Recovering from compromised Outlook.com email?
August 6, 2022 11:08 AM
My father uses outlook.com (formerly hotmail) for email. Sometime on Thursday, his account was compromised. I don't use Hotmail and I'm not really familiar with how these intrusions tend to run, so seeking some help on how to advise him to recover.
Around mid-day on Thursday, my father stopped receiving email at his Hotmail.com address. A few hours later, he started getting calls from friends that they had received spam that appeared to be sent from his email address. I happened to call him today and he told me about this. I immediately got him into a TeamViewer session, and we determined that someone had accessed his Outlook account, added a forwarding rule, and set it to delete the forwarded messages. I deleted the forwarding rule. He's changed his password.
He's now getting tens of "undeliverable" postmaster messages as the threat actor goes through his scraped email, sending spoofed messages to every address he's ever interacted with.
My concerns:
1) In order to access his account settings and remove the forwarding rule, we had to go through SMS two-factor. How on earth did the intruder add a forwarding rule without authenticating? Does this imply that even after changing his password, we may have an ongoing intrusion?
2) At this point, is there anything he can do about the spoofed messages using his address?
3) My father claims that all his financial accounts require SMS auth. However, I feel very uncomfortable with an intruder having access to his entire email account + forwarded messages for 72 hours!? I guess if he can still log into the accounts his password probably hasn't been reset by the intruder, but then, somehow the intruder worked around SMS auth on Hotmail. Any advice here aside from "change all the passwords?"
I know he should use 2FA but he's in his mid-80s and probably not willing to learn that.
He's in the Apple ecosystem (an Intel Macbook Air running macOS 12 and an updated iPhone); I'm not sure if I should be advising him to nuke and reinstall his OS at this point.
Any advice? I generally run a pretty tight infosec ship at home, so parachuting into an incident this developed is pretty unnerving.
Response by poster: I promise not to thread-sit, but I asked him to install TeamViewer for me to remote access and help sort this out -- I asked him to install it because I was having poor luck talking him through things over the phone. I'm almost certain he hasn't had it on this machine before (I had to talk him through enabling the screen sharing preference in System Prefs via a video call). I'll call back and ask him to uninstall it, thank you for the reminder!
posted by Alterscape at 12:24 PM on August 6, 2022
Regarding how someone accessed the account, there's a good chance they didn't. The more common avenue for something like this is something that got into the computer where the account is set up in a mail client. I'd look for innocuous-seeming emails with attachments from around the time this started happening, although that might not have been the vector and it's possible to delete those emails if someone's being careful.
Rather than defeat passwords and multi-factor authentication externally, a simple script running on that computer can set up the forwarding rules using the mail client and its existing credentials to the account. It would not be a bad idea to run AV on that computer if possible in case something persistent got left behind, but generally these are low effort run-once scripts.
posted by figurant at 2:39 PM on August 6, 2022 [1 favorite]
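The forward-and-delete rule the poster found is the classic sign of a mailbox takeover, whether it was set through a stolen session or by something running in the local mail client. The following is an added example, not code from any commenter or from Microsoft: it audits an exported list of inbox rules and flags the ones a responder would want to look at (external forward/redirect, delete-or-hide actions, no conditions, blank name). The rule objects are constructed by hand and only borrow the field names of a Microsoft Graph `messageRule` (`displayName`, `conditions`, `actions.forwardTo` / `redirectTo` / `delete`); that export shape is an assumption.

```python
"""
Audit an exported list of inbox rules for the forward-and-delete pattern.
Added example; the rule objects below are constructed and their shape
(Graph-style messageRule field names) is an assumption about the export.
"""
from __future__ import annotations

# Constructed sample export: one benign rule and one attacker-style rule.
SAMPLE_RULES = [
    {
        "displayName": "Newsletters",
        "isEnabled": True,
        "conditions": {"senderContains": ["newsletter"]},
        "actions": {"moveToFolder": "Newsletters"},
    },
    {
        "displayName": ".",
        "isEnabled": True,
        "conditions": {},
        "actions": {
            "forwardTo": [{"emailAddress": {"address": "collector@example.net"}}],
            "delete": True,
            "stopProcessingRules": True,
        },
    },
]

FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDING_FOLDERS = {"deleteditems", "deleted items", "junkemail", "junk email", "rss feeds"}


def _forward_targets(actions: dict) -> list[str]:
    """Collect every address a rule forwards or redirects to."""
    targets = []
    for key in FORWARD_ACTIONS:
        for recipient in actions.get(key) or []:
            targets.append(recipient["emailAddress"]["address"].lower())
    return targets


def audit_rules(rules: list[dict], own_domains: list[str]) -> list[tuple[str, list[str]]]:
    """Return (rule name, reasons) for each enabled rule that deserves a look."""
    own = {d.lower() for d in own_domains}
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        actions = rule.get("actions") or {}
        name = rule.get("displayName", "")
        reasons = []

        # Forwarding to a domain the owner does not control is the exfil channel.
        external = [a for a in _forward_targets(actions) if a.rsplit("@", 1)[-1] not in own]
        if external:
            reasons.append("forwards or redirects to outside address: " + ", ".join(external))

        # Deleting or burying the copy keeps the owner from noticing.
        hides = bool(actions.get("delete")) or str(actions.get("moveToFolder", "")).lower() in HIDING_FOLDERS
        if hides:
            reasons.append("hides the message from the inbox (delete / move to Deleted or Junk)")

        if not rule.get("conditions"):
            reasons.append("applies to every incoming message (no conditions)")
        if len(name.strip()) <= 1:
            reasons.append("blank or one-character rule name")
        if actions.get("stopProcessingRules"):
            reasons.append("stops later rules, so nothing else sees the message")

        if external and hides:
            reasons.append("forward-and-hide: the pattern of an account takeover, remove it and reset credentials")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, ["hotmail.com", "outlook.com"]):
        print(f"rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Run against a real export, pass the domains the owner actually controls as `own_domains`; any rule that both forwards outside and hides the original should be deleted and treated as evidence of an active compromise, not just cleaned up.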
Did he lose cell service for those SMS to go to another spoofed handset? If so, hardware MFA will be needed.
Have you logged out all Outlook sessions so nothing can keep authenticating and sending?
Did he open scripts or web pages from unexpected emails? Do any still sit in his email folders?
Have you run a scan like MalwareBytes to remove any scripts that might have sneaked onto his computer?
posted by k3ninho at 2:30 AM on August 7, 2022
1) There are some SMS scams out there, too. My mom (a boomer in her late 60s) gave her AT&T verification code to a text scammer and she's usually pretty savvy.
I'd consider reaching out to Outlook's support to figure out how he/she worked around the SMS auth (if that's what happened), the sooner the better. I'm not sure what support they provide in this case but I think it's worth asking.
2) The spoofed messages are out there and there's nothing to do about them. Do you see them in Sent Items in outlook.com? I'm curious (besides the forwarding rule that was definitely done) if this person sent them out from the outlook interface or if they just spoofed the address ('joe-job').
3) I'd consider switching him to 2FA like you said but I understand the reluctance. I'd probably change the more important passwords like banks or anything that has my banking information.
posted by getawaysticks at 12:17 PM on August 6, 2022
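The question above, whether the spam went out through the account or was only spoofed with the address, can be answered from the bounces themselves, because a postmaster "undeliverable" message quotes back the headers of the original. The following is an added example, not code from the thread: it parses those quoted headers and classifies the message. It assumes the receiving server stamped an `Authentication-Results` header, and that mail which genuinely left an outlook.com account arrives from a relay under `outbound.protection.outlook.com` with `spf=pass` and `dkim=pass` for the sender's domain; both header samples are constructed.

```python
"""
Triage a bounce: was the original mail sent through the account, or spoofed?
Added example.  The two header samples are constructed; the relay-name
suffix and the pass/fail expectations are assumptions stated in the lead-in.
"""
import email
import re
from email import policy

# Constructed: original headers quoted in a bounce for a spoofed message.
SPOOFED = """\
Received: from mail.example.org (mail.example.org [203.0.113.5])
\tby mx.friend.example (Postfix) with ESMTP id 1234; Thu, 4 Aug 2022 12:01:00 +0000
Authentication-Results: mx.friend.example; spf=fail smtp.mailfrom=hotmail.com;
\tdkim=none; dmarc=fail header.from=hotmail.com
From: Dad <dad@hotmail.com>
To: friend@friend.example
Subject: hello
Message-ID: <abc@mail.example.org>

spam
"""

# Constructed: the same for a message that genuinely left the account.
GENUINE = """\
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10olkn2080.outbound.protection.outlook.com [40.92.47.80])
\tby mx.friend.example (Postfix) with ESMTPS id 5678; Thu, 4 Aug 2022 12:05:00 +0000
Authentication-Results: mx.friend.example; spf=pass smtp.mailfrom=hotmail.com;
\tdkim=pass header.d=hotmail.com; dmarc=pass header.from=hotmail.com
From: Dad <dad@hotmail.com>
To: friend@friend.example
Subject: hello
Message-ID: <def@NAM10-BN7-obe.outbound.protection.outlook.com>

spam
"""

OUTLOOK_RELAY_SUFFIX = ".outbound.protection.outlook.com"  # assumption, see lead-in


def _first_received_host(msg) -> str:
    """Hostname in the topmost Received: header, i.e. who handed it to our MX."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.match(r"\s*from\s+(\S+)", str(received[0]))
    return m.group(1).lower() if m else ""


def _auth_result(auth: str, method: str) -> str:
    """Pull spf=/dkim= result out of an Authentication-Results value."""
    m = re.search(rf"\b{method}=(\w+)", auth)
    return m.group(1).lower() if m else "missing"


def classify(raw_headers: str) -> dict:
    msg = email.message_from_string(raw_headers, policy=policy.default)
    auth = " ".join(str(h) for h in (msg.get_all("Authentication-Results") or []))
    relay = _first_received_host(msg)
    spf, dkim = _auth_result(auth, "spf"), _auth_result(auth, "dkim")
    via_outlook = relay.endswith(OUTLOOK_RELAY_SUFFIX)

    if via_outlook and spf == "pass" and dkim == "pass":
        verdict = "sent-through-account"   # attacker had a working session
    elif not via_outlook or spf == "fail" or dkim == "fail":
        verdict = "spoofed"                # From: forged from an unrelated host
    else:
        verdict = "inconclusive"
    return {"relay": relay, "spf": spf, "dkim": dkim, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("spoofed sample", SPOOFED), ("genuine sample", GENUINE)):
        print(label, classify(sample))
```

A run of "sent-through-account" verdicts means the credentials or a session were in the attacker's hands and every session should be signed out; a run of "spoofed" verdicts means the address book was harvested and nothing on the account side will stop the bounces, only recipients' DMARC checks will.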