Ask HN: Is there a reason Microsoft servers would access my account via IMAP?
7 points by babuskov on July 13, 2022 | hide | past | favorite | 8 comments
I have a Microsoft Live account created for my kids to play Minecraft. Yesterday I got a strange security warning telling me that someone tried to log into it and the account was locked.

I managed to unlock it via 2FA, and looked at the log they made available. It reported a "strange" login from the USA (I'm from Europe), and the IP address, which I looked up via WHOIS, appears to be an internal IP of Microsoft itself.

The access type was IMAP. Is it possible that it was just MS servers moving stuff around? Do they really have to authenticate as users? Is this a common thing?

I was presented with options to select if that was me or not. I selected not, hopefully it doesn't mess up anything.




Here is my hot take. N.B. that I have no idea what I'm talking about.

Some other kids tried to use a Microsoft mail service of some kind to access the emails in those accounts (for example, to get a password reset email for the Minecraft account).

The login attempts came from Microsoft servers rather than the kids' home internet connections, because that is how it works when you ask a web app to go fetch mail from another account for you. And conveniently, it obscures the home IP addresses of whoever was doing it.

Like I said, I have no idea what I'm talking about. Good luck!



Same thing happened to me on an @outlook.com account that has only been used to send mail to three recipients since it was created.

MS owned offending IP: 13.101.55.39

Did a whois, and saw it was MS owned. Was worried it might just be MS being broken and alerting on their own stuff, so didn't flag it, and got another attempt from the same IP a couple hours later. Flagged it then.

Could be an attacker using Azure to host attacks, but since my @outlook.com email address is not really guessable nor in circulation (long, not dictionary words/names, and only used a few times) MS just being broken might be more likely?

Another option is that Cloudflare and MS's new relationship to provide Warp VPN as a built-in for Edge results in Warp sometimes terminating directly within MS address space?

https://www.zdnet.com/article/microsoft-readies-a-built-in-v...

I'm currently using Warp on my phone to avoid spying by my carrier (who is known to be terrible about this).

Are you using Cloudflare's Warp VPN on any devices that might be accessing the email accounts via IMAP?


> Are you using Cloudflare's Warp VPN on any devices that might be accessing the email accounts via IMAP?

No.

I'm not even using this account for e-mail or anything. It uses a @gmail.com address, so I don't think it even has e-mail? Not quite sure how that works.

I was forced to switch from Mojang Minecraft account to Microsoft account for Minecraft to keep working properly.


Thanks. Sounds more like MS just being broken then.

I haven't had another of these alerts since my last response to you.


Microsoft-owned IPs could be from their Azure cloud services. I believe they use their Microsoft Network AS for that (their ISP, which I think is defunct) rather than their corporate AS, but it can be hard to tell the difference sometimes.
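The two comments above (the WHOIS lookup on 13.101.55.39 and the Azure-vs-corporate-AS point) both hinge on the same check: does the source IP fall inside a provider's published address space, and what does that actually tell you? The script below is an added example, not code from the thread or from Microsoft. It assumes a prefix list shaped like the provider's downloadable range file; the CIDRs in it are constructed placeholders (one is chosen only so that the IP quoted in the thread matches), the sample sign-in events are constructed, and "DE" is a stand-in for the poster's "Europe". The point it makes is the one the thread circles around: a cloud-range hit says where the request was hosted, not who operated it, so a login is flagged on the combination of signals (legacy protocol nobody on the account uses, geolocation mismatch, hosted source) rather than on ownership alone.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder prefix list. It stands in for a provider-published range
# file (Azure, for instance, publishes its public IP ranges for download). These
# CIDRs are NOT claimed to be accurate; they only let the check run offline.
CLOUD_PREFIXES = {
    "microsoft-cloud": [ipaddress.ip_network(p) for p in ("13.101.0.0/16", "20.33.0.0/16")],
    "other-cloud": [ipaddress.ip_network("198.51.100.0/24")],  # RFC 5737 documentation range
}


@dataclass
class SignIn:
    ip: str
    protocol: str   # e.g. "IMAP", "Web", "MobileApp", as shown in the account's activity log
    country: str    # two-letter code from the provider's geolocation of the source IP
    success: bool


@dataclass
class Assessment:
    verdict: str                      # "expected", "review" or "suspicious"
    reasons: list = field(default_factory=list)


def cloud_owner(ip: str):
    """Return the provider label whose prefix list contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in CLOUD_PREFIXES.items():
        if any(addr in net for net in nets):
            return owner
    return None


def assess(event: SignIn, home_country: str, imap_in_use: bool) -> Assessment:
    """Combine the independent signals into a triage verdict for one sign-in event."""
    reasons = []
    owner = cloud_owner(event.ip)
    if owner:
        # A cloud range identifies the hosting network, not the operator: a
        # provider's own service and a tenant's rented VM look identical here.
        reasons.append(f"source {event.ip} is in {owner} address space (hosting, not identity)")
    if event.country != home_country:
        reasons.append(f"geolocation {event.country} differs from home {home_country}")
    if event.protocol.upper() == "IMAP":
        if imap_in_use:
            # Some mail apps fetch via a hosted proxy, so the IP is not the device's.
            reasons.append("IMAP login; a proxying mail client may explain the hosted source")
        else:
            reasons.append("IMAP login but no IMAP client is in use on this account")

    if event.protocol.upper() == "IMAP" and not imap_in_use:
        verdict = "suspicious"       # a legacy-protocol login nobody on the account should make
    elif reasons:
        verdict = "review"           # unusual, but explainable; needs a human look
    else:
        verdict = "expected"
    return Assessment(verdict, reasons)


# Constructed sample events. The first IP is the one quoted in the thread; the
# protocol, country and outcome are made up for the example.
SAMPLE_EVENTS = [
    SignIn("13.101.55.39", "IMAP", "US", False),
    SignIn("192.0.2.10", "Web", "DE", True),          # RFC 5737 address, "home" web login
    SignIn("198.51.100.7", "MobileApp", "US", True),  # hosted source, foreign, non-IMAP
]


def triage(events, home_country="DE", imap_in_use=False):
    """Return (ip, verdict) pairs for a list of events."""
    return [(e.ip, assess(e, home_country, imap_in_use).verdict) for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        a = assess(e, "DE", imap_in_use=False)
        print(e.ip, e.protocol, a.verdict)
        for r in a.reasons:
            print("   -", r)
```

In practice the prefix list would be loaded from the provider's current range download rather than hard-coded, and `imap_in_use` would come from knowing which clients are actually configured on the account; for the poster's case (no mail client at all) an IMAP login is the strongest single signal regardless of whose address space it came from.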


At least not that long ago, the Outlook app used to proxy access, as it was purchased from someone else rather than being a Microsoft product: it didn't have an IMAP client but asked a remote machine (in the USA) to connect on your behalf. I don't know if this is still the case, but given the neglect for mail clients I wouldn't be surprised.


Possibly related to this recent discussion [1] about Outlook and Bing visiting links inside email? Not sure why the access type would be IMAP though...

[1]: https://news.ycombinator.com/item?id=31892299
