An attack against your Microsoft account
Today, I received an email telling me that someone had tried to connect to my Microsoft account.
Naturally, what you expect from this kind of message is simple information such as:
- IP address
- Location


In our example there is probably nothing to worry about.
Basically the attacker just wanted to check that the email address is associated with a Microsoft account.
And I know that this mail address has already been the subject of a database leak.
You can check if your email and related information have been compromised on https://haveibeenpwned.com/.
But still, you may want to know the IP address to at least answer the question:
Is this an automated attack or am I specifically targeted?
Microsoft deliberately hides information about failed login attempts
Contrary to what they want you to believe, this is neither a technical limitation nor an innocent design choice.[1]
In the same situation, Google and most other platforms give you the IP addresses. Microsoft, however, has decided to conceal them from you.
Why?
Microsoft Sentinel
Because of money, of course. What were you expecting?
To put it simply, Microsoft has decided to keep this information hidden to turn it into a selling point for Microsoft Sentinel.
Microsoft Sentinel is a SIEM (Security Information and Event Management platform) used by professionals, mostly medium and large companies.
By concealing this information, they get an advantage: “We might be the only ones who know that this IP is dangerous. Pay for our service to be better protected!”

Source: https://realm.security/microsoft-sentinel-pricing-explained/
The ‘self-interested’ policy of Microsoft regarding security
Consider the very long delays in fixing Windows vulnerabilities they have been warned about, or the absolutely inefficient and frustrating fraudulent mail detection in Outlook.
Taking these examples into account, we can see Microsoft’s skewed perspective on how to protect its users. When they don’t care about it, they manage to monetize it.
As stated earlier, among large companies, Microsoft is one of the few to have decided to withhold the attacker’s IP address from regular users in order to monetize it.
Does our Internet security have to be marketable?
Making this information public would undeniably make the internet a safer place.
Imagine that Microsoft knows an IP is dangerous. Someone who hasn’t paid for Microsoft Sentinel may think this IP is clean because it is not reported publicly anywhere.
This is why communicating this kind of information publicly and instantly is important to protect people on the internet and make life more difficult for crooked scammers.
An analogy with a common law crime
Let me offer an analogy: imagine that a burglar tries to enter a house, fails and leaves the scene.
By luck, a camera has filmed the model and registration number of the burglar’s vehicle.
The security firm in charge of the camera notes the incident and the information.
The next day, the police walk past the car without doing anything: they don’t know the car is linked to an attempted burglary because they have not paid for access to the security firm’s database.
Meanwhile, your own house is being burglarized. How would you feel about it?
Pirates and scammers can hurt you badly
Of course, the consequences of an incident on the internet are not the same, but being scammed or having your identity stolen can be just as traumatic and serious.
In my opinion, this matter should be taken a lot more seriously than it is right now. To start, big companies like Microsoft should be forced to make their database of fraudulent IPs public.
[1] A message from a user saying that connection attempts are not present in the activity report of his Microsoft account: https://learn.microsoft.com/en-us/answers/questions/4757638/suspicious-login-attempts-but-no-activity-showing

