Can't disconnect hacker from Outlook.com account - connected using Active Exchange

carmen617 (Well-Known Member, Boston, MA)
Client fell for a phish and hacker logged onto his outlook.com email to scam his contacts. By the time I was called in to help the client had already changed his password. I logged into outlook.com and found filters redirecting any mail to an archive folder, showed it to client, deleted the filters. No forwarding address had been created, and no auto response was set up. We went into client's Microsoft security settings and saw that his account had been logged into from Nigeria, twice using Chrome and once using Active Exchange. I had him change the password again, and we enabled 2FA.

Client is getting his own email on Outlook 2010 using Active Exchange and I noticed that we did not have to update his password in Outlook 2010 - mail kept flowing. Even after two password changes and enabling 2FA. While I was working on his system we saw a new sent email from the hacker, to one of the client's contacts, assuring him that the email was legit and this retired college professor needed his friend to send him a gift card. Also while I was working on the client's system, we saw the archive folder get moved to the trash, and then saw the trash get emptied. Hacker clearly still has access to this email account after 2 password changes and 2FA being turned on, and that has to be via Exchange.

Microsoft offers a way to "sign out of all trusted devices" but that didn't end my client's access to his email on Outlook 2010, and it doesn't seem to have ended the hacker's access either. I am out of ideas - Microsoft doesn't offer any way to end all active sessions, period. I actually advised my client to call Microsoft and tell them that he changed password multiple times and enacted 2FA and both his Outlook 2010 and the hacker's Active Exchange access have not been interrupted. Anybody have any idea what else we can do here?
 
First... Outlook 2010 is a nightmare and needs to die in a fire. Support is dead, upgrade it.

2nd, 2FA for the primary login doesn't deal with app passwords. In that security tab you used to configure 2FA, scroll down; the app passwords all need to be removed. Since Outlook 2010 isn't ADAL capable, it simply will not work anymore after that. If you want to make it work again you'll have to turn that app password back on.

But there's the rub... because that password can and will be stolen right out of his local likely hacked copy of Outlook, and used by your Nigerian Prince to access the account again.

App Passwords are bad... and must never be used if at all possible. Outlook needs to be upgraded to something that supports ADAL and MFA login.

So zap the app passwords, and hit that sign me out of everywhere button again.

Heck the bad guys try to get into my account more than I do!

But you can't have a track record this clean with app passwords, and again Outlook 2010 will not work without app passwords.

It's 2021, MFA ALL the things, and stop taking short cuts.
 
I know Outlook 2010 is dead and bad, we are upgrading it in an on-site next week (this was an emergency remote). He didn't have 2FA on until I came along - no app passwords have actually been set up, because the only thing that would need one is his Outlook 2010. So he gave away old password in a phish, but changing password isn't kicking Nigeria out of contention.

Microsoft doesn't seem to have a way to disconnect all active log ins. Now up to 3 password changes and 2FA turned on and his Outlook 2010 is STILL sending and receiving mails with no new credentials needed. If the client's own Outlook 2010 doesn't need new credentials after 3 password changes and 2FA being turned on, how the hell do I get Nigeria logged out of HIS Outlook 2010?
 
The guy in Nigeria probably has it set up through Thunderbird or another email client, so it would not kick him out until he closed the app or rebooted, and he knows better than to do that. Free outlook.com doesn't give you much in terms of shutting down, so I am honestly speechless on this one. Not sure how to even help lol.
 
The guy in Nigeria probably has it set up through Thunderbird or another email client, so it would not kick him out until he closed the app or rebooted, and he knows better than to do that. Free outlook.com doesn't give you much in terms of shutting down, so I am honestly speechless on this one. Not sure how to even help lol.
That's what it looks like to me too. Free account or not, how can Microsoft not offer a way to sign out of all applications? This is actually something they need to address, just not sure how to get them to address it.
 
Ah, they won't, they love riding the crazy train. The free accounts are better than they used to be, but that's my upsell to get a business account and get off the free stuff. Have you talked to the client about that? Even if they are a home user, it's worth it for the security. But now you got me wondering about Thunderbird and eMClient's security with business accounts and signing out. I will test that tomorrow.
 
Ah, they won't, they love riding the crazy train. The free accounts are better than they used to be, but that's my upsell to get a business account and get off the free stuff. Have you talked to the client about that? Even if they are a home user, it's worth it for the security. But now you got me wondering about Thunderbird and eMClient's security with business accounts and signing out. I will test that tomorrow.
It's just nuts. Apple and Google show you everywhere you are signed in and allow you to sign out of all sessions. You would think Microsoft would have that capability too - they are not Yahoo or AOL or Comcast, they are freaking MICROSOFT. I am thinking of composing a few well worded emails to some nationally followed tech columnists and seeing if someone will pick it up as a story.
 
Add in the hijacking of their data to OneDrive without telling them. I'm waiting for the day all the lawyers lawyer up and do a class action against MS for that crap.

Microsoft uses everything as a funnel to buy MS365. I'm retiring, I started a 2nd business and am moving out of this nightmare. Besides the issues you are seeing with this client, I see 10x more with the jumblefffuck I see out there. I'm not going to be an account manager, no way.
 
... setup through Thunderbird or another email client, so it would not kick him out until he closed the app or rebooted ...
I know very little about the inner workings of MS's email services, but I don't think Thunderbird can work like that. It doesn't maintain a connection to the server and needs current login credentials for every send action and POP collection/IMAP poll. AFAIK, emClient is the same.
no app passwords have actually been set up, because the only thing that would need one is his Outlook 2010.
Maybe not set up by the mail owner (or you), but have you checked that the hacker hasn't done so?
 
I know very little about the inner workings of MS's email services, but I don't think Thunderbird can work like that. It doesn't maintain a connection to the server and needs current login credentials for every send action and POP collection/IMAP poll. AFAIK, emClient is the same.

Maybe not set up by the mail owner (or you), but have you checked that the hacker hasn't done so?
2FA wasn't in place before I had access to the account. We turned it on together.
 
Run the standard steps to secure the tenant.
Enable modern auth
Make sure IMAP is DISabled. There are exploits against IMAP which bypass MFA...so...even if you have MFA turned on, the bad guys don't give a poop...they drill right in. Disable IMAP (and of course...obviously...prehistoric POP).
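The steps in the post above (modern auth on, IMAP/POP off, sign everyone out) as a worked triage script. This is an added example, not from the thread, and it only applies to a Microsoft 365 tenant with Exchange Online; consumer outlook.com exposes no such admin surface, which is exactly the thread's complaint. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, the operator has Exchange and user admin rights, and `$Upn` is the compromised mailbox (placeholder value).

```powershell
# Added example: Exchange Online / Graph PowerShell triage for a compromised M365 mailbox.
# Assumptions: ExchangeOnlineManagement + Microsoft.Graph modules installed, admin rights held.
param([Parameter(Mandatory)][string]$Upn)   # placeholder, e.g. victim@contoso.example

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.RevokeSessions.All"

# 1. Inbox rules. The attacker in this thread hid mail with rules that moved it to an
#    archive folder; list anything that moves, forwards, redirects or deletes mail.
Get-InboxRule -Mailbox $Upn |
    Select-Object Name, Enabled, MoveToFolder, ForwardTo, RedirectTo, DeleteMessage |
    Format-Table -AutoSize
# Remove each rule the owner did not create:
#   Remove-InboxRule -Mailbox $Upn -Identity "<rule name>"

# 2. Mailbox-level forwarding is a separate setting from inbox rules; clear it.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null

# 3. Legacy protocols. Basic-auth POP/IMAP clients never see an MFA prompt, so a
#    phished password alone is enough for them; disable both on the mailbox.
Set-CASMailbox -Identity $Upn -PopEnabled $false -ImapEnabled $false
Get-CASMailbox -Identity $Upn | Select-Object PopEnabled, ImapEnabled, ActiveSyncEnabled

# 4. ActiveSync device partnerships: any device here that the owner does not recognise
#    is a foothold that survives a password change until its token is invalidated.
Get-MobileDevice -Mailbox $Upn |
    Select-Object DeviceType, DeviceModel, FirstSyncTime, DeviceAccessState
#   Remove-MobileDevice -Identity "<device identity>"

# 5. Modern auth (OAuth) must be on at the org level for ADAL-capable clients to use MFA.
if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# 6. Invalidate refresh tokens so every client, the attacker's included, must re-authenticate.
#    This is the "sign out everywhere" the thread could not get on a consumer account.
Revoke-MgUserSignInSession -UserId $Upn

# 7. Confirm no further mailbox activity from the attacker (last 7 days; the client IP is
#    inside the AuditData JSON of each record).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -UserIds $Upn -RecordType ExchangeItem -ResultSize 50 |
    Select-Object CreationDate, Operations, AuditData
```

Run it once after the password reset and again after the token revocation; a rule or device that reappears between the two runs means the attacker still holds a credential.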
 
Have you tried setting him up with the M$ Authenticator App? And if it's not already been done, sign out of Outlook 2010.

I just logged into my outlook.com account and it shows that my PC is logged in but doesn't say what program and I can't kick myself out of it.
Just saw the same with a test account I have. I'm sure at some point the client will have to re-authenticate. The question is how long.
 
Have you tried setting him up with the M$ Authenticator App? And if it's not already been done, sign out of Outlook 2010.

Just saw the same with a test account I have. I'm sure at some point the client will have to re-authenticate. The question is how long.
That's a job for my on-site appointment scheduled on Tuesday. He's an older retired guy, and just too hard to try to deal with setting up the Authenticator app remotely. So on Tuesday we upgrade to Office 365, get Authenticator going, and see if there's any other way to harden his defenses. By then we should know if Nigeria is still connected, I have read a few threads that say eventually Exchange will demand new credentials so hoping by Tuesday that will have happened.

What's really maddening is that Microsoft flagged the Nigeria log ins as suspicious and asked if they were legit, but didn't offer any way to disconnect them beyond changing the password.
 
I've done this before, and it's worked for me. But yeah I can't boot myself out now either.

Which sadly means Outlook.com isn't fit for use, and there's jack you can do. You cannot "secure" the tenant, you're sunk.

Time for him to get a new email address.

M365 side exchange will demand new credentials within an hour. I have no idea how long that takes on the free Outlook. But M365 also has a ton of places that work on a 48 hour cycle. So hopefully by the time the weekend passes it's as you hope and your Nigerian Prince is shown the boot.
 