Question Outlook suspicious login attempt on never used email address

Moonhorse

So just 30 minutes ago, while sleeping, my phone alerted me of a suspicious login on outlook.com. I blocked the attempt and instantly changed my password with a Bitwarden random password.
Also I ran KVRT on the desktop. All my devices (Chromebook, phone, desktop) were reinstalled like a week ago and have nothing installed on them.

I have never used this email anywhere, only for Outlook.

I went to Outlook settings and there was no data about the login attempt in the place where you usually see login attempts...

My question is that Edge on Android doesn't clear cookies and I have to do that manually, and on outlook.com it showed me all those sites visited etc. Is it possible that I got "hijacked" through cookies?

I have been on MalwareTips for ages, but I'm a casual user when it comes to cyber security. Apologies, but I'm in a little panic.
 
It is possible for a stolen session cookie to be abused, but based on what you described, that is not something you can confirm safely from this alone.

A suspicious login alert does not automatically mean malware or cookie theft. In many cases, it is simply:

  • Someone trying an old/reused address and guessing passwords
  • Credential stuffing from another unrelated breach
  • An automated login attempt that Microsoft blocked before a full sign-in happened
  • A false-positive or unusual-sign-in alert caused by location/IP reputation

The fact that:

  • You changed the password immediately
  • You blocked the attempt
  • Your devices were recently reinstalled
  • You do not see a successful sign-in in account activity

is more reassuring than alarming.

About cookie hijacking

In general, cookie/session theft is usually relevant when:

  • A device is already compromised by malware
  • A malicious extension/app can access browser session data
  • You were tricked into logging into a fake page

Just not clearing cookies often is not by itself evidence of hijacking. Cookies staying in Edge on Android does not mean they were stolen. A session can only be abused if something actually extracted that session token from the device.

Also, if the attacker only tried to log in with your password from elsewhere, that points more toward a password attack than cookie theft. A stolen valid Outlook session often behaves differently, and Microsoft account security logs do not always show blocked/partial events in the way users expect.

What to do now

Do the low-risk checks first:

  1. Keep the new Bitwarden-generated password.
  2. Make sure 2FA/MFA is enabled on the Microsoft account.
  3. Check the Microsoft account recent activity page again from a trusted device.
  4. Check security info and make sure no unknown recovery email, phone number, or device was added.
  5. Check whether any app passwords, forwarding rules, or connected apps exist that you do not recognize.
  6. Sign out of all sessions/devices from the Microsoft account security settings if that option is available.

Device-side checks

Since you are worried about compromise, use standard checks rather than guessing:

  • Run a full scan with Microsoft Defender on Windows, not only KVRT.
  • Make sure Android apps are only from Play Store and review installed apps for anything unfamiliar.
  • Review browser extensions/add-ons on every device. Extensions are a more realistic risk than ordinary cookies.
  • Update Windows, Android, Edge, and ChromeOS fully.

Important perspective

If this email address was only used for Outlook, that lowers some common exposure paths, but it does not eliminate them. Email addresses can still be guessed, leaked indirectly, or targeted randomly. So the alert alone does not prove your devices were breached.

Best conclusion

Right now, the safest interpretation is: treat it as a blocked account login attempt unless you find evidence of a successful sign-in, unknown account changes, or suspicious apps/extensions.

If you want stronger reassurance, the next sensible step is to review Microsoft account security settings carefully, enable MFA if not already enabled, and run full scans on the desktop with Defender in addition to KVRT.
 
So just 30 minutes ago while sleeping my phone alerted me of suspicious login on outlook.com.
You should elaborate the details of the alerts you got.

For example, Microsoft allows you to sign into your account via approval in the Microsoft Authenticator app. Someone who only knows your email or login aliases can trigger a prompt in the Authenticator app for you to approve. Just knowing your email or login aliases would let an attacker do this.

You can check your sign-in activity at: https[:]//account.live.com/Activity . Unsuccessful attempts are also logged.

If your session cookies were stolen (which implies malware on your machine), an attacker could read your email with the right setup without triggering any notifications on your phone.
 
Credential stuffing attack is my bet. Or a targeted attack using breached email/username/password. Probably spray and pray attacks.

Have you signed up for any services, financial or whatnot, with this Outlook email?

It's like a 5+ year old email address. I haven't used it anywhere else than syncing Microsoft Windows + Edge + Microsoft Launcher. I have burner emails for other stuff.

Is your actual name used in the email, such as firstname.lastname@outlook.com? If so, I believe someone who knows your name is attempting to hack your email. If the login attempt failed, don't worry; if you have a strong password and 2FA enabled, login attacks occur frequently but rarely succeed.

It's not my actual name used in the email, it's a long word with "dialect?". The password is done with Bitwarden now, a long / hard one, and 2FA is enabled everywhere.

When I try to log in to my email myself, the first thing it does is let me only click to send a code to my phone, which gives me an alert like the one I got in the middle of the night and denied (it said I'm trying to log in from the USA).

As you said, someone who just knows my email / login can, it seems, trigger the alert, and this was the case indeed.

When I go to check sign-in activity I don't see the attempt from the USA, even though it should show up as denied.

@Moonhorse I didn't "Like" your post for what you're going through, but for what you had done and the questions asked, and in this case, it was also a good idea to get Bot's advice as well.

No worries :)

Edit 1: also my email doesn't pop up on any data breach page.
 
When I go to check sign-in activity I don't see the attempt from the USA, even though it should show up as denied.
Microsoft sometimes changes how they show login attempts. It can be inferred in your case that they don't show the failed sign-in approval request. I tried mine using the wrong password — they didn't even show that.

We are not alone; apparently Microsoft may have changed how they show those attempts recently: