When does Windows 8 cause account.live.com account activity?


Someone recently sent emails from a third-party email address (spoofed to look like me) to a number of contacts of mine.

The only place that contact list the email drew from could have come from was from my outlook.com contacts, so I suspect my outlook.com account has been accessed in some way.

It's important to know how the hacker got access to my contacts. If it was a cookie/XSS attack, then just changing my password, etc. (which I've already done) will take care of it. If it is malware, I may need to re-install my PC if anti-malware software can't find and fix it. It ~feels~ like a cookie/XSS attack since my outlook.com account password was not changed and the emails weren't sent from my account, which would have caused them to pass more spam filters.

I looked at my recent account activity at:

https://account.live.com/activity

and I saw a number of logins over the past month from my home IP address with these details:

Device/platform: Windows
Browser/app: Internet Explorer

I don't use Internet Explorer, and one of the logins was at 3 am, which is unlikely to have been when I was accessing my PC. I do have my Windows 8 password sync'd to my live.com account, which might explain these random logins.

Can this account activity be explained by Windows 8 waking up in the middle of the night, or is it a definite sign of malware if I wasn't at my keyboard when the event happened? Does Windows 8 login show up as Internet Explorer in the account.live.com/activity page or is it definitely Internet Explorer that logged into my account?

David Gladfelter

Posted 2014-03-17T15:52:43.923

Reputation: 111

If you have no activity outside of your local region, it's more likely some default Windows 8 Windows Store application is to blame, because I have been unable to replicate the behavior you describe using my virtual machine; only when I use IE does the recent activity get updated. – Ramhound – 2014-03-17T16:09:28.317

Thanks, I'll look into uninstalling everything I can from the Windows Store if I can't find malware. – David Gladfelter – 2014-03-17T16:13:21.443

I couldn't find any malware via Windows Defender and by searching event logs, running processes, etc. The event logs did have some correlations with the login events. One was tied to a Windows Error Reporting event, and many were tied to profile synchronization. I detached my Windows login from my live.com account, so in the future the recent activity page should be usable for account hacking detection. – David Gladfelter – 2014-03-18T18:42:41.747

No answers