North East Bytes - a Microsoft technology usergroup in North East England.

Powered by Squarespace


Anatomy of a Scam Email

A little while ago I received warnings on a couple of mailing lists of a new email scam claiming to be from Microsoft. There was some suggestion that this particular scam was well structured and more convincing than most, although everyday experience tells us that phishing emails don't have to be very convincing at all to get passwords (or whatever) out of some computer users.

This is an example of the message that's going round. It links to a MSI file that you should install "in order to keep your computer and data safe" - I've broken up the URL so that nobody clicks on it by accident - it's malware that wasn't detected by all anti-virus packages at the time.

From: Microsoft <>
Subject: Attention: Microsoft Office
To: Recipients <>

Dear Microsoft Office user, through our annonymous statistical
information collection system built into all Microsoft Office
products, we have detected that your system is currently lacking 3
critical Office patches. These patches are for Microsoft Word,
Microsoft PowerPoint and Microsoft Outlook, in order to keep your
computer and data safe we urge you to go to
Microsoft Download Center and download the Microsoft Office Critical Update
Pack available on our website.

You can do this by searching for the patch on our website or
directly at:

http dot slash slash fileserver dot updateservermicrosoft dot net/MS00285913/CriticalUpdates/


Microsoft Office Support
Cardinal Place
80-100 Victoria Street 

Now, there are a bunch of reasons why you are too clever to be caught out by this. You've already seen a bunch of them, haven't you? You wouldn't be foolish enough to fall for this, I know. But let's break it down just for fun anyway...

First up are the email addresses in the header. That's obviously not how you spell Microsoft, and Microsoft haven't run out of addresses, so they wouldn't be using anything else. The trouble here is that this could potentially be much worse. Email is horrendously insecure and it's very simple to send an email that looks like it comes from absolutely any address whatsoever.

Some systems won't relay email from addresses without verifying the sender is who they say they are, and some systems won't accept email pertaining to be from some address if it didn't originate from a server that's designated as part of the DNS domain. Frankly though, there are loads of systems that are wide open, so you can pretty much assume that the address that an email comes from isn't proof that it came from that person/organisation.

The next thing that is often part of a scam email is bad speeling or grammar. This one is better than most, but even if I haven't screwed up the line breaks (which I may have - I didn't receive the message first-hand), this bit is suspect:

Dear Microsoft Office user, through...

You'd expect a line break after the comma there, which may have been in the original message - if this really was from Microsoft it would've been there, and if there was a line break "through" would be capitalised.

The next bit is the one that I would expect more people to miss:

through our annonymous statistical information collection system built into all Microsoft Office products, we have detected that your system...

Now some Microsoft products do optionally collect anonymous user data to feed back into their development cycle, so that's plausible, right?

The key thing here is that word "annonymous" (which is spelt incorrectly, but that's only part of the point). If the data is anonymous, how would they know that it was your system, or know your email address to warn you about it?

They wouldn't. Nobody will ever be able to contact you with a targeted message based on anonymous data. That's just nonsensical.

Other stuff that should ring alarm bells, although there require a bit of background knowledge...

Microsoft delivers critical patches via Windows Update. If they needed you to apply a critical patch, they'd simply direct you to Windows Update, or at the very least a page on

The physical address is Microsoft's London office, so at least the scammer went to the trouble to check that out. However, they didn't bother to find out what Microsoft does there. A quick seach would have uncovered this: "Our London office primarily serves the MSN and Xbox teams, although the ground floor is set up for hot-desking to ensure that any of our employees can work from this office when they are in London." Critically, it doesn't include Microsoft Office Support.

The scammers are getting better, but they need to try much harder if they're going to fool anyone with a decent dose of both scepticism and common sense (unfortunately there are too many people lacking one or both of those).


2013 PowerShell Scripting Games

If you've read very much of my blog, you'll know that I'm a big fan of the annual Scripting Games, where challenges are set for beginners and advanced scripters, to be solved in PowerShell. The reason I like this event so much, apart from enjoying a challenge, is that it's an excellent way to learn, regardless of your level of proficiency.

The great thing about the Scripting Games is that you can have a go at solving each problem and then see an expert solution to compare your efforts with. Even if you're really competing at the advanced level, you're likely to learn something from that, and if you're just a beginner, then there's no better way to learn that to try to solve a problem and being shown by an expert the best way to do it.

The 2013 event kicks off today, and I strongly recommend you take part if you have the time. If you don't have time to do it right now, then there's nothing stopping you having a go after the competition has ended - just make sure that you give the challenges a try before you look at the expert solutions.


More System Center 2012 SP1 on Microsoft Virtual Academy

Earlier this month, I pointed at a couple of courses on Microsoft Virtual Academy - which is a great free resource, if you haven't already found it. I've since found a post on the System Center blog pointing at a whole load more content that you might want to check out:

Configuring and deploying Microsoft's Private Cloud

Introduction to the Microsoft Private Cloud

Introduction to Hyper-V Jump Start (with System Center 2012 SP1)

Microsoft Virtualization for VMware Professionals Jump Start (with System Center 2012 SP1)

Microsoft Solution Accelerators for the Datacenter and Private Cloud

Private Cloud: Computing and Infrastructure Management

Private Cloud: Service Delivery and Automation

Private Cloud: Application Services Management

Private Cloud: Infrastructure Components

System Center 2012 Licensing Overview

System Center 2012 Service Pack 1 Updates

System Center 2012 SP1 Capabilities

System Center 2012: Operations Manager

System Center 2012: Configuration Manager

System Center 2012: Data Protection Manager

System Center 2012: Orchestrator & Service Manager

System Center 2012: Virtual Machine Manager (VMM)

System Center Advisor

What’s New in System Center 2012

That's a whole lot of learning, but that's going to be of limited use to you if you don't then go and kick the tires. To that end you might want to setup a test lab. You can download an evaluation of Windows Server 2012, either as an ISO if you want to pop it on a spare bit of kit, or a ready to use VHD file that you can attach to a VM, or boot from on your desktop. Then you can install an evaluation of System Center 2012 with SP1.

If you like, you can even setup an IaaS pop-up lab on Windows Azure and it doesn't have to cost you a penny:


Hogwarts School of Witchcraft and Wizardry

Last weekend, James and I set out on a mission to build a replica of Hogwarts. We knew it was going to be a big job, so we wasted no time, starting at 08:30, still in pyjamas.

Although we've watched the Harry Potter films a number of times, been to The Wizarding World of Harry Potter and to WB Studio Tour London, we can't actually remember exactly what Hogwarts looks like, so we started with a photo:

Then we decided which elements we wanted to have in our model:

Next step was to lay out our pieces roughly to see whether we had enough raw material to do what we'd planned. Lesley had been collecting cardboard boxes and tubes for a few weeks and it turned out that we had almost exactly the right amount, although we were required to devour a Flake Easter Egg early in order to use its box - sometimes you have to suffer for your art (at least I think that's how it went down - it may be that we were just desperate for a bit of chocolate one evening - you know how it is!).

Having decided that we had plenty boxes, we added more detail...

Once we'd got the boxes and tubes in place, we made some paper cones to top the turrets, added some height to our large Bisto turret, some card prisms to the top of our Bran Flakes towers...

...and a facade on the grrreat big building at the back...

Then it was time to paint.

We had to go out and buy paint, which meant we had to disrupt our flow to get washed and dressed first, then headed to B&Q where they have Dulux testers on a 3 for £1 deal. They didn't have exactly the shades for brick and slate that we were after, so we picked up 6 pots and mixed them together to give a nice red brick and slate roof.

We made sure that we also got plenty paint on socks...

...and hands... 

Then we took our newly painted building bits...

...and re-assembled them into Hogwarts...

This model is only designed to be viewed from the front, so we didn't bother to paint the back. You might notice the large turret (beside the Flake Easter Egg) having a bit of a bashed roof. That was something to do with a water pistol launching off the windowsill right on to the point of that cone. No idea how it happened, but I'm pretty certain it defied the laws of physics.

The next step was to draw on some detail. Some windows, detailing in the brickwork, and some numbers, because why not?? Then we taped the bits together into two easily transportable halves.

The whole point of this was to enter an Easter Egg competition at James' nursery school, so we needed to add our Harry Potter egg (created by Lesley), wearing a black wizard's cloak and riding a broom stick (paintbrush)...

In the end, James didn't win the competition (we probably gave him just a little bit too much help), but we certainly had a lot of fun building Hogwarts! :-)

p.s. If you like this, you might also want to have a look at Alice Finch builds massive LEGO Hogwarts from 400,000 bricks - very cool.


Deleting AD Users with PowerShell - Why is a user not a leaf object?

I've been re-writing some automated processes around user account lifecycle recently, making use of the Active Directory PowerShell module on Windows Server 2012. Most recently this involved removing a large number of expired user accounts. On the first attempt of trying to remove the user objects I was receiving this error for a number of them, seemingly at random:

Remove-ADObject : The directory service can perform the requested operation only on a leaf object

So why would a user object in AD not be a leaf object? It turns out that when a user connects a device to Exchange with EAS, there's an AD object created for that device inside the user object and that is what is stopping the user being a leaf object.

You might search for this and find advice on using Remove-ActiveSyncDevice before you remove the user. The trouble with that is that if you've got multiple versions of Exchange running in your org, then you might find that you can't remove the ActiveSyncDevice for all your users with the same method.

It doesn't matter anyway because the point is that the user isn't a leaf; it's a container that now has child objects, so what do you need to do to delete a container? Simply do a recursive remove. In the case of what I've been doing, this does the job:

$30daysago = (get-date).AddDays(-30)
Get-ADUser -filter {accountexpirationdate -lt $30daysago} | Remove-ADObject -Recursive