Advice Request Outlook and multiple login attempts.


nickstar1
Thread author
Dec 10, 2022
Recently, I have been receiving multiple suspicious login attempts on my Microsoft Outlook account. It appears that someone or some type of bot has been trying to brute-force my password, which repeatedly caused my account to become temporarily locked. Fortunately, they were never able to gain access because Microsoft’s security protections automatically blocked the attempts.

To improve security, I was advised to change my account alias so the attacker would no longer know the correct login information. After changing the alias, the failed login attempts stopped and my account is no longer being locked, which suggests it helped disrupt the attacker’s script or automated attempts.

This issue only started happening recently, and although no unauthorized access has occurred, the repeated attempts are concerning. One thing I noticed, however, is that I am still able to log in using both my old and new email aliases, which makes me unsure whether the old login information is still active or fully disabled. The account locks have stopped, fortunately, so that's positive.
What you are seeing is consistent with a common Microsoft account attack pattern: attackers keep trying known email addresses, and changing the sign-in alias can reduce the noise if the old address is no longer usable for sign-in.

What likely happened

If the lockouts stopped after the alias change, that usually means the attacker was targeting the old sign-in name specifically.

However, if you can still sign in with both the old and new aliases, then the old alias may still be enabled as a sign-in alias. In that case, it is not fully “hidden” from authentication, even if the visible primary alias changed.

What matters most

Changing the primary alias alone is not always enough.

For a Microsoft account, the safer setup is usually:

  • Create a new alias
  • Set it as the primary alias
  • Disable sign-in for the old alias, or remove it if you no longer need it

If the old alias is still allowed for login, then an attacker who knows it can still keep trying passwords against it.

What to check in your Microsoft account

Go to your Microsoft account alias settings and review which aliases are allowed for sign-in.

You want to confirm one of these states:

  • The old alias is removed completely, or
  • The old alias still exists for mail delivery but sign-in is disabled for it

If Microsoft still accepts the old alias at login, then it is probably still active for authentication.

Other important protections

Even if no one got in, I would still recommend the standard hardening steps:

  • Use a strong, unique password that is not reused anywhere else
  • Make sure two-step verification is enabled
  • Prefer an authenticator app or security key over SMS if possible
  • Review recent sign-in activity in your Microsoft account security page
  • Check recovery email addresses and phone numbers to make sure they were not changed
  • Generate and store backup recovery codes if available

A practical note about “brute force”

In many cases, these are not true targeted brute-force attacks against only one person. Often they are automated credential-stuffing or password-spraying attempts using leaked email addresses from old breaches. That does not make it harmless, but it does mean the attacker may simply be testing a known address at scale.

If the old alias still works

Then I would not assume the problem is fully solved yet. The next step would be to disable sign-in for that old alias if you still need to keep it, or remove it if you do not.

Conclusion

The fact that the lockouts stopped is a good sign, but if both aliases still work for login, the old one is probably still active in some form. The safest approach is to verify your alias sign-in settings, disable login on the old alias if possible, and keep MFA enabled.
Yeah, I wonder how adding another alias could have helped you as well, since your old alias (presumably your email address) is still active. On my Microsoft account, which doesn't have an Outlook address, I can add a new alias and completely delete the old one, preventing logins with the old alias altogether.

In your case, I would have guessed the attackers just stopped trying for whatever reason, but these big services' rate-limiting and anti-brute-force measures (especially Google and Microsoft, which must be getting constant attacks) are a bit opaque, leaving many possible explanations.
I’ve disabled login with my old email and now use my new one as the primary. I unchecked the old address completely and tested signing in with it, but it didn’t work. That means it won’t work for the hacker either, and the script they used to launch attacks is now broken.
Yes, that is the important part.

If the old alias has been removed or sign-in with it is disabled, and your own test confirms it no longer works, then an attacker using that old address should no longer be able to authenticate against your Microsoft account with it.

What this means in practice

  • Their old automated login attempts against that address should fail at the username stage
  • That usually stops the account lockout cycle tied to that known alias
  • It also reduces the value of the old email address as a sign-in target for your account

So in that sense, yes, the attack method they were using against the old login name is effectively disrupted.

Important limitation

This does not mean the account is now impossible to target.

It only means the attacker can no longer use the old alias to try signing in. If they somehow learn the new sign-in alias, they could start trying again. That is why the alias change helps mainly by removing a known login identifier.

What still matters

Keep the rest of the account protection strong:

  • Use a unique password
  • Keep two-step verification enabled
  • Prefer an authenticator app or security key if possible
  • Review recent sign-in activity from time to time
  • Keep recovery options current and secure

Conclusion

Based on what you described, the old login route is closed, and the specific script or automated attack that depended on that old alias should no longer work against your account. That is a meaningful security improvement.
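To make the two replies above concrete, here is an added example (written for this thread; it is not Microsoft code and does not reproduce Microsoft's real lockout policy). It covers the first reply's point that what looks like a brute force is often one source spraying a password across many names, and the second reply's point that once sign-in is disabled on the old alias, attempts against it fail at the username stage and no longer feed the lockout counter. The log format, the result codes (bad_password, unknown_user, ok) and the thresholds are assumptions, and the log lines are constructed, not captured traffic.

```python
"""Classify failed sign-in activity and simulate an alias lockout cycle.

Added example for this thread, not Microsoft code. Assumptions: a constructed
log in the format "<ISO timestamp> <sign-in name> <source IP> <result>", the
result codes bad_password / unknown_user / ok, and the thresholds below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed observation window
LOCKOUT_THRESHOLD = 5            # assumed: 5 bad passwords in WINDOW -> one lockout
SPRAY_MIN_ACCOUNTS = 5           # assumed: one source, >= 5 names in WINDOW -> spray

# Constructed sample (not real traffic). Day 1: one source hammers the old
# alias (brute force) and another tries one password across many names (spray).
# Day 2: sign-in on the old alias has been disabled, so the same source now
# fails at the username stage (unknown_user) and never reaches the password check.
SAMPLE_LOG = """\
2024-05-01T10:00:00 old.alias@outlook.example 203.0.113.5 bad_password
2024-05-01T10:00:02 old.alias@outlook.example 203.0.113.5 bad_password
2024-05-01T10:00:04 old.alias@outlook.example 203.0.113.5 bad_password
2024-05-01T10:00:06 old.alias@outlook.example 203.0.113.5 bad_password
2024-05-01T10:00:08 old.alias@outlook.example 203.0.113.5 bad_password
2024-05-01T11:00:00 alice@outlook.example 198.51.100.7 bad_password
2024-05-01T11:00:01 bob@outlook.example 198.51.100.7 bad_password
2024-05-01T11:00:02 carol@outlook.example 198.51.100.7 bad_password
2024-05-01T11:00:03 dave@outlook.example 198.51.100.7 bad_password
2024-05-01T11:00:04 old.alias@outlook.example 198.51.100.7 bad_password
2024-05-01T12:00:00 new.alias@outlook.example 192.0.2.9 ok
2024-05-02T09:00:00 old.alias@outlook.example 203.0.113.5 unknown_user
2024-05-02T09:00:02 old.alias@outlook.example 203.0.113.5 unknown_user
2024-05-02T09:00:04 old.alias@outlook.example 203.0.113.5 unknown_user
2024-05-02T09:00:06 old.alias@outlook.example 203.0.113.5 unknown_user
2024-05-02T09:00:08 old.alias@outlook.example 203.0.113.5 unknown_user
2024-05-02T09:00:10 old.alias@outlook.example 203.0.113.5 unknown_user
"""


def parse_log(text):
    """Parse the assumed log format into chronologically ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user.lower(),
                       "src": src, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def classify_sources(events):
    """Label each source IP by the shape of its failed sign-ins inside WINDOW.

    Many names from one source -> password_spray; many failures against one
    name -> brute_force; anything below the thresholds -> low_volume.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["result"] in ("bad_password", "unknown_user"):
            by_src[e["src"]].append(e)
    labels = {}
    for src, evs in by_src.items():
        label = "low_volume"
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]
            names = {e["user"] for e in window}
            if len(names) >= SPRAY_MIN_ACCOUNTS:
                label = "password_spray"
                break
            if len(window) >= LOCKOUT_THRESHOLD and len(names) == 1:
                label = "brute_force"
        labels[src] = label
    return labels


def simulate_lockouts(events):
    """Count lockouts per sign-in name under the assumed policy.

    Only bad_password results count: an unknown_user result means the name
    did not resolve to an account, so the password was never checked.
    """
    lockouts = defaultdict(int)
    recent = defaultdict(list)
    for e in events:
        if e["result"] != "bad_password":
            continue
        u = e["user"]
        recent[u] = [t for t in recent[u] if e["ts"] - t <= WINDOW]
        recent[u].append(e["ts"])
        if len(recent[u]) >= LOCKOUT_THRESHOLD:
            lockouts[u] += 1
            recent[u] = []          # account locked; counter restarts afterwards
    return dict(lockouts)


def failed_at_username_stage(events):
    """Per-name count of attempts rejected before the password check."""
    hits = defaultdict(int)
    for e in events:
        if e["result"] == "unknown_user":
            hits[e["user"]] += 1
    return dict(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("source labels:", classify_sources(evs))
    print("lockouts:", simulate_lockouts(evs))
    print("stopped at username stage:", failed_at_username_stage(evs))
```

Run against the constructed log, the day-1 source hammering one name is labelled brute_force and the second source password_spray, the old alias is locked out once on day 1, and all six day-2 attempts against the retired alias are counted as unknown_user with no lockout, which is the behaviour the OP's own sign-in test confirmed. Real providers do not publish their thresholds, so treat the numbers here as placeholders for your own log source.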
You have the option to disable logins with the old alias and only allow logins with the new one, preventing the attacker from accessing your account since they don’t know your new email alias.
 
I had the same problem earlier this week; it was just a login prompt to my phone once. I changed all major passwords and just scanned the computer > clean install, and wiped the phone too. Nothing suspicious after that one login attempt.

There have been the same kind of issues on Reddit about this case.
For the record, I’ve always known my account was exposed, but the attackers didn’t have my password or 2FA codes. It seems they’re stepping up their game with bot attacks against leaked account info. I use this email to collect phishing attempts, but apparently they realized I was reporting and blacklisting them, which probably annoyed them. No worries though, we have tools to protect ourselves from these kinds of attacks. They failed miserably in their attempt to access my account, but they tried so hard that they ended up locking it, preventing me from logging in to make changes to stop the attacks. I used one of my recovery codes to log in and adjust the setting that was disrupting the attacks. I’m mainly sharing this so others might find it helpful in stopping similar issues.
 
As above, it seems you are not alone here lately; my wife and sister-in-law have had similar issues.
Definitely have them change the alias and set up 2FA and any and all protections available to them. These scripts will not stop until they obtain your password combination. They will do whatever it takes, even if it takes years, because they can access everything with your email login and password.
 
A publicly unknown exploit/vulnerability for Outlook or an undisclosed breach has happened. Too many posts/threads about this issue to discount it.

Years ago there was this guy selling access to any Hotmail/Outlook account for $20 on a hacking forum. The same thing could be happening.

Most likely an unknown breach, given the brute-forcing/credential-stuffing attempts and notifications.
I have another scenario that I think could be possible. The person who now has my old phone number appears to live in the U.S. and uses T-Mobile as their carrier. I traced the number, and something about the situation doesn’t sit right with me. They won’t be able to access any of my accounts because I secure them with strong protections. However, I’ve started wondering whether the person who received my old number could be involved in cybercrime and may not realize that I’ve been involved in cybersecurity and security research since I was 13 years old back in 2007.

The reason I suspect this is because when I logged into one of my old accounts, a notification was sent to their phone number. Shortly after that, my account started getting locked repeatedly, which feels like a strange coincidence. Maybe if I run more tests to confirm they attempted to gain unauthorized access to my accounts, I could report them to the authorities, especially since they are in the US and that’s a big no-no here. Especially if they have inappropriate cyber tools to launch attacks that could be proven in court with a warrant.