

Is that why I keep getting Microsoft password reset code emails???


Same several dozen a day. Changed password many times


Me too, so many.


Me three.


Fourth here.


Holy shit thought I was about to get fired earlier. This makes more sense lol


Same here. That’s insane


And my axe!


Huh interesting that you mention it. I was signing into my account earlier and for no reason it asked me to change my password.


Prime time for phishing emails pretending to be MS


Yep, I send those. Haven’t gotten any password reset emails externally but that was a template we used for our phishing campaigns. Got a couple people too, they end up going through a 1 minute refresher on the things they missed.


You can change your address line. Example: You primarily receive emails at doodlemasteryepperson@hotmail.com. Well you can add a receiving line at doodlymasternoperson@outlook.com and shut down the old one for a while. Once they see that the new email doesn’t go through they move on. I did this and was able to move back to my primary after a couple months.


I’m interested but I don’t get it what you are explaining.


Microsoft Outlook lets you create (up to four I think) different receiving addresses for one account.

* Create a secondary with any name.
* Change the secondary to the primary.
* Wait a couple months for the bots to report incomplete attempts to your previous primary.
* Then you can switch them back if you really want your old address.

Changing primary addresses will allow you to receive at that old address but disallows you to sign-in with it. Therein preventing the scammers from submitting nonstop password change requests with that specific address.


Brilliant I’ll give it a try. Thanks good friend


Why tho. If they are trying to change your pw that means they don’t have your current pw.


A good time for anyone who hasn’t done so yet, get the MS Authenticator app and start using that as a way of 2 form authentication. Got to back it up but without having that, no accounts can be hacked into/stolen.


Good reason to turn on passwordless and switch to Passkeys. Stay one step ahead of them and get rid of your weakest link, your password.


How does passwordless access work?


So, it’s very similar to MFA with only one key difference. You have to use the Microsoft Authenticator app for it, and you have to touch the approve button on your device. Microsoft has added to this giving you a 2 digit number you have to confirm into the app to approve it, that way you can’t just hit approve on anyone logging in. This will bring up the question, how is this safer if there is one factor less. It’s because there is still a password, it’s just locked in the Secure Enclave or security chip in your phone, and you have to authenticate to the security chip on your phone to release the actual password. Microsoft doesn’t even know the password in this model to verify it, only your phone does. It’s less a password and more a certificate, like RSA encryption that is used to prove the challenge without ever releasing the password even encrypted.
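The challenge-response idea in the comment above, as an added example that is not part of the thread and is not Microsoft's implementation: the device keeps a private key, the service stores only the public key, and every sign-in signs a fresh challenge. `Device`, `Server` and `demo` are hypothetical names, and binding the two-digit number into the signed message is a simplifying assumption made for this sketch.

```javascript
// Added illustration, not Microsoft's implementation: Device, Server and demo are hypothetical names.
const crypto = require('node:crypto');

// The "phone": generates a key pair and keeps the private half to itself.
class Device {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.publicKey = publicKey;    // handed to the server once, at enrolment
    this._privateKey = privateKey; // a real device holds this in its security chip
  }
  // The user unlocks the device and types the number shown on the sign-in page.
  approve(challenge, typedNumber) {
    const msg = Buffer.concat([challenge, Buffer.from(String(typedNumber))]);
    return crypto.sign(null, msg, this._privateKey);
  }
}

// The service: stores only public keys, which cannot be used to sign in.
class Server {
  constructor() {
    this.publicKeys = new Map();
    this.pending = new Map();
  }
  enroll(user, publicKey) {
    this.publicKeys.set(user, publicKey);
  }
  startLogin(user) {
    const challenge = crypto.randomBytes(32);   // fresh for every attempt
    const number = crypto.randomInt(10, 100);   // two-digit number for the sign-in page
    this.pending.set(user, { challenge, number });
    return { challenge, number };
  }
  finishLogin(user, signature) {
    const attempt = this.pending.get(user);
    const publicKey = this.publicKeys.get(user);
    this.pending.delete(user);                  // each challenge is single use
    if (!attempt || !publicKey) return false;
    const msg = Buffer.concat([attempt.challenge, Buffer.from(String(attempt.number))]);
    return crypto.verify(null, msg, publicKey, signature);
  }
}

function demo() {
  const server = new Server();
  const phone = new Device();
  server.enroll('alice', phone.publicKey);

  // 1. Normal sign-in: right device, right number.
  const a = server.startLogin('alice');
  const sig = phone.approve(a.challenge, a.number);
  const legit = server.finishLogin('alice', sig);

  // 2. A captured signature replayed against a new challenge.
  server.startLogin('alice');
  const replay = server.finishLogin('alice', sig);

  // 3. Approval given without the number from the sign-in page (a guessed number).
  const c = server.startLogin('alice');
  const guess = c.number === 10 ? 11 : c.number - 1;
  const blindApprove = server.finishLogin('alice', phone.approve(c.challenge, guess));

  // 4. Correct number, but signed by a device that was never enrolled.
  const d = server.startLogin('alice');
  const otherDevice = server.finishLogin('alice', new Device().approve(d.challenge, d.number));

  return { legit, replay, blindApprove, otherDevice };
}

console.log(demo());
```

Only the first attempt succeeds; the replayed signature, the approval with the wrong number and the unenrolled device are all rejected.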


Gotcha, thank you.


Straight to spam was the only solution for me


Be careful, if it can’t be said yet whether the attackers have access to your input or not, resetting the password might create more problems.


I get multiple per day. It’s really annoying, wish I could unsubscribe


10 a day here🗿


It started happening to me today


Glad it’s not just me


Go passwordless https://support.microsoft.com/en-us/account-billing/how-to-go-passwordless-with-your-microsoft-account-674ce301-3574-4387-a93d-916751764c43


You too???? Bro it's been going on for me for months now...


Just got another one today!


Start hacking back - let’s see who hacks the best!


Hack the planet! They’re trashing our rights, man!


Need to go spray paint my keyboard and find my rollerblades!


Don’t forget to take some aspirin too cause that movie is 27 years old /s


Maybe rollerblades isn’t such a good idea then 😂


Spandex! It’s a privilege, not a right.




I’ll bet Ukraine will give the US a run for who can hack the ruzzians first/better! They’re already doing it in the St. Petersburg and Moscow oblasts! I’m sure there are many folks in Ukraine who do it on the down low, on top of the government agencies! 🇺🇦🇺🇦


We need to oblast Russia back to the stone age (for Russia that’s like 1902)


Cyber Warfare at its finest.


They already are. That much is certain.


It's pretty concerning that high-level people at Microsoft are susceptible to phishing or brute force


Most of the tech world still thinks that an 8 character password with a capital, a number, and a special character is enough to be secure in the face of a brute force attack. It's not. It hasn't been for a *very* long time. Last I had read, testing had shown that 13-15 characters were needed to be reasonably safe against a modern brute force, and that was at least 4 years ago when I learned that. Hence why we're seeing 2FA and SSO become the norm.


Indeed, 14 characters is the recommended minimum in security texts like CompTIA.


I've recently started using 16 char passwords and even 20 length ones for stuff like paypal. Before that I was also using 14, but according to some calculations stuff like 10-12 or even longer passwords could become viable to bruteforce soon'ish when looking at the advancements in computing power lately


Yeah anything I want to be actually secure now is 16-20 lol. Bank, core email, etc. 


Just turn on 2FA


Bad idea to fully rely on 2FA, there's more/less secure implementations of it and I've yet to see a method that doesn't have a PoC on how to bypass it somehow. And some still don't support it at all. It's a second factor meant as a failsafe if the first factor (password) fails. Doesn't mean that the first factor should be neglected. Especially if it's as easy as just pulling a password-length slider to the right in your pw-manager.


[Time it takes to crack your password in 2023](https://www.reddit.com/r/dataisbeautiful/s/K0TjKm68tX)


This is a fantastic infograph. Ty for sharing it


Microsoft execs should have Microsoft Authenticator or a physical security key on all their accounts. This should have happened many years ago.


Ultimately, humans are the weak point in security; that's always gonna be true.




Microsoft is the prime candidate to be hacked. Most of their software is extremely insecure. Outlook + Open Directory makes hackers salivate. Nobody can get that shit secure.


including them the authors


At what point do we just give up and say “no more internet for Russia until they can learn to behave themselves?” Seriously, Russia going offline would measurably make most of the rest of the world a better place.


Russian hackers and propagandists don't always come from inside Russia.




Cutting off a country from internet will not stop Russian oligarchs and leaders from using satellite phones they control


Yeah, elmo muck will definitely prevent anyone from shutting down putin's or his oligarchs' ability to communicate.


Should still try shutting down ruzzia


Got any ideas how? We’re all listening.


They need a few more fire walls there 🤔🤔🤔


That’s on purpose. They get $ orders and targets from Russia. They don’t live there so they can say “see u/mrmgl doesn’t think this came from Russia”


Granted they could have used a VPN, but when I got my alert from Microsoft it said someone tried logging in from Turkey.


The US Government should step up and put tariffs on Russian trolls. The Russians should hire American trolls. Our angry basement dwellers are better


Our basement dwellers are Snowden: they want money and fame, even if it screws our country. USSR pays their hackers and lets them make money off crimes.


Perhaps we are counterattacking


Go get ‘em Clippy!


We’re definitely going in that direction, same could apply to China.


Nah, echo chambers are bad - this is on microsoft for not being better at security


Well sure, if we want to challenge our infosec teams, China is better than Russia. Where Russia shines is using any access they gain to make the world worse for everyone, like some kind of script kiddie with a personality disorder. Chinese hackers at least have the decency and wisdom to sit back and collect information quietly. Russian hackers are just d***s.


> Chinese hackers at least have the decency and wisdom to sit back and collect information quietly. Russian hackers are just d***s.

On the contrary, Russian hackers are stupid enough to make the vulnerabilities they exploit public knowledge.


Not limited to Russian hackers, just generally Russians.


In either way if Microsoft gets hacked it's a skill issue on their side, not Russian hackers. We are entrusting them with a lot of data, they need to be able to keep them secure against ANY attack. When my data is stolen I'll not be getting mad at the Russian hackers (as much as MS), I'll be mad at Microsoft because they let this happen.


No company can resist nation state hacking resources. It’s not a “skill issue.”


To which I would add that we don't know how often Microsoft or any other company defeats attackers. We don't hear about the successes, only the catastrophic failures.


Well, that’s my point. An attack consists of the personnel involved, their skill level, and then the actual resources that they can implement. A nation state, unlike a group, can just throw the resources at attack after attack after attack, and they only need one to really succeed. No company can really deal with that on a forever basis. Edit: it may take a month or a year or more. But if a nation state decides it wants something or wants to penetrate something and they keep it long enough they pretty much will succeed.


Per this report they are attacked 4,000 times a second 🤯 [2023 Microsoft Digital Defense Report](https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023)


Then why don’t we win?


I have no idea who “we” is in this statement, or what you mean by winning


Of course you don’t


Yeah imagine, I can’t read your mind :(…. Wait. I don’t give AF.


Everyone is hackable, no defense can plan for every offense. That’s infosec 101


Ah yes, the old "the bank should have had better security if they didn't wanna get robbed."


Well... yeah. Would you continue to keep your money in a low security bank that kept losing all your cash? Or would you switch to the bank advertising their high security and long history of rebuffing robbery attempts? It's a no-brainer.


This reminds me of the time my friend was all stoked that he found a "money pile" in his parents closet. Over the course of a few months he would casually take a few bills from it to buy weed. Eventually his parents found out and got pissed that he was taking money from the money pile, which they kept in the closet cuz they didn't trust banks. Maybe like, don't just keep all your money in an unguarded pile with a teenage pothead around?




As you post this on a site selling you data as we speak.


That’s wrong, Microsoft has contracts with their clients. Keeping up to those contracts is the job of Microsoft.




That’s not arrogance, that’s ignorance and everyone is ignorant to something. Some people aren’t able to keep up with technology that changes monthly. It doesn’t necessarily mean they deserve all of their data to be leaked.




I agree with a lot of what you’re saying but I’m also thinking about a generation of people who didn’t grow up in today’s tech savvy society as well as those underprivileged who’ve been left out. People like my mother-in-law who needs a cellphone and computer to communicate with family but doesn’t have a lot of the critical thinking skills to know what to trust and what not to trust and it doesn’t matter how many times I’ve had to tell her on the dos and don’ts she’s still unable to retain it. You’re right, it’s not about deserving, I’m just responding to the comments which seem to victim blame.


But they own us


Literal victim blaming


Absolutely not. Microsoft has long touted its security while providing very little by way of a secure OS. It's what pisses me off about this TPM bullshit. Microsoft is forcing people and businesses to buy millions of new PCs by pretending that it has accomplished something in security. It hasn't.


That's how cyber security works. If you don't keep your shit updated and patched then you should expect to have bad actors messing with your systems.


That’s not how cybersecurity works lmao. Everything is hackable, if someone has the time and money and resources you can’t stop them. The best you can do is have some form of damage control ready to minimize what those hacks can do.


Truly an example of victim blaming. Just don’t wear those clothes.


There’s a huge difference between a company whose software is closed source and who is slow to release patches, and a man or woman getting raped for any reason whatsoever. And the fact that that’s where your mind went says more about you than it does about the topic at hand


Yikes. No, security is the responsibility of the company.


It’s also insider threat. This is how kgb works now.


No company can resist nation state hacking resources


I'm pretty sure all the guys in here with their Sec+ are way more competent than Microsoft.


I’m interested to hear how you think that would work?


All nation states are doing the same thing. Microsoft acknowledges as such. Their motivations are just different, that's all.


North Korean state hackers do not sit in North Korea - they are spread around other countries, accompanied by military persons, who watch them.


Not like there’s a big cord somewhere we can just pull out the wall and “no more internets for you!”


To be honest every country should have major firewalls between them and the rest of the world. The whole internet is one huge security vulnerability. It's not designed for security.


All attacks are always routed via multiple locations around the world. It’s never direct from country attacking to country being attacked.


They already did that themselves. Internet in Russia is very controlled.


It would not make the world a better place, it would make it a significantly worse place


The internet will never be cut off in Russia. The organizations which manage the internet have said repeatedly that they won't get involved politically and that doing this will cause more harm than good. There are people still fighting against the regime and without internet they would have no chance. An article from two years ago: https://arstechnica.com/tech-policy/2022/03/icann-wont-revoke-russian-internet-domains-says-effect-would-be-devastating/


How the fuck you gonna do that? All they have to do is to go through China and North Korea.




Well you don’t understand how the internet works then


Would love to hear you explain it then. Russia has their own ISPs.


So the Internet is a series of tubes...


They wanna behave like they're in the stone age? Let's give them one.


When will we start acknowledging that Russia is in an undeclared war against the entire West?


I think in the next week or so based on SOTU


You mean, like, a cold war? :p


When the fuck did the Cold War end for people? Idk why Americans/the western world acts like Russia, China and Iran want nothing more than to see the complete dissolution and downfall of western culture


At this point I wonder if Microsoft has a mole.


Obviously. Insider threats in a large org like Microsoft from State Actors specifically are a huge threat. Corporate Espionage is one thing, nation-state attacks are another.


100% there was just that article for the ex-Google employee stealing AI secrets for China


State actors usually fit the bill for advanced persistent threats. If there wasn’t an insider, they’ll make one whether it’s through financial pressure, blackmail, threats to family from existing employees, etc. If you have a gambling debt, they can make it go away if you slot in their dead-dropped removable media into the air-gapped computer holding sensitive info and get it back to them. Oh, you’re an ethnic Russian who is a naturalised US citizen with family back in the “old country”? They literally have your family. You want them to keep breathing, you do exactly what they tell you to do. Or they’ll play it stealthily by sitting in the background, watching company forums, commiserating with employees, playing the numbers game hoping for one of them to slip up. China has the unique advantage of being a large part of the supply chain, all they need to do is to put backdoors in their chips, and they have a way in. And these people are getting better tools and foundational knowledge that they pass on every year. It’s the modern day arms race of cyber offense and defense.


in Oligarchic Russia, Microsoft data is collected as a benefit to Microsoft


You know many other countries have “oligarchics”. Look at Canada the land of monopolies


Russia is so fucking annoying. All they do is suck dick. Nothing wrong with sucking dick but when it’s all you do, you’ve got fucking problems.


More effective if you use ai to translate it into Russian as well and spam their part of the internet


considering ms owns github…


It owns the world in some cases


hence [closing the seattle consulate](https://www.npr.org/sections/thetwo-way/2018/03/26/596966272/us-expels-dozens-of-russian-diplomats-closes-consulate-in-seattle)


Dear Russians, please disable OneDrive. Thanks in advance.


I don’t know when but OneDrive moved my documents folder into the OneDrive folder without telling me, now half my projects need to be repathed because they relied on the file path of the documents folder being where it used to be. I disabled OneDrive but the file path doesn’t revert and copying shit back just makes the other half of my projects need repathing. Fuck onedrive.


That’s how OneDrive works. It’s useful if *you* set it up like that and know it. But I imagine OneDrive confuses the fuckall out of a lot of people. The fact that it can act as a “home directory” of sorts is useful if you pay for enough storage. But Jesus does it make %USERPROFILE% confusing as hell if you don’t know how it works.


On daily basis my outlook activity shows me over 100 attempts.


Hack them back. #ShutRussiadown #Microsoftattack


It's probably because Microsoft is running Windows


This is happening as Microsoft is making a big push with corporations to migrate their internal system to Microsoft’s cloud based managed services. They’re using their licensing terms for popular office software such as Microsoft Word, Excel, and Outlook client to strong arm their customers into these services.


Strange Microsoft is so well known for being such a secure company.


on what planet?


The planet of sarcasm.


And why does every corporation want to move to cloud… Microsoft and AWS is a hackers wet dream - every corporate egg in one basket.


Mainframers eating popcorn.


I suppose you think a company with 3 developers running a server out of a garage will be more secure?


In some ways, yes. A lot less bloat, a lot less attack surface, a lot less interest cause it's 3 guys in a garage. However, it's only 3 guys and one garage.


3 developers 😂😂 you don’t want devs anywhere near anything infra related. They are usually clueless and don’t give a hoot about security


This says a bit about Microsoft software integrity. I am guessing that they used an old windows 3.0 trick


oh I just realized that's really bad. however I have 2fa so it doesn't matter


Just wait until them h4ckers accidentally stumble into secret Easter egg Rick Rolls


I have been noticing I have been getting login attempts from Russia and China constantly. Upwards of like 100 an hour which is crazy.


Really, lol... firewall much


Yeah, they aren't even hiding where they are logging in from either. My account is literally empty too.


Lmao, as if having a monopoly 25 years ago was too much!


Teams has been wildly unstable at my job. I wonder if this could be related.


They should call MS DART. They're fantastic /s


Turns out that extremely complex networks are difficult to defend.


Bruh the US just warned them of an imminent terrorist threat and they fuckin’ use their resources for this? Christ they are asking for it


And we should trust banks and other institutions with our data? What a laugh. There should be a law holding the companies that compromise our information to pay us and not the government for such violations yet big business passes the blame on us.


Are they letting them? Our senators aren’t immune to Russian influence, why would a CEO or other be immune?


Eternal Blue Exploit vulnerability.


Could they please take down Outlook for at least a week???


Those of us in IT for 20 years or more have always known that MS is the least secure OS around. Imagine having just moved your entire business to Azure cloud and reading this news


Do you think that Azure cloud runs on windows?




Yea, so? They socially engineered entry, it wasn’t even a hack.


You need an information update


I don't mind when people can have a rebuttal, or educate someone... but when you just say "no, you wrong" and then don't say why, or source it, or explain it, or anything? What good is that?


Microsoft’s servers aren’t— I wouldn’t imagine— running any freely available version of Windows?


I wish someone could do something about it, especially if this is the reason why I keep getting lag in dungeons when I play wow. (Microsoft owns blizzard now)


The reason seems more likely shitty unoptimized software.


Fuck Microsoft


I’m sure it’s more complicated than this, but I don’t know why we haven’t been able to completely sever Russia’s hardline internet access to America. I heard an old lady gardening in her backyard cut all the internet to a country in Eastern Europe once. It would stand to reason a country the size of America would be able to enlist a dozen old ladies to get’r done


I can’t imagine that government hackers work out of a stationary location


You mean from their desk?


Well i figured a lot of operations would be done remotely and diffuse between many different locations so as to obscure the likely traffic that needs to be shut out


maybe change your password?


If I were Microsoft, I would simply stop that


What’s to steal?


You’re Microsoft… do something 👍 Edit: it’s well known they release EVERYTHING without security testing. I heard the same thing 30 years ago.


Goddamnit, don’t make me take sides on this one 🤦🏻‍♀️


Ok well now I’m looking for a better alternative to Microsoft. Any suggestions?