SOLVED

OTP

Occasional Contributor

Hi:smile:

 

I just wanted to share this thing. I mean we all are aware that passwords are lame. It can be easily just hacked by a malicious individual. Then came the one time pin. We felt secure by this. Either by our recovery email or on our registered mobile number. Then we get comfortable doing almost everything of our transactions online. Relative to using Microsoft 365 as provided by our office org. in which we are really handling confidential information. I already reported this to  I.T.  team or our org. They replied by saying ,"Did you try it?" I was thinking were they(local I.T team) also curious about this but nah, I don't think  my org will allow such curiosity to play along when our work handle confidential information, video recordings  and meetings. It happened several times. Just a while ago, I received this.298597394_810365323473258_883708777290449735_n.jpg298461620_575572260782652_6712077118798401757_n.jpg You can tell the difference. Both works, but what I've noticed from the second picture as I've open my email it route me to "my account is at risk" so I immediately signed out. I'm gonna changed my password. I'm thinking of this. I don't know but I just wanted to share this.

 

Lovelots guys,

Pauline

4 Replies

@Pau15 

I assume, your accountis at risk. the second screenshot is very strange. Looks like a pishing attack.

You should inform your security master of desaster and ask, what is happened.
Azure currently is moving forward, fast, with authentication, OTP is legacy. passwordless will the next level. You can use passwordless with WHfB, with FIDO, with SmartCard, and with MS Authenticator App password-less signin. All three must be configured by your admin team.

 

I informed them already. If this is phishing then this is real time phishing. They know how to attack at the exact time when an individual will open the account on a certain device. I received a form of phishing via email, that one was very obvious. Reading the content and checking on the details of the link from which the email came from, I immediately report it the concerned institution. With this one I was tricked perhaps coz of my busy day to day routine in my job.
thanks by the way for the reply. I will study about your suggestion for me to better understand.
best response confirmed by Pau15 (Occasional Contributor)
Solution

@Pau15 

 

I'm not the specialist for hackers. But
Microsoft has send the code via SMS. SMS can be hacked by intersection of the communication, e.g. using "false base station" or Hacking of the ‘Personal Account’ of the subscriber on the site or application of the cellular operator and forwarding all messages to the attacker`s address.
One of this could be happend.
 
If you receive the Microsoft code, the attacker send a second one, asking you to verify your login. I don't know how the hacker then can lead you to a fake site (maybe proxy, what ever?). Then the attacker has your password.
You have used the signin-page of microsoft, and you see, your account is at risk. It looks that Microsoft cloud application security has detected a second login for your account, which looks strange, because it is from another location, or it is from a non registered device.

This shows, we all have to move to passwordless authentication, because it is phishing resistant.

 

Harald

 

@Harald_Wallus  I'm not an expert either about how hackers do things in attacking individual accounts, but I know and understand some stuff and continuously learning about it as far as I can understand and do a lot of research. For sure Local IT Support team knows as to how many log in attempts, web pages opened and so on and so forth. A lot of information that their end user do can be monitored but what they can't as to a certain limitation of controlling a system like this (online/cyber threats occur at any time at any day) These confidential information can be used and sold maliciously. So what can they do about this? just thinking bout it for Im sure they wont just give one account to an individual who is naive or ignorant in using it so to speak.