EmailDiscussions.com  

Old 13 Feb 2024, 10:21 PM   #1
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,734
Prevent email spoofing?

An email address I own at a domain I own was once used by me with a Microsoft account, now closed around 10 years ago. I am now getting messages from MS telling me that someone has started a process to change all the security information on this old account (I thought long closed). The options in the MS emails don't work for me because they require me to log in to the long-closed account, or to use a form to retrieve the account that requires information like passwords, etc. I no longer have. My worry is that whoever is taking over the account will try to impersonate me since the email address includes my full name. It is an address I was using to apply for jobs back then. What to do to prevent someone from spoofing my email address and reviving this old MS account?
TenFour is offline   Reply With Quote

Old 14 Feb 2024, 01:30 AM   #2
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 486
Quote:
Originally Posted by TenFour View Post
What to do to prevent someone from spoofing my email address and reviving this old MS account?
How can someone else log in to the MS account? If you don't know the pswds any longer, how can they know them?

As for spoofing ... do you mean someone gaining the ability to intercept your email? Is that not a risk we all have all the time, nothing to do with the MS account?
JeremyNicoll is offline   Reply With Quote
Old 14 Feb 2024, 02:34 AM   #3
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,847
If it is an email address at your own domain then it has nothing to do with the MS account since you control the DNS for the domain and can make sure it doesn't point at anything MS.
So I guess the address in your own domain was just used as a backup address in that MS account, and the address that worries you is something like your.full.name@some.microsoft.domain. That's a real concern if whoever is trying to take over your account knows something about you, or about whoever you were corresponding with using that address, since using the same address with someone you already corresponded with can really look as if it is you.
Just using an email address with the full person's name is something a villain doesn't need an existing account to do. Anyone can open a new account on any free or paid service, with any available name, and if someone actually knows something about you like full name and address and phone number, something about what you're doing for a living or your personal life, then they can open an account somewhere with something that resembles your name, or even your full name, or they can register a domain name that sounds like something you might choose and use your full name at that domain, and then impersonate you and do things like create debt and leave it to you.
Anyway, if you are getting notifications from MS about activity in that old account, then sometimes it has a link to report something like "that wasn't me", and there should be some password reset method.
But I guess you already tried this and it didn't work, so perhaps the only way is to try to get human support from MS.
Another thing to check is if the messages are really from MS and not some sort of phishing (trying to get people to enter the login info to their MS account into some phony website), though what you describe doesn't sound like phishing, as it uses specific info such as an old backup email address.
hadaso is offline   Reply With Quote
Old 14 Feb 2024, 03:46 AM   #4
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,734
It is an email address at my own domain now, though I think I once had it hosted at Microsoft maybe 10 years ago as an Outlook.com premium address. Long since discontinued that with Microsoft, but the emails from Ms Support look totally legitimate and I checked the email headers etc. for signs of phishing and can't find any. My domain host took a look too and says they are legit Ms support messages. There appears to be no way to contact Ms since I can't log into that old account. Here's an example of one of the emails I received at a backup Gmail address:

Quote:
Microsoft account
Security info replacement reminder
Your security info for myemail@myname.com is pending replacement with scammersemail@scammer.com on 2/27/2024 2:21 AM (EST).

If this was you, click the button below to bypass the waiting period by using your existing security info.

Button: This was me

If this wasn't you, someone else might be trying to take over myemail@myname.com. Click here and we'll help you protect this account.

If you don't recognize the Microsoft account myemail@************, you can click here to remove your email address from that account.

Thanks,
The Microsoft account team
Privacy Statement
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052
TenFour is offline   Reply With Quote
Old 14 Feb 2024, 04:34 AM   #5
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,927
There do appear to be other ways to reach Microsoft, although I have never tried these:
https://www.wikihow.com/Contact-Microsoft

I agree that this could be coming from a scammer. For example, they could send messages impersonating you to your friends and family, hoping to convince them to give them money (for an emergency or some other ruse). Or they might hope that the address was used as a backup address for some account which they might be able to wrest control over.

But it could just be someone with your exact name. My first and middle names are very common in the US, but my last name is rather uncommon. According to a name frequency site, there are about 2,700 persons in the US (1:135,000) with my last name in the US, which gives it a rank of about 14,000. When I perform a Google search for my exact full name (in quotes), I find references to myself and several other people. Your full name is most often found in obituaries and legal documents (such as property records), so there are probably others with my full name still living but which can’t easily be found with such a search. For example, they might be found using my middle name initial. I see many such hits when I search using my middle initial.

So might it be possible that someone is just trying to use their actual full name as a new email address? You did that once, and they have just as much right to use such an email address as you do, assuming of course that they are not trying to impersonate you.

This brings up the power that names have for us. At a hobby event (Amateur Radio hamfest) recently, I met someone whose name badge said “Rusty B***” (obfuscated by me). I overheard them saying that they had finally retired as an airline pilot for American Airlines. Although I did not recognize the face, body, or voice of this person in front of me, I used to know well a “Rusty B***” who had been a pilot and trainer for an American Airlines affiliate and so had flown American Airlines branded flights on aircraft with their logo. As I was talking to this new to me Rusty, I asked him a few things I knew about the Rusty I had known. Most of the things I asked (about motorcycle riding, moving, divorce, and of course getting an Amateur Radio license) matched. This person in front of me had changed his Amateur Radio callsign, so that added some uncertainty for me. I later learned that they are completely different people who have never met each other but both worked for American Airlines (or an affiliate with that same branding for ticketing) with the same nickname, last name, and similar hobbies. If you haven’t seen someone in a decade you can become very confused about someone’s identity, especially if many things about their lives seem to match.

Bill (but uniquely known as n5bb)
n5bb is offline   Reply With Quote
Old 14 Feb 2024, 04:52 AM   #6
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,847
Now I really don't get it.
If myname.com is your domain, that you have registered at some domain registrar, and the registration hasn't expired, then how is it related to that MS account? If the NS records for your domain do not point to MS then hacking your old MS account cannot host email for your domain.

If the email address myemail@myname.com was used as the username for that MS account, with some password that has been forgotten, then replacing it with scammersemail@scammer.com will probably break any connection between that account and your domain.
I don't understand what is the "security info for myemail@myname.com" that is being replaced, and how it can be replaced with some other email address if it is the "security info" for a particular address.
This message from MS is quite uninformative about what's really happening.
hadaso is offline   Reply With Quote
Old 14 Feb 2024, 05:14 AM   #7
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,734
Quote:
If the email address myemail@myname.com was used as the username for that MS account, with some password that has been forgotten, then replacing it with scammersemail@scammer.com will probably break any connection between that account and your domain.
I don't understand what is the "security info for myemail@myname.com" that is being replaced, and how it can be replaced with some other email address if it is the "security info" for a particular address.
This message from MS is quite uninformative about what's really happening.
Yes, confusing what is going on! My guess is this. Ten years ago I briefly used this email address to open and manage a Microsoft account. I shut that account down at some point I believe also about 10 years ago. But, despite what Ms says, they don't actually totally delete an account. It goes dormant somehow, on the assumption (probably true) that many people change their minds and decide they want the account back at some point. Someone, somehow has submitted some form to take over that account. How or why I don't know, and most troubling is why would Ms allow that at all? It appears they have a 30-day wait period before the takeover is complete, so that legit owners of the account can dispute the change, but since it has been so long I don't have things like the old passwords, the old phone number, or old email subject lines they insist I provide to log in to that long ago closed account.

By the way, I have checked my domain's current DNS records just to make sure nothing is pointing to Ms or anywhere it shouldn't be.

Just to add to the confusion, a different, currently being used, Ms account I own has been targeted by numerous failed login attempts over the last month or two. Frankly, I can't remember if this old closed account and my current account had any relationship at all, but it seems odd that both are being targeted.
TenFour is offline   Reply With Quote
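
Added example (not part of any post in this thread): one way to do the DNS check discussed in posts #3, #6 and #7, scanning a domain's records for anything that still points at Microsoft. The function names, the short non-exhaustive suffix list and the example.com zone data are assumptions constructed for this illustration.

```python
# Added illustration; zone data below is constructed (example.com), not from the thread.

# Assumed, non-exhaustive list of hostname suffixes operated by Microsoft.
MS_SUFFIXES = ("outlook.com", "hotmail.com", "office365.com",
               "onmicrosoft.com", "microsoft.com")


def is_ms_host(host):
    """True if host is, or is a subdomain of, one of the Microsoft suffixes."""
    host = host.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in MS_SUFFIXES)


def parse_records(zone_text):
    """Yield (name, rtype, rdata) from 'name [ttl] IN TYPE rdata' lines."""
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # blank line or comment
            continue
        tokens = line.split()
        if "IN" not in tokens:
            continue
        i = tokens.index("IN")
        if i + 2 >= len(tokens):               # no type or no rdata
            continue
        yield tokens[0], tokens[i + 1].upper(), " ".join(tokens[i + 2:])


def find_microsoft_pointers(zone_text):
    """Return (name, rtype, detail) for every record that references Microsoft."""
    findings = []
    for name, rtype, rdata in parse_records(zone_text):
        if rtype in ("NS", "CNAME", "MX"):
            target = rdata.split()[-1]         # MX rdata is 'priority host'
            if is_ms_host(target):
                findings.append((name, rtype, target.rstrip(".")))
        elif rtype == "TXT":
            txt = rdata.replace('" "', "").strip('"')
            if txt.lower().startswith("ms=ms"):
                findings.append((name, rtype, "Microsoft domain-verification token"))
            elif txt.lower().startswith("v=spf1"):
                for term in txt.split()[1:]:
                    mech, _, value = term.lstrip("+-~?").partition(":")
                    if mech.lower() == "include" and is_ms_host(value):
                        findings.append((name, rtype, "SPF include:" + value))
    return findings


# Constructed sample: mail is hosted elsewhere, but three leftovers remain.
SAMPLE_ZONE = '''
; constructed records for illustration
example.com.              3600 IN NS    ns1.registrar-dns.example.
example.com.              3600 IN MX    10 mx1.mailhost.example.
example.com.              3600 IN TXT   "v=spf1 include:_spf.mailhost.example include:spf.protection.outlook.com -all"
example.com.              3600 IN TXT   "MS=ms00000000"
autodiscover.example.com. 3600 IN CNAME autodiscover.outlook.com.
www.example.com.          3600 IN CNAME web.mailhost.example.
'''

if __name__ == "__main__":
    for name, rtype, detail in find_microsoft_pointers(SAMPLE_ZONE):
        print(f"{name:28} {rtype:6} {detail}")
```

A leftover SPF include is the finding that matters most for spoofing, because it keeps authorising another provider's servers to send mail as the domain.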
Old 14 Feb 2024, 06:19 AM   #8
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,927
As I posted earlier, it might be coincidence and someone with your exact name. But if you are getting other attacks you should be very careful. I live in the US and a few months ago I was a victim of ACH fraud. All someone needs to obtain to try such a funds transfer is your bank routing number and account number. I think this is a horrible system and at the minimum I should be able to pre-approve which destinations can pull money from my account and I should be notified through a text message or even better secure app alert which would let me OPT IN to the transfer. But no … the bank let three multi-thousand dollar transactions go through in a one minute interval at 4 AM in the morning. When I woke up and checked my messages much later I discovered the alerts about the transactions which had already been initiated.

Fortunately my bank contested the transfers and clawed back my funds. But I had to freeze then close that checking account. I had just received new checks for the old account, so I had to shred them and order new checks, and change all of my auto-pay arrangements. It was a major pain!

I’m pretty sure that it was not a breach on my end which caused this issue. But the scammers don’t give up, and a few months later an overnight support person with my bank received a request about my account through a phone call, and they released some information which they shouldn’t about my accounts. I was not happy, and the bank flagged my account for fraud monitoring (which they forgot to do after the initial incident). I froze my credit at the three credit reporting agencies (one request will do it for all of them) and changed all of my significant passwords “just in case”.

The key ways that a scammer can break into your account are through your email account, mobile phone account, human error (convincing someone they are you), and physical mail (not used much any more). Since email is often used to reset an account after a forgotten password, it’s crucial that you use your most trusted email account as the backup address for accounts and you treat your email account as your most important security risk. I’m sure you know this, but it’s good to remind everyone reading these threads that protecting your main email account is more important than being sure you don’t leave your credit card lying around.

With AI getting better, my fear is that there will be a rash of fake calls to our family, friends, and business contacts we know (such as at financial institutions) impersonating our voice and mannerisms. One suggestion I just heard on an NPR (National Public Radio) program this past weekend is for everyone to set up a secret code we share with our family and close friends, so that if someone who sounds like you calls acting like an emergency has happened and they need something done ASAP you can get them to say the code so you know it’s not a scam. Be sure the person making the emergency request must say the code, not the receiver of the message.

Bill

Last edited by n5bb : 14 Feb 2024 at 06:24 AM.
n5bb is offline   Reply With Quote
Old 14 Feb 2024, 06:26 AM   #9
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,734
Quote:
The key ways that a scammer can break into your account are through your email account, mobile phone account, human error (convincing someone they are you), and physical mail (not used much any more). Since email is often used to reset an account after a forgotten password, it’s crucial that you use your most trusted email account as the backup address for accounts and you treat your email account as your most important security risk. I’m sure you know this, but it’s good to remind everyone reading these threads that protecting your main email account is more important than being sure you don’t leave your credit card lying around.
Good advice! Luckily, I haven't used this email address for any important accounts. It was mainly used for applying for jobs because it included my full name. Now I'm not so sure that is a good idea!

I already had my credit reports frozen, I changed the password and then went passwordless on my currently used Microsoft account, my domain is locked to prevent transfer. My main email account at another provider is protected by a security key. But, who knows what still exists on that old Microsoft account?
TenFour is offline   Reply With Quote
Old 14 Feb 2024, 06:39 AM   #10
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,847
Quote:
Originally Posted by TenFour View Post
... things like the old passwords, the old phone number, or old email subject lines they insist I provide to log in to that long ago closed account. ...
If they can use old email subject lines to verify you're connected to the account it means they haven't just kept the account dormant, but also they haven't deleted the data in the account (the email messages). I think it is a reasonable policy when one shuts down an account to not delete it completely, because deleting it completely allows someone else to open an account with the same username. But only the account name should be kept, and perhaps the password and some data that can be used for identification of the original owner, such as backup email addresses and phone numbers. But the data itself (email messages, stored files etc.) should be completely erased if the account owner asked to close the account and confirmed that the data should be deleted. In such case the data should be deleted within a short period of time, a couple of weeks or a month. And any verification data that is kept should not be shared with anyone trying to reopen the account.
What might be happening is that someone has managed to obtain access to the account, and perhaps already login to the account and obtain access to the data that was kept there. So if there were old emails there from or to your other MS account, then they could see that and try to obtain access to your other account. And when they try to delete the old email address you get notified about it.
One thing you have that can serve as proof of account ownership is that you own the domain of that address they want to change. If you also have proof that you registered that domain back when that account was in use then it is proof that you are the original owner of that account, and that MS should prevent anyone else from access to data kept in that account.
If an external email address can be used as the username in an MS account, then it is reasonable that if the account is closed, then later it can be reopened by anyone using that email address, but only if they can prove that they use that address (receive mail sent to it), and they should only be able to open a new account with that address as username, not to get access to the data in the closed account that belongs to a previous owner of that address.
hadaso is offline   Reply With Quote
Old 14 Feb 2024, 06:43 AM   #11
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,927
Before closing (or abandoning) an old email account, everyone should log into that account and permanently delete all messages (or other information) stored at that account. Then at least anyone who gets access won’t discover any private information about you. If you had emails from financial companies to you, the scammer would know the likely backup address you had used and they might try to convince the company to let them reset the account using the old email address. That sounds very insecure to me, but some people probably change their email to a new account and then forget the new password, causing them to want to use an old email reset.

Bill
n5bb is offline   Reply With Quote
Old 14 Feb 2024, 10:41 PM   #12
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,734
So, apparently Microsoft doesn't really close old accounts? Can one recover an old account closed 10 years ago, and will there still be old data there? Does anyone have any experience with this? An advisor in the Microsoft Community wrote this:
Quote:
I must inform you that it is not possible under any circumstances to reopen a Microsoft account that was closed 10 years ago. Microsoft has a strict policy of permanently deleting accounts that have been inactive for 2 years or 60 days if it is closed by the account owner.

And, Microsoft has a safety measure to protect your privacy. Once an account is closed permanently, it is not possible to recreate it with the same email address. So, in this case, it won't be possible to reopen the account that was closed 10 years ago.
TenFour is offline   Reply With Quote
Old 16 Feb 2024, 01:00 AM   #13
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,734
OK, I wasted an hour of my life in a chat with Microsoft, only to learn they consider the account still open and the only way for me to close it is to log in, which I can't do. I tried the recovery form, but it requires information I no longer have, like email subject lines last sent, etc. Very strange and frustrating. Essentially, I am screwed with this old account because some hacker has somehow provided enough information to be able to take over the account.
TenFour is offline   Reply With Quote
Old 16 Feb 2024, 07:36 AM   #14
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,847
So now perhaps the only remaining question is whether this is important enough for you to try to tackle it by legal means. That is to get a lawyer and try to get a court order that stops MS from handing over your data to someone else. Because at least according to what you say the email address that identifies the account is in your own domain, and even if it is not one of the methods that MS accepts as proof that it is you who used that account, and not whoever is now reviving the account, if you can provide documents that show the domain was registered by you and only you from the time the account was deserted till now, then it's proof that must be accepted by a court. It's just a matter of cost, that quite probably would be too high to be justified. Perhaps just mentioning (the hope of avoiding) the possibility of legal action can make MS consider ownership of the domain as enough proof it is you that used that account, and not someone else. My guess is that just mentioning the word "legal" would transfer the handling of the issue to someone that is allowed slight use of their brain and not just following protocol.
hadaso is offline   Reply With Quote
Old 17 Feb 2024, 05:47 AM   #15
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,734
A company like Microsoft would just shrug off legal action from any puny individual like me, and I'm sure that somewhere in some TOS I signed away any and all rights and liability. What I find disturbing is that they kept an account open that I thought was closed many years ago. In trying to recover the account I was able to answer a lot of questions on the form, and one of them indicated to me that I had used a phone number I discontinued in January 2019 so that indicates the account has been not used at least since before then. I also find it very disturbing that there is a method that someone can request to change all the security information on someone else's account!
TenFour is offline   Reply With Quote
All times are GMT +9.