Mark approached me with a concerning request: he had observed multiple unsuccessful login attempts on his Microsoft email account. These attacks came from unlikely locations.
He wondered if I could offer any assistance in stopping these attacks. He was concerned that given enough attempts, the attacks might eventually become successful. Further attacks could lead to potential compromise of his email account.
Since Mark’s screenshots also included the IP addresses of the unsuccessful login attempts, we leveraged our Watchdog service to issue “TakeDown notices” and alert the network administrators of the malicious activity emanating from their networks.
With a bit of luck, most network security administrators will act on these abuse alerts. An alert will trigger an investigation and eventually lead to remediation of the attacks on their end.
Most attacks come from compromised servers, free-to-use servers, or both. The abuse emails (takedown notices) that we send are indicators of potential compromise. In most cases, the security admins understand the implications and will act accordingly. Remediation will put a stop to further login attempts. This is the typical course of action taken.
And on a happy note, Mark gave me great feedback:
“Just to let you know that my Microsoft account is not getting attacked anymore. Last one was on March 26. I think that’s about the time you reported it.”