
Having some very unusual things going on over with our Microsoft Office365 account. 

The beginning - we had a user's OneDrive folder completely disappear. About 8 or 9 folders affected.

We checked the logs and restore logs, which contain detailed information about all user file creation/move/upload/deletion actions. The last action had been in October, which lined up well with the user's description of the problem.

Local (Asian) support was able to find and restore the folders using this tool, but it was confirmed that there was no user action to delete the folders. There was no "delete" action listed at all.

I suggested that they do a deeper inquiry on this to make sure they don't have a hardware failure that isn't protected properly by the first stage of redundancy and as is my habit, I asked to speak with them after they have locked down the original cause of the folder disappearing. 

Many of our users do not have strong reliance on OneDrive, but a handful do and we do have one user who relies on it very heavily and does a lot of traveling. We do maintain a backup of his files externally, but he's notoriously disorganized and often does things which damage that, so we are somewhat dependent on OneDrive actually working as expected. I don't really like the idea that an entire user's OneDrive folder was totally wiped without any record.

I got a call back from a Nigerian person, which I found odd, given that I usually speak with someone in the Malaysian, Singapore, Philippine or Hong Kong office, where the support team is on a similar time zone. 

Oddly, he was asking me for information about the case which was already clearly included in the case history and asking me to go through the audit logs. I had already gone through this twice with phone support and one type of log was not set to be retained, while the other type of logs showed clearly that the files were *never deleted by a user*. Still, he kept asking me for these logs. Audit logs are not turned on by default and are not turned on for our account. Further, they will only track user actions, which are also tracked by the restore logs, so there is no new information to be revealed from the audit logs.

I told him that the information about the logs should already be included in the case history, so if he was unclear about that, as a Microsoft Support Technician, he would have access to that. My red warning lights were already flashing in my head. Especially when he told me that he didn't have access to all of the logs...

I told him that I would be happy to speak with a technician who had access to Microsoft logs, but if he did not have access to those logs, then I could not confirm that he was an actual Microsoft support technician, so I would not disclose any further information to him.

He followed up with an email, which was *VERY* suspicious.

For starters, he was asking me for things like "the OneDrive URL", "the affected document library url where the doc got missing", "How many folders and files are in the missing and restored folder", "the affected User(s)' UPN(s)"... All of which is already in the case history logs (confirmed while on the phone).

But more oddly, he also wanted "Screenshots of affected User(s)’ Permissions Page" and "the Screenshot of assigned Licenses page", which is unusual information to be asking for at this late stage.

Ordinarily, I'd probably go ahead with that. However, I noticed that in the "To:" field of the email, he's also included "borenke@xxentra-tech.com". 

I assumed this was probably his supervisor or similar and I'm aware that MS uses 3rd party companies for their support for things like this, so I didn't think anything of it... until the response comes back from that address as undeliverable.

So I tested it and it's genuinely an undeliverable address, but I realized that if this is a legitimate CC for a monitor, this is NOT what that would look like. I know this because our company also has some special monitor rules for certain employees and *nobody* can see that part of how we operate. Additionally, that monitor's email address is within our organization's domain name, so even if someone were to find out, it's obviously not anything strange for a manager to be supervising.

But I also realized that the "Microsoft employee" who contacted me would also be aware that this was an undeliverable address. 

It is difficult for me to rationalize how they could be adding an address to the "To:" field without realizing that it was undeliverable.

Very suspicious.

I ended up speaking with another individual from this same company as I was *emphatically insistent* that I have no interest in disclosing any further information to this "Microsoft employee" who seemed to want a lot of information from me about our licensing details to be sent to this unusual broken address (also interesting that "borenke" is an anagram of "broken" with an extra 'e').

The email from this other individual oddly had some Comic Sans font in the footer, but more notably, had this at the bottom: " To have consistent support experience, we recommend that you REPLY ALL when responding to this email message."

So this person is specifically requesting to Reply All, so any information being sent to him would definitely be going to this "borenke" address. 

Oddly, xxentra-tech.com and xentra-tech.com both do not show up as valid domains.

So I'm starting to think that not only is this super suspicious, but it is starting to feel like someone has written some kind of script that is grabbing these emails to "borenke@xxentra-tech.com" and sending them off to some other address, out of view of Microsoft's monitoring.

It *is* possible to set a forwarder for a non-existent email address in certain circumstances.

So now, the question is... where is this email going?

Or a better question is... what the actual heck is going on at Microsoft Support?

I have confirmed that these people do in fact work in Microsoft Support. Their names are all over the place with our support request when I call locally by phone. And I have specifically requested to speak to another team on 4 occasions now.

So on Saturday evening, at 11pm, I get a phone call from some guy in Nigeria telling me he's working with Microsoft. I don't recognize the voice and he's not either of the first two people I spoke with, but I asked him where he thinks I am located. He tells me "China". 

Nope, not China, but if you think I'm in China, what time do you think it is here? It would be around 1am. And you're calling my cell phone number at what you think is 1am... for a service call??? And you're asking me the same questions, that you need more information from me about my account? 3 previous calls from this company had been during normal working hours. They know what time zone I'm in.

I was very tired since I was dealing with some mild side effects from my BNT vax and I explained to him in *NO* uncertain terms that he was not going to get information from me about my account with Microsoft, which he should already have access to if he's working with Microsoft Support.

I called Microsoft today and they told me that they would ask tech support to call me back... the name of the tech support listed? The first guy from Nigeria.

I have no idea how to escalate this with Microsoft. This is highly suspicious behavior and it just keeps going around in circles. Microsoft keeps sending me back to the Nigerian tech team for no reason I can figure out. They are literally on the other side of the planet, so calling me during working hours here means they are graveyard shift there. 

I can't say for 100% sure that this shows dirty shenanigans and tech support staff handing off sensitive information to their buddies for some social engineering scams, but this is exactly what it would look like if it were. I have no pathway to getting any reasonable answers to this.

Any thoughts?

Edited Nov 30, 2021 at 08:50 UTC
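As an added illustration (not code from the thread or from Microsoft), here is a check one could run over a vendor support e-mail before following a "Reply All" instruction: it lists every address a Reply All would reach, flags those outside the expected vendor domain or your own domain, and notes whether the body asks for Reply All. The allowlist, the example.org domain and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumptions (placeholders, not values from the thread): the domains a genuine
# vendor support thread is expected to use, and our own organisation's domain.
EXPECTED_DOMAINS = {"microsoft.com"}
OWN_DOMAIN = "example.org"

# Constructed sample modelled on the thread: a support reply whose To: field
# carries an unrelated third-party address and whose footer asks for Reply All.
SAMPLE_MESSAGE = """\
From: Support Engineer <support.engineer@microsoft.com>
To: admin@example.org, borenke@xxentra-tech.com
Subject: Case follow-up
Content-Type: text/plain; charset=utf-8

Please send screenshots of the assigned Licenses page and the affected
user's UPN.
To have consistent support experience, we recommend that you REPLY ALL
when responding to this email message.
"""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def recipients(msg):
    """Every address a Reply All would reach: the To, Cc and Reply-To headers."""
    raw = []
    for header in ("To", "Cc", "Reply-To"):
        raw.extend(msg.get_all(header, []))
    return [addr for _, addr in getaddresses(raw) if addr]

def body_text(msg):
    """Text of all text/plain parts (walk() also yields a single-part message itself)."""
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

def audit(raw_message, expected=EXPECTED_DOMAINS, own=OWN_DOMAIN):
    """Flag recipients outside expected domains and a Reply-All nudge; sends nothing."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_ok = domain_of(sender) in expected
    unexpected = sorted(a for a in recipients(msg)
                        if domain_of(a) not in expected and domain_of(a) != own)
    asks_reply_all = re.search(r"\breply[\s-]*all\b", body_text(msg), re.I) is not None
    if unexpected and asks_reply_all:
        risk = "high"        # the pattern described in the thread: stray address + Reply All
    elif unexpected or not sender_ok:
        risk = "medium"
    else:
        risk = "low"
    return {"sender": sender, "sender_ok": sender_ok, "unexpected_recipients": unexpected,
            "asks_reply_all": asks_reply_all, "risk": risk}
```

A "high" result is a prompt to reply only to the vendor's own address (or through the support portal) and to raise the stray recipient with the vendor, not to send the requested licensing or permission details.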

6 Replies

Suzanne (Spiceworks)

There are giant tech-support scams for most of the big companies.  I guess my first question is, are you sure that the number that you called in the first place is legitimate?  False numbers are all over the internet and it is difficult to actually find a legitimate phone number for a company like that.  They don't normally publish them.

If you are certain, then I don't know... it could be that they have few options in that area to outsource to, and are trusting shady people.

eschelar (OP)

This communication comes directly through their support panel. These are legitimate representatives of Microsoft, behaving in a way that would strongly suggest they are scammers or involved in some kind of nefarious behavior.

When it becomes impossible to tell real support from the scammers, there is a serious problem.

I confirmed in multiple ways that the Nigerian team is a genuine Microsoft team. But their behavior is anything but legitimate.

I have still not been able to get a reasonable response from anyone in Microsoft and this is now the 9th time I have had to go over the details of this case with Microsoft support. I am now in contact with the Portugal team, but they are telling me that all of the relevant details of the case are not showing up in the case history notes. 

The Portugal team rep told me straight up that he did not know the actual problem that was the subject of the case. He was under the impression that it was files that were lost, but in reality, that problem was fixed and I was simply asking to see if they could do a deeper search because it looks like either a redundancy error, a hardware fault or a hack (extremely unlikely at the user level, but this would be a hack at the server level). I do not believe that a hack is a likely possibility, with a hardware error (probably undetected) or a redundancy policy error being the more likely culprits. I am a server administrator here at the company I work for and if an entire high level folder suddenly disappeared with all the folders it contained and there was no explanation for it, I would consider that something that was worth taking a pretty serious look at. Not only that, but the issue with the xxentra-tech.com is something that would reasonably be considered a major security violation in pretty much any other setting. It does not appear to be looked at seriously though. I don't know why.

The only reason MS had moved us over to using the Nigerian team was that the case got transferred from the Asian team to the EMEA team, likely due to my request to use English. This is bizarre to me since they do not offer 24 hour support in each time zone, so they are telling me that they only have staff during normal office hours in their local time zones. Which doesn't explain to me why I had 3 phone calls from Nigeria during our normal office hours (well outside of theirs).

Additionally, there are multiple teams in the Asian group that have English service. I have spoken in the past with Malaysia, Singapore, Philippines and even English support in China and Taiwan. It makes no sense to me that we were dumped over to Nigeria. It makes no sense to me that I specifically and directly requested for our case to be transferred away from the Nigerian team three times, all of which was ignored until this last incident where I was called at 11pm Saturday night.

The Portugal rep made excuses for the "borenke@xentra-tech.com" oddity. He says it was probably a typo. I do not understand how it is a typo that every single person in the office makes on every single email, while at the same time, receiving an "undeliverable" bounceback every single time they send an email out for that supposed "typo".

None of this makes much sense to me. It feels like Microsoft has somehow downsized their oversight team and now multiple teams are running rampant with no real oversight.

I would consider that a pretty big red warning light of catastrophic failure imminent...

Edited Dec 1, 2021 at 03:12 UTC
eschelar (OP)

Final update (?)

I have finally been put into contact with the Malaysian team and he sounds almost as frustrated as me.

The window of time to look into the folder issue is past and by the sounds of it, he has zero tools for handling the bizarre behavior of the Nigerian team, so the only option he has left is to *ignore it and sweep it under the rug*.

This feels a lot like looking around at a nuclear reactor, noticing a little red warning light covered up by a piece of black gaffer's tape. 

Nobody seems to care that there's an obvious anomaly going on with the Nigerian team. 

There were several other bizarre things going on as well, but I don't think they are connected. Stuff like the Asian call center having nobody at all working in tech support, so all the calls are fielded by girls in the billing department, who mostly have zero technical skills and don't understand what you're talking about when you say "I've got some odd behavior here with many multiple re-downloads of a specific email using POP3" or whatever the case may be. Basic tech stuff... 

Heck, the last few times I've spoken to those girls, they have answered the phone with "uhhh, hi" or "who's this?" or simply just answering and not saying anything at all.

Very disappointed that Microsoft support seems to be collapsing on itself. It's really odd and a bit tragic.

greggmh123

eschelar wrote:

Final update (?)

I have finally been put into contact with the Malaysian team and he sounds almost as frustrated as me.

The window of time to look into the folder issue is past and by the sounds of it, he has zero tools for handling the bizarre behavior of the Nigerian team, so the only option he has left is to *ignore it and sweep it under the rug*.

This feels a lot like looking around at a nuclear reactor, noticing a little red warning light covered up by a piece of black gaffer's tape. 

Nobody seems to care that there's an obvious anomaly going on with the Nigerian team. 

There were several other bizarre things going on as well, but I don't think they are connected. Stuff like the Asian call center having nobody at all working in tech support, so all the calls are fielded by girls in the billing department, who mostly have zero technical skills and don't understand what you're talking about when you say "I've got some odd behavior here with many multiple re-downloads of a specific email using POP3" or whatever the case may be. Basic tech stuff... 

Heck, the last few times I've spoken to those girls, they have answered the phone with "uhhh, hi" or "who's this?" or simply just answering and not saying anything at all.

Very disappointed that Microsoft support seems to be collapsing on itself. It's really odd and a bit tragic.

Dang! It sounds like you reached the cleaning crew and not tech support or sales!

Can you spell CHERNOBYL?

I do not envy you.

Gregg

eschelar (OP)

That is exactly what it feels like. Except the Nigerian team. That felt like some Jim Browning stuff. I've never seen a dummy forwarder from any other communication from MS and it's bizarre that nobody else I spoke to in MS seemed to think it was out of place or odd at all.

It's like they are not actual computer people...

Kinda worries me that MS has tech support that aren't really computer people....

eschelar (OP)

Just as a follow up here.

We did have another two instances of OneDrive being wiped out. 

I do not believe that this was a hard drive wipe. I believe now that this was an access issue. 

I was able to do some deep troubleshooting when we had the 3rd instance of this bug and I noticed that the OneDrive system itself was inaccessible (including settings, menu options, etc), not only the files. This condition appears to last a few hours, then self-rectifies. 

It is entirely possible that they were taking certain portions of their network offline for servicing or updating. Personally, I find this somewhat questionable since we don't know the behavior for folders created during this time and if they have the potential to over-write the folders as they come back online.

The folders and files do come back online before the system comes back online as well. 

Therefore, it is most likely that the original tech in the Asian team did not actually restore anything, which would explain some of the early confusion as to why there were no notes on the case... the tech support didn't actually do anything, so no notes were made. 

Speaking with the Malaysian support tech, he considered the behavior of the Nigerian team also to be extremely unusual, although he admitted that he is not familiar with black hat behaviors, so is not aware of the potential of an empty forward for illicit behavior, but he did agree that there could indeed be a possibility of this and that there was no other explanation as to why they would be asking for a Reply All to a message with a borked email address, *and* were requesting information about billing and licensing information when simply accessing the account would show that our account status is valid and does not need further validation. I explained to him that if someone called up and had all the information from a snapshot of our licensing information, they could easily use social engineering to gain full access to our back end and account, most likely snooping around for sensitive files via an administrator account. This is specifically information that was requested from the Nigerian team to be sent to their suspicious 3rd party email address.

Given that I had spoken to three different individuals within the Nigerian team, he was also surprised to see no notes from them either.

Here's hoping that something is actually done to look into that team.

The Portuguese team did indicate that the Nigerian team was interchangeable with any other team within the EMEA, so you folks in the EU region need to watch out for suspicious behavior.
