Outlook Unusual sign-in activity

  • Question

  • I've had a bit of a weird experience with my Outlook account and am not sure what to think of it. I posted this on answers.microsoft.com but they referred me to this forum.

    At 02:42 this morning I received an email from the Microsoft Account Team (account-security-noreply@account.microsoft.com) saying there was some unusual activity on my account, coming from the following source:

    Country/region: Unknown
    IP-address: 25.160.32.24
    Date: 22-11-2016 02:42 (CET)
    

    I quickly verified whether this was not a phishing email, but in my Outlook inbox the email is marked as "This message is from a trusted sender" in a green banner.

    When I geolocate the IP, I get the following ISP: UK Ministry of Defence

    I didn't use the links in the email, but logged in via the web browser to change my password. I checked for other anomalies in my recent activity log, but to my surprise, this sign-in is not in the recent activity. Then when I returned to my inbox this warning email is suddenly in trash.

    Any ideas what is going on?

    Tuesday, November 22, 2016 10:28 PM

All replies

  • I am getting this as well. I already have 2 factor authentication turned on but I still get the error. It also appears that my application passwords are no longer functioning properly. If you notice the email comes from a green shield so it is supposed to be verified. When I check the account activity there is no login from that IP. What I find very interesting is that my Microsoft Authenticator app is not notifying me of login attempts.

    And now I am seeing unsuccessful sign-in attempts from IP: 25.164.164.11. When I do a lookup on that IP it resolves to the UK MoD.

    inetnum:        25.0.0.0 - 25.255.255.255
    netname:        UK-MOD-19850128
    country:        GB
    org:            ORG-DMoD1-RIPE
    admin-c:        MN1891-RIPE
    tech-c:         MN1891-RIPE
    status:         LEGACY
    mnt-by:         UK-MOD-MNT
    mnt-domains:    UK-MOD-MNT
    mnt-routes:     UK-MOD-MNT
    mnt-by:         RIPE-NCC-LEGACY-MNT
    created:        2005-08-23T10:27:23Z
    last-modified:  2016-04-14T09:56:26Z
    source:         RIPE # Filtered
    
    organisation:   ORG-DMoD1-RIPE
    org-name:       UK Ministry of Defence
    org-type:       LIR
    address:        Not Published
    address:        Not Published
    address:        Not Published
    address:        UNITED KINGDOM
    phone:          +44(0)3067700816
    admin-c:        MN1891-RIPE
    abuse-c:        MH12763-RIPE
    mnt-ref:        RIPE-NCC-HM-MNT
    mnt-ref:        UK-MOD-MNT
    mnt-by:         RIPE-NCC-HM-MNT
    mnt-by:         UK-MOD-MNT
    created:        2004-04-17T12:18:23Z
    last-modified:  2016-10-06T11:09:40Z
    source:         RIPE # Filtered
    
    person:         Mathew Newton
    address:        Network Technical Authority
    address:        UK Ministry of Defence
    phone:          +44 (0)00 000 00000
    abuse-mailbox:  hostmaster@mod.uk
    nic-hdl:        MN1891-RIPE
    created:        2005-03-18T10:42:04Z
    last-modified:  2016-09-22T10:16:55Z
    source:         RIPE # Filtered
    mnt-by:         UK-MOD-MNT

    Additionally, I can now no longer create new app passwords that are accepted by my Outlook 2016 programs.  


    • Edited by Krypts Tuesday, November 22, 2016 10:57 PM
    Tuesday, November 22, 2016 10:56 PM
  • I got exactly the same problem, shows up on https://account.live.com/activity too. The IP is 

    IP address: 25.164.59.30

    Date: 11/23/2016 10:10 AM (EST)

    and

    IP address: 25.164.59.30

    Date: 11/17/2016 7:03 AM (GMT)

    Source: whois.ripe.net
    IP Address: 25.164.59.30
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf
    
    % Note: this output has been filtered.
    %       To receive output for a database update, use the "-B" flag.
    
    % Information related to '25.0.0.0 - 25.255.255.255'
    
    % Abuse contact for '25.0.0.0 - 25.255.255.255' is 'hostmaster@mod.uk'
    
    inetnum:        25.0.0.0 - 25.255.255.255
    netname:        UK-MOD-19850128
    country:        GB
    org:            ORG-DMoD1-RIPE
    admin-c:        MN1891-RIPE
    tech-c:         MN1891-RIPE
    status:         LEGACY
    mnt-by:         UK-MOD-MNT
    mnt-domains:    UK-MOD-MNT
    mnt-routes:     UK-MOD-MNT
    mnt-by:         RIPE-NCC-LEGACY-MNT
    created:        2005-08-23T10:27:23Z
    last-modified:  2016-04-14T09:56:26Z
    source:         RIPE # Filtered
    
    organisation:   ORG-DMoD1-RIPE
    org-name:       UK Ministry of Defence
    org-type:       LIR
    address:        Not Published
    address:        Not Published
    address:        Not Published
    address:        UNITED KINGDOM
    phone:          +44(0)3067700816
    admin-c:        MN1891-RIPE
    abuse-c:        MH12763-RIPE
    mnt-ref:        RIPE-NCC-HM-MNT
    mnt-ref:        UK-MOD-MNT
    mnt-by:         RIPE-NCC-HM-MNT
    mnt-by:         UK-MOD-MNT
    created:        2004-04-17T12:18:23Z
    last-modified:  2016-10-06T11:09:40Z
    source:         RIPE # Filtered
    
    person:         Mathew Newton
    address:        Network Technical Authority
    address:        UK Ministry of Defence
    phone:          +44 (0)30 677 00816
    abuse-mailbox:  hostmaster@mod.uk
    nic-hdl:        MN1891-RIPE
    created:        2005-03-18T10:42:04Z
    last-modified:  2016-11-22T20:15:10Z
    source:         RIPE # Filtered
    mnt-by:         UK-MOD-MNT
    
    % Information related to '25.160.0.0/11AS203665'
    
    route:          25.160.0.0/11
    descr:          UK Ministry of Defence
    origin:         AS203665
    mnt-by:         UK-MOD-MNT
    created:        2015-11-25T11:02:00Z
    last-modified:  2015-11-25T11:02:00Z
    source:         RIPE
    
    % This query was served by the RIPE Database Query Service version 1.88 (BLAARKOP)

    Tuesday, November 22, 2016 11:36 PM
  • This happened to me as well yesterday and this morning, at exactly the same time stamp.

    Information on Login: Country / region: Unknown 

    IP Address: 25.166.133.13

    Date: 2016-11-22 04:55 (CET)

    and

    Information on Login: Country / region: Unknown 

    IP Address: 25.166.133.13

    Date: 2016-11-23 04:55 (CET)

    Seems like we are all in the same boat with the same symptoms.


    • Edited by Catcloud Wednesday, November 23, 2016 6:31 AM
    Wednesday, November 23, 2016 6:03 AM
  • Had the same problem today

    IP Address: 25.165.175.27
    Date: 2016-11-23 1:35 (MSK)

    Wednesday, November 23, 2016 9:26 AM
  • Same here. 25.XXX.XXX.X was marked as suspicious on my account in the early morning of Nov 22nd and also Nov 23rd. However, I believe it is benign.

    mnt-routes:     UK-MOD-MNT
    mnt-by:         RIPE-NCC-LEGACY-MNT

    Wednesday, November 23, 2016 12:11 PM
  • I've gotten it two days in a row.  Same 25.X.X.X ip address.  Same whois trace to UK Ministry of Defence.  Same green shield in my inbox.  Same issue of nothing showing up in recent activity.

    Once at ~8:30pm EST on 21 Nov. and once at ~2:58am EST on 23 Nov.

    After the first notification, I changed my password.  Both times I got an email and a text message, so it is highly unlikely it is not a legit notification.

    Hopefully it is a false warning.

    Wednesday, November 23, 2016 12:51 PM
  • Same problem and alert email! The IP address in my case was 25.163.112.23 which also belongs to the UK Ministry of Defense according to an IP WHOIS.

    When I look at the recent activity log I only see my own IP address (there is nothing from any 25.x.x.x addresses) which is a huge relief, but that's assuming one can trust Microsoft to get the recent activity log right. I use complex, random passwords with 2-factor authentication so the odds of someone logging into my account are slim.

    I really wish the alert email was more helpful. There's just enough information to get you worried but not enough information to help you get to the bottom of exactly what triggered the alert and how far they got with the attempted login. Why not just say EXACTLY what triggered the alert instead of this vague "We detected something unusual about a recent sign-in" message?

    Thursday, November 24, 2016 3:28 AM
  • Hi all,

    Thank you for visiting our forum.

    This forum is for general questions and feedback related to Outlook desktop applications. It looks like you are encountering an issue related to an Outlook.com account. Since there is not much we can do on this issue from the Outlook client side, I'd recommend you contact support via an online form. Or, you can post your questions to the forum dedicated to Outlook.com:

    https://answers.microsoft.com/en-us/outlook_com/forum

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.

    If I've misunderstood something, please feel free to let me know.

    Regards,

    Steve Fan


    Please remember to mark the replies as answers if they helped.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Steve Fan Thursday, November 24, 2016 6:19 AM
    Thursday, November 24, 2016 6:19 AM
  • existing topic

    https://answers.microsoft.com/en-us/outlook_com/forum/osecurity-oinfosafe/outlook-unusual-sign-in-activity/4f2d5dfd-d4ca-4e9c-aadf-dfdfffa56f40

    Thursday, November 24, 2016 6:32 AM
  • So, UK Ministry of Defence is hacking all accounts and searching something or someone :) :) 
    Thursday, November 24, 2016 7:29 AM
  • I posted my questions on https://answers.microsoft.com/en-us/outlook_com/forum but they suggested I post this here?
    Thursday, November 24, 2016 10:53 AM
  • My email was "hacked" again

    IP Address: 25.165.177.152
    Date: 2016-11-24 16:32 (MSK)

    Thursday, November 24, 2016 1:54 PM
  • I took your advice and used the form to contact MS directly. After about 5 messages back and forth to clarify the problems I am giving up. I don't know why MS hires these people that keep sending me default answers on "how to better secure your account", without even acknowledging my questions on why the login is not in the activity log etc.

    Back to Gmail for me.

    Wednesday, December 7, 2016 3:26 PM
  • I am getting this as well but I'm suspicious that it is a false positive.  I have had these before and they have usually been related to Microsoft's own IPs and my using my outlook.com mailbox as a "connected account" in Office 365.

    What is different here is that the IPs come up UK MOD in a whois IP search.  However I see no other IMAP access (from MS servers) to my Office 365 account.

    --

    Simon


    Simon Hetzel Microsoft Dynamics CRM Consultancy Microsoft Server/Infrastructure Architecture http://uk.linkedin.com/in/simonhetzel

    Saturday, March 3, 2018 9:06 AM
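
An added example, not part of any post in this thread: a small parser for RIPE RPSL whois output like that quoted above, used to check every alert address reported in the thread against the `inetnum` range and the `route` prefix. The sample text is a constructed, trimmed copy of the quoted output, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: trimmed from the RIPE whois output quoted in this thread.
SAMPLE_WHOIS = """\
% Note: this output has been filtered.

inetnum:        25.0.0.0 - 25.255.255.255
netname:        UK-MOD-19850128

route:          25.160.0.0/11
origin:         AS203665
"""
# Addresses the posters in this thread reported in their alerts.
REPORTED = ["25.160.32.24", "25.164.164.11", "25.164.59.30", "25.166.133.13",
            "25.165.175.27", "25.163.112.23", "25.165.177.152"]

def parse_rpsl(text):
    """Split RPSL text into objects: lists of (attribute, value); no continuation lines."""
    objects, current = [], []
    for line in text.splitlines() + [""]:   # trailing "" flushes the last object
        if line.startswith("%"):            # server comment line
            continue
        if not line.strip():                # blank line ends the current object
            if current:
                objects.append(current)
            current = []
        else:
            key, _, val = line.partition(":")
            current.append((key.strip(), val.strip()))
    return objects

def networks(objects):
    """Return {label: [ip_network, ...]} for inetnum and route objects."""
    out = {}
    for obj in objects:
        kind, value = obj[0]                # first attribute names the object type
        if kind == "inetnum":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
            out[f"inetnum {value}"] = list(ipaddress.summarize_address_range(lo, hi))
        elif kind == "route":
            origin = dict(obj).get("origin", "?")
            out[f"route {value} {origin}"] = [ipaddress.ip_network(value)]
    return out

def coverage(addresses, nets):
    """Map each address to the labels of every object whose range contains it."""
    return {a: [label for label, ns in nets.items()
                if any(ipaddress.ip_address(a) in n for n in ns)]
            for a in addresses}
```

Calling `coverage(REPORTED, networks(parse_rpsl(SAMPLE_WHOIS)))` shows that all seven reported addresses fall inside both the 25.0.0.0/8 allocation and the 25.160.0.0/11 route object, so the differing IPs in the alerts map to one registry entry.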