Anything is possible. The more important question is, how likely is it?
There’s probably a very simple, mundane explanation here: your friend’s account has been hacked. Someone else has access to it.
It’s not that Microsoft’s servers are vulnerable; it’s that your friend’s account was.
And that’s very common.
Become a Patron of Ask Leo! and go ad-free!
Microsoft servers infected?
It’s extremely unlikely that the servers of any major online service would be hacked. Much more likely are the many ways that individual accounts can be compromised or that malware can make it on to individual machines. Most important is that you implement all appropriate security measures for your equipment and online accounts.
Mail programs versus mail servers
First, realize that Outlook.com (Hotmail’s replacement) isn’t running mail software like you and I run.
Outlook.com and other mail services run custom software tuned for being mail servers. They’re designed to collect and deliver mail on behalf of thousands, if not millions, of customers.
The “address book” you see on screen is likely stored on Microsoft servers in a custom and undocumented format1 that would be near impossible to reverse engineer without direct access to the Microsoft data center. To the best of my knowledge, no current malware has a clue how to do that.
I’m sure that Microsoft and Microsoft-related servers are some of the biggest targets for hackers on the planet. You can bet that these are some of the best-secured servers in existence. From industrial-strength firewalls to totally secured and locked-down data centers in undisclosed locations, Microsoft servers are well protected.
Finally, if there were any kind of a security breach or problem on the servers themselves, Microsoft would be all over it as fast as humanly possible. If necessary, it would take the service down to protect its customers.
So, no, I don’t believe Outlook.com or Hotmail itself has been hacked, or that the servers have any kind of malware infection.
Most likely: no malware at all
So where’s the email coming from?
By far the most common cause of the symptoms you describe is an account hack. Someone has somehow determined the sign-in credentials for the email account, signed into Outlook.com, and started sending email to the account contacts.
The only thing required is the ability to sign in to the account. That’s it. No malware involved, and certainly no malware on the Microsoft server itself. Malware may have been involved in determining the sign-in credentials, but that could have been something like a keylogger on your friend’s computer.
Or your friend’s computer may not have been involved at all. If they re-use passwords, then hackers may have gotten around to trying a password discovered elsewhere with this Hotmail account and been successful.
Still possible: malware
If malware is involved, it’s more likely that it captured the sign-in credentials as I described above, allowing the hackers to sign in to the account directly.
It’s not nearly as common as it once was, but malware has also been known to infect email programs on PCs. The malware would take control of Microsoft Office Outlook, Thunderbird, or others and send spam and malware. It’s pretty rare these days, though.
Also possible: it’s not you at all
It’s possible that nothing in your control or your friend’s control is involved at all.
Spammers can fake the “From:” line on the email that they send. It looks like it came from your Hotmail account, but in fact it came from somewhere else entirely. A quick look at the details of the mail header usually confirms this.
I’ve discussed this at length in an earlier article, “Someone’s Sending From My Email Address! How Do I Stop Them?!”
The result is your friends could be getting spam — perhaps carrying malware — that looks like it came from you, but in fact had nothing to do with you whatsoever.
Don’t jump to the conclusion that your service’s servers have been hacked.
Instead, review your own security measures. Protect your machines with good security software, and scan them regularly for malware.
Make certain your online accounts are protected with strong and unique passwords, and consider adding two-factor authentication for an extra level of security.
And of course, subscribe to Confident Computing! My newsletter helps you use technology with less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Footnotes & References
1: Very likely in a large database using something like Microsoft SQL Server or similar.