MS account, IMAP automatic sync with unsuccessful sync

kmax86 · 17 Nov 2019 at 12:33

Hi

Was doing some security checks and noticed that my MS account is getting quite a few unsuccessful syncs via IMAP sync from Asia.

MS says "Don’t worry. This sign-in attempt was unsuccessful, so there is no need to change your password". Googled around but Im getting mixed answers from it is all good to Im screwed.

My question is, is this an attacker attempting to sync using only the email address? I have 2FA enabled but and Im not getting prompts for the code.

Or is it too late and the email has been compromised ?

the-evaluator · 17 Nov 2019 at 13:02

An MFA OTP will only be sent once a successful password authentication has happened so if you’re not getting an OTP sent through you’re fine.

I’d say there’s nothing to worry about but if you’re worried then change your password anyway and use a unique password. Also, if you’re not using IMAP yourself then consider disabling it on your account. Ditto for POP3.

kmax86 · 17 Nov 2019 at 13:18

Thanks, I looked around it seems only POP can only be disabled for outlook web and its already disabled.

No options for IMAP it seems.

Also looked further and see nothing suspicious like connected devices and auto mail forward.

Passwords already been changes so I guess just have to be vigilant and keep monitoring.

Django x2 · 18 Nov 2019 at 12:11

Is this a normal MS account or Work?

IMAP and POP fall under the same conditional access policies for MFA and MS disable pop and IMAP on their Outlook systems by default, so you really don't need to worry.

kmax86 · 18 Nov 2019 at 21:02

Normal web outlook non business.

Looks like IMAP is enabled based on the settings i see on outlook web

Jono8 · 1 Mar 2020 at 15:19

kmax86 said:
Hi

Was doing some security checks and noticed that my MS account is getting quite a few unsuccessful syncs via IMAP sync from Asia.

MS says "Don’t worry. This sign-in attempt was unsuccessful, so there is no need to change your password". Googled around but Im getting mixed answers from it is all good to Im screwed.

My question is, is this an attacker attempting to sync using only the email address? I have 2FA enabled but and Im not getting prompts for the code.

Or is it too late and the email has been compromised ?

Have you noticed that this stopped eventually ( sorry for thread necro, i just googled this and it came up)?

I have noticed that this is happening to mine every few days from a different region of the world (china, thailand, russia , trinidad...) someone is trying to IMAP sync to one of my outlook accounts.

I use a unique password (which was changed fairly recently) for my email and two factor authentication so i doubt they can get through but it is a bit unnerving.

I don't suppose there is anything i can do though? Presumably they got my email and some sort of old password from some account i had on some website years ago from some data breach.

What is odd though, is that why do they keep trying?

kmax86 · 1 Mar 2020 at 18:19

Hi, I managed to make the IMAP sync attempts stop by changing my sign-in alias.
After changing it, the sync attempts have stopped according to the sign-in activity.

The bots are prbbly brute forcing the email with random passwords is my guess.

Shinzra · 13 Apr 2020 at 11:29

Hello, apologies for also commenting on the post. I have also noticed a similar unsuccessful sign in attempt from countries abroad. What exactly does the Alias do, and how does the account change if you change the alias?

kmax86 · 13 Apr 2020 at 15:39

Shinzra said:
Hello, apologies for also commenting on the post. I have also noticed a similar unsuccessful sign in attempt from countries abroad. What exactly does the Alias do, and how does the account change if you change the alias?

https://support.office.com/en-gb/ar...look-com-459b1989-356d-40fa-a689-8f285b13f1f2

alias is just what the name suggests. 1 email account can have multiple aliases and they share the inbox and such. The link above explains it in detail.

When you have aliases you can pick which aliases are allowed to be used as a login

Minxy · 16 Jul 2020 at 21:54

Apologies for commenting on an old post but I’ve had an unsuccessful IMAP sync from Vietnam. I’ve changed my password and I already had 2FA switched on. Do I need to be worried that someone has got into the account and is there anything more I can do to secure it please?

the-evaluator · 17 Jul 2020 at 07:08

I wouldn't worry. If it was unsuccessful and you have MFA enabled then you're fine.

If you're not actually using IMAP then it's worth disabling it.

Minxy · 17 Jul 2020 at 13:06

the-evaluator said:
I wouldn't worry. If it was unsuccessful and you have MFA enabled then you're fine.

If you're not actually using IMAP then it's worth disabling it.

Thank you. I did look for that but I couldn’t see a way of doing it. You can disable POP which appears to already be done.

the-evaluator · 17 Jul 2020 at 13:21

It seems you can't disable IMAP. How odd!

kmax86 · 17 Jul 2020 at 14:03

Iirc only outlook for business or enterprise can disable IMAP sadly