
Attempted access by Ministry of Defence IPs

decomplexity
Rising Star
Posts: 493
Thanks: 26
Registered: ‎30-07-2007


I have several Microsoft outlook.com accounts used mainly for sharing contacts between PCs and mobile devices.

Yesterday 18th November, I had a series of ‘unusual activity’ alerts from Microsoft referring to some of these accounts. Desktop Outlook was also being blocked from accessing each account – it repeatedly asked for the password. Connecting to the accounts via a browser (and MSFT’s additional verification via an SMS code) showed that the ‘unusual activity’ was from a couple of Ministry of Defence 25.xxx.xxx.xxx IP addresses. After changing passwords, and then deleting and re-adding the outlook.com accounts to Outlook, things were back to normal.

But when Outlook was rejecting logins, it was acting as if it were using an MOD client address rather than mine (I have a static IP), and the MSFT account activity log confirmed this.

Stranger and stranger.

I checked my (up to date) Netgear router (no – it does not have the default password!) to see if there had been any visible hacking activity to add an additional WAN address. Nope.

I then ran a Kaspersky full (including rootkit) scan to see if anything nasty had been downloaded. Nothing. And I did likewise on my other PCs with the same problem.

Since the MOD and I are unconnected and they have no obvious reason to be monitoring me, I am left with two conclusions: either someone using MOD kit is having a go at me for no apparent reason, or some legitimate program (an Outlook add-in?) has decided to use an MOD address.

But what is even odder is, if (if…) the originator is at my end (PCs, router,…), why PN’s gateway routers didn’t simply reject packets from IP ranges outside their own.

Any ideas or similar occurrences?

Zen from May 17. PN Business account from 2004 - 2017
4 REPLIES
Community Veteran
Posts: 5,228
Thanks: 494
Fixes: 22
Registered: ‎10-06-2010

Re: Attempted access by Ministry of Defence IPs

Are you using any type of VPN software?

The 25.*.*.* range of IP addresses is assigned to the MoD, but apparently it's not reachable from the Internet, so some software uses 25.*.*.* IP addresses in the same way as 192.168.*.* or 10.*.*.* IP addresses are used in LANs.

bluewhale
Rising Star
Posts: 885
Thanks: 15
Registered: ‎30-07-2007

Re: Attempted access by Ministry of Defence IPs

I'm also getting this issue.

decomplexity
Rising Star
Posts: 493
Thanks: 26
Registered: ‎30-07-2007

Re: Attempted access by Ministry of Defence IPs

Although MSFT has made no announcement, it appears that there has been an outage of some kind - especially in the UK - on 18th and 19th November, judging by the number of posts on various "it's down" forum sites (e.g. downdetector.com). Further, the outage appears to have impacted access to outlook.com from PC clients such as Outlook as opposed to browser access. This is quite feasible because, if you think about it, the access mechanism and protocols from the two are entirely different.

My pure guess is that the 25.x.x.x accesses (which trigger a MSFT verification check) were caused by MSFT itself or some other 'supplier' en route (PN?) using this address range internally, and because of whatever happened it wasn't being translated to the correct client IP (vide the typical domestic hub 'NAT gateway' function). A MSFT edge router failure perhaps?

Zen from May 17. PN Business account from 2004 - 2017
matthews
Rising Star
Posts: 141
Thanks: 6
Fixes: 1
Registered: ‎13-08-2014

Re: Attempted access by Ministry of Defence IPs

Not that it should be routable, but the 25.x.x.x range has been commandeered by Hamachi for a while (which I think is the VPN software that @ejs refers to). I can't see how that would get in your Outlook though, because it doesn't support gateways (as far as I'm aware) so only lets you access other 25.x.x.x addresses.
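
Added example, not part of any post in this thread: a small Python triage of sign-in activity entries that separates the account owner's known address, unfamiliar public sources, and addresses in ranges that are used internally, including 25.0.0.0/8 as described in the replies. The log format, account names and sample addresses are constructed for illustration, and treating 25.0.0.0/8 as non-public is the thread's assumption.

```python
import ipaddress

# Non-public ranges. 25.0.0.0/8 is listed on the thread's assumption that it is
# reused internally (e.g. by VPN software) and is not reachable from the Internet.
NETWORKS = [(ipaddress.ip_network(n), label) for n, label in (
    ("10.0.0.0/8", "rfc1918"),
    ("172.16.0.0/12", "rfc1918"),
    ("192.168.0.0/16", "rfc1918"),
    ("100.64.0.0/10", "cgnat"),
    ("25.0.0.0/8", "mod-allocated-reused"),
)]

def classify(ip_text):
    """Return a range label for an address, 'public' if none match, or 'invalid'."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "invalid"
    for net, label in NETWORKS:
        if ip in net:
            return label
    return "public"

def triage(log_lines, known_ips):
    """Return (account, ip, verdict) for each 'timestamp,account,ip' line."""
    results = []
    for line in log_lines:
        _ts, account, ip = [f.strip() for f in line.split(",")]
        kind = classify(ip)
        if ip in known_ips:
            verdict = "expected"
        elif kind == "public":
            verdict = "investigate: unfamiliar public source"
        elif kind == "invalid":
            verdict = "unparseable address"
        else:
            verdict = f"non-public range ({kind}): IP alone does not identify the origin"
        results.append((account, ip, verdict))
    return results

# Constructed sample entries (not taken from the poster's activity log).
SAMPLE = [
    "11-18T09:12Z, user1@example.com, 203.0.113.7",
    "11-18T09:14Z, user1@example.com, 25.10.20.30",
    "11-18T09:20Z, user2@example.com, 198.51.100.9",
]
KNOWN_IPS = {"203.0.113.7"}  # the owner's static IP (documentation address)

if __name__ == "__main__":
    for row in triage(SAMPLE, KNOWN_IPS):
        print(*row, sep=" | ")
```

An entry flagged as a non-public range still warrants the password change and scans described in the first post; the label only records that the logged address cannot be attributed to a network by lookup alone.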