Reality check: what actions should be taken if an hack attempt seems to be a false positive
Premise:
Some time ago a friend of mine created a Microsoft based mail account (Live Id/Microsoft Account. He just needed the mail) to use for receiving some messages. The account was created and then left unused for a few days. Later, when accessing the account again about one week later, the system reported that the account was suspended because some suspicious activities were detected. The security page for the account reported an "successful login attempt" from an unrecognized IP about 10 minutes after the account was initially created. The account password was pretty strong and not shared with any other account, the account name was chosen at the time the account was created and couldn't be reasonably know to other people, so the only way some third party could get to know the account credentials in less than 10 minutes from the account creation I could think of was a keylogger or similar spy malware on the machine.
At this point my friend contacted me for help. I immediately searched for traces of an infection or other system-compromise but wasn't able to find any sign of infection on the machine - a IMac/Osx based computer. No visible rogue app, router config seems ok (I had also tried some online tools like F-Secure Router Checker to check if there was any trace of a router-lever dns hijack). I then noticed that the reported "unknown ip" that supposedly accessed the mail was 65.55.52.40 - an IP belonging to Microsoft. Contacting the service support yield no result (no wonder) : some of the employees seemed to hint that the system could indeed sometime cause false positives originating from internal maintenance scripts, but no official documentation was found about the issue.
So, long story short: Microsoft reports that someone used the correct credentials to access the account, the access is dated just <10minutes after the account creation so there is no time to bruteforce the account. Either I assume that there is some sort of spyware on my friend machine and suggest a full wipe OR I tell him that it probably was a false positive (the Microsoft owned ip seems to suggest so) and that he should probably ignore it.
I am now wondering on what the best actions would be in such case.
SIDE NOTE: Technically, an hacker accessing the account could very easily spoof its IP to appear as a Microsoft owned one in order to try to hide its activity. But I wonder if such technique could really work: imho such behavior would be the equivalent to trying to fool a bank into giving you access to someone else account while presenting them a fake ID card with the name of the employee in front of you printed on it.... I would hope that Microsoft would at least be a little suspicious when receiving a request over the internet from a remote PC claiming to be a machine in their own network...
