment as it has evolved and been given newer naming.

    Manage devices enrolled in Mobile Device Management in Microsoft 365 - Microsoft 365 admin | Microsoft Docs

    Reviewing your other thread I noticed lots of discussion regarding accounts, email folders and access, but nothing regarding the devices themselves. From my understanding, ActiveSync is merely a form of mobile device access, so true control of these should be within this section and have nothing to do with the apps or authentication, which operate within the device's operating system environment.

    In my case using Outlook.com, I can see several devices, some of which duplicate the same physical device using either the direct ActiveSync, EAS (Exchange ActiveSync) or other older naming for the various methods used by different mobile clients to support access to the Outlook servers. Figuring out which were which was as easy as viewing first and last client access date/time and other attributes like the native device operating system.

    I'd assume these rogue Active Sync devices would appear different than others and be similarly able to be at least deleted, if not wiped before deletion, which is likely how the malicious actors are controlling those devices belonging to the proper original account and device owner.

    Rob

    3 people found this answer helpful.
  5. Monkey57 3,535 Reputation points
    2021-06-16T20:18:45+00:00

    Thank you Rob.

    The initial compromise from a weird location, and the MS personal email account being added to a suspicious Exchange ActiveSync (on the same subnet as the 'weird location', but a different IP), do not show in "Devices".

    2 people found this answer helpful.