Technical Analysis by the Malware Hunter JAMESWT
I discover from Microsoft that I have a recognized account, but one that does not exist
I received an email from Microsoft on Gmail, explaining that the password for the Microsoft account name firstname.lastname@example.org (which corresponds to my address on Gmail) has been changed.
However, I don’t have that account name. This, in fact, is just the recovery email address of 2 other Microsoft “@outlook.com” accounts. Intrigued, I try to log in with email@example.com. The username is accepted and the password must be entered.
Not having it, I request a “password recovery”, but I am informed that the username does not exist.
How is that possible if it has just been accepted? Suspicious, I decide to investigate the matter.
By carrying out some tests, I found that by creating my account again, other phone numbers appear associated with it. What is happening?
First, I check the aliases linked to the Microsoft account firstname.lastname@example.org. Here I find my phone number, the 2 Microsoft “@outlook.com” accounts and a number I don’t know: +63 9283791071. I change the recovery emails, remove the existing ones and then create a new account with the name “Indicted”, since it does not exist. Here too comes a surprise: Microsoft warns me that it is possible email@example.com is already being used by another account.
I continue anyway and create it, entering my personal data and password. After completing the process successfully, I try a new test: I ask what usernames (aliases) are associated with my new account. The answer is disconcerting. There is the phone number I entered, but also +63 9283791071.
Moreover, using this number, you can reset the password.
Microsoft unveils the mystery, but only in part
How is this possible? Microsoft has justified the anomaly with some considerations. First of all, there is the fact that the firstname.lastname@example.org email account was probably created in the past, but the owner may not have used it for too long and the system has formally closed it. This, however, has not been canceled. Hence the message that it “may already be in use”. Additionally, Outlook can use a third-party email or domain such as Gmail to recreate the account. However, the question of the telephone number +63 9283791071 remains unresolved. Moreover, this alias appears only to the user and not to the help desk. By the way, they advised me to ask to delete the profile marked with that number. How is it possible that an alias and/or an @gmail recovery email can become a Microsoft account without a confirmation code arriving at the email used to continue? Perhaps in the past it was not necessary? I think the ensuing problems are evident. Is there some bug related to aliases/accounts created with usernames/emails other than outlook.com or hotmail?
The chat with Microsoft Support