Helping a friend with a hacked outlook.com mailbox

Last week I received a phone call from a friend of my brother. She was desperately seeking help for her sister, who had fallen victim to a stalker who had hacked her outlook.com mailbox. The villain was vocally bashing the sisters, threatened to pay them a visit and had started ordering luxury items with post-pay services from the mailbox.

By the time this friend called me, she had already reset the password on the mailbox. But that did not keep the hacker from accessing the mailbox. He even rudely replied in a conversation between the sisters and told them not to change the password anymore. In revenge, the hacker deleted all items in the mailbox.

The request for help sounded like a challenge to me. The first action I proposed was to once again change the password and enable multi-factor authentication for the Microsoft Account. That did not throw the hacker out of the mailbox. But by the time we get him out, it will surely be much harder for him to get back in.

Microsoft has a document online that outlines steps to take when a mailbox on outlook.com gets hacked. The following steps in the document proved to be useful:

  1. The link in the document enabled us to restore the mails that the hacker removed from the mailbox.
  2. The link to the rules settings in the mailbox proved that the hacker was more advanced than I had expected. A forwarding rule listed over 30 sender addresses whose mail was forwarded to a Gmail address that belonged to the hacker.
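A hidden forwarding rule like the one found here is the classic way an intruder keeps reading mail after a password reset, so it pays to triage exported rules systematically rather than eyeball them. The script below is an added example, not part of the article: it checks rule records shaped like the Microsoft Graph messageRule resource (displayName, isEnabled, conditions.fromAddresses, actions.forwardTo/redirectTo/delete) for external forwarding, forward-and-delete combinations, blank rule names and rules matching unusually many senders; the sample rules and addresses are constructed.

```python
# Added example (not from the article): triage exported inbox rules for the
# takeover indicators described above. Records use the field names of the
# Microsoft Graph messageRule resource; the sample rules are constructed.

# Constructed sample: one benign rule and one hidden forwarding rule that, like
# the one found in the mailbox, forwards mail from dozens of senders elsewhere.
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@example.org"}}]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"fromAddresses": [
         {"emailAddress": {"address": f"contact{i}@example.net"}} for i in range(32)]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "stalker@gmail.example"}}],
                 "delete": True, "stopProcessingRules": True}},
]

def _addresses(entries):
    return [e["emailAddress"]["address"].lower() for e in entries or []]

def triage_rules(rules, owner_address, trusted_domains=()):
    """Return (rule_name, reason) pairs a responder should review."""
    trusted = {owner_address.split("@")[1].lower(), *(d.lower() for d in trusted_domains)}
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        name = rule.get("displayName") or "<unnamed>"
        actions = rule.get("actions", {})
        # Forward/redirect to a domain the owner does not control is the classic
        # persistence trick: it keeps working after a password reset.
        for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
            for addr in _addresses(actions.get(key)):
                if addr.split("@")[1] not in trusted:
                    findings.append((name, f"{key} to external address {addr}"))
        # Forwarding plus delete hides the copied mail from the owner.
        if (actions.get("delete") or actions.get("permanentDelete")) and any(
                actions.get(k) for k in ("forwardTo", "redirectTo")):
            findings.append((name, "forwards and then deletes the message"))
        if not name.strip(".- "):  # blank or punctuation-only names are a red flag
            findings.append((name, "blank or placeholder rule name"))
        senders = len(_addresses(rule.get("conditions", {}).get("fromAddresses")))
        if senders >= 20:
            findings.append((name, f"matches {senders} sender addresses"))
    return findings

if __name__ == "__main__":
    for rule_name, reason in triage_rules(SAMPLE_RULES, "victim@outlook.com"):
        print(f"REVIEW rule {rule_name!r}: {reason}")
```

Pass any domains the owner legitimately forwards to (a work address, for instance) in trusted_domains so they are not reported.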


The other tips, to check the connected accounts and the automatic replies, turned up nothing: neither had been altered in the mailbox.

This is where the support documentation fell short. First of all, the document did not say that it is a good idea to enable multi-factor or passwordless authentication.

Next, I disabled the legacy protocols, SMTP and POP, for the mailbox. Most users no longer use these to access their mail. They also provide a way to evade multi-factor authentication, as both POP and SMTP do not support modern authentication.


The hacker is still in the mailbox. What now?

The biggest issue at this moment was that the hacker still had access to the mailbox.

This is where I started to check out security settings for the Microsoft account with the mailbox in account.microsoft.com. From here, choose Security and open the Security dashboard.

In the section Advanced security options I noticed that at least one App password had been created. This is a really convenient backdoor to evade multi-factor authentication and keep access even after the owner of the account has reset the password.

I clicked Remove existing app passwords.


The last step to definitively kick the hacker out was clicking Sign me out on the same Advanced security page. This will end all current sessions from browsers, apps and other locations within 24 hours.


We used the information from the forwarding rule and the logon history to report the case to the police. Unfortunately, we did not find the suspect's IP address in the list of recent logon activities. The police may get more information from the store where the items were ordered.

The mail address we found in the forwarding rule was already known to the police from a previous case, in which the victim got so desperate that they were already negotiating a ransom in order to end the stalking. That shows how deeply these actions can penetrate people's lives.

I was happy that I could help to get the hacker out, and hopefully this write-up will help someone else get a hacker out someday.

Monikaben Lala

Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October

1 year

Raymond, thanks for sharing!

Raymond, thanks for sharing and showing how security can impact our lives in bad and good ways. Thanks for helping the good prevail.

Ankur Bagga

UAE Golden Visa Holder | MS Entra ID Architect (formerly Azure AD) at Siemens AG

3 years

My 2 cents - Create alias for login instead of using actual email address.

Great article.

Siebren Kerkstra

Managing Consultant at Scientia ICT Solutions B.V.

3 years

Good article, Raymond.
