Recently we have had a couple of companies contact us because their Microsoft email accounts had been compromised. In one case the password the person had used was weak – just a simple 7 letter word. So we are recommending that customers ensure they use strong passwords.
How Did We Know a Breach Had Happened
Without breaching customer confidentiality, and keeping it simple:
In one instance the customer received notifications that their email had possibly been compromised. On investigation it turned out that someone from the Far East had accessed the account.
In another instance, it was a little more complicated.
- So, say the owner of the email account was Joanne, and she was asking her accounts department to send a payment to Customer A.
- Joanne’s email account was accessed by a hacker via the Internet.
- The hacker checked the emails that were being sent to Customer A and then forwarded some of those emails on to the accounts department, confirming the payment that needed to be made and the bank details (which were the hacker's own).
- So as far as the accounts department was concerned everything was normal: the email was coming from Joanne, and they could see a history of emails between Joanne and the customer.
- It was only that Joanne noticed emails seemed to have been sent from her account that she had not actually sent!
It Doesn't Affect Me As I Don't Have A Microsoft Account Or Collect My Emails Online
This may not be true...
You may be using a Microsoft account even if you are not logging on via the Internet
Often people like to use email applications to collect their email, such as Microsoft Outlook, Mozilla Thunderbird, Mac Mail, etc., and can then forget that they are using a Microsoft account. In fact this was true of one of the customers mentioned above. They had an email address firstname.lastname@example.org and used Microsoft Outlook, and so didn't realise that it was possible to log onto their email account from any web browser at microsoftonline.com.
You may be using a Microsoft account even if your email address is not email@example.com.
BT and Yahoo are just two examples of companies whose email addresses run on Microsoft email accounts.
Many businesses link their domain to an Office 365 account, so although a person may be sending from the address firstname.lastname@example.org, they can also log onto their account at any time at microsoftonline.com.
If you are using Local Exchange a hacker can still access your email account via the Internet
Many companies still have a local Microsoft Exchange server and rarely access their email online. Therefore many do not think that their email can be accessed via the Internet, but using OWA (Outlook Web Access) it is possible. In this case the password a person uses to log onto their computer is the same password used to log onto the email account. This can make these companies vulnerable, as people are often a lot less conscientious about the password used to log onto their computer than they are about an online account.
Creating Strong Passwords is Too Much Hassle!
Having a system helps, and you need to play to your strengths. Some people find it easy to remember numbers, others find words easier. Some will find a pictorial or musical prompt easiest. Don't enforce numbers on someone who remembers words, and vice versa. Recognise what you find easiest to remember and create passwords that work for you.
I know that choosing strong passwords can be challenging and I recently did a blog post about this, which has suggestions that may help: https://technologytamed.com/gdpr-and-passwords/
Make Sure Your Recovery Information is Up-to-Date
If a hacker does take control of a personal Microsoft account and you want to get it back, Microsoft will ask you for the answers to your Security Questions. These are often set up at the time the account was created and then forgotten. Microsoft will also have asked for an alternative email address and a mobile telephone number. Often, by the time there is a problem, the alternative email address is defunct and the mobile number has changed. So it is good housekeeping policy to check once a year that you still know your Security Questions and that your recovery details are current.
Whatever you do, we would recommend that people are vigilant at the moment.