Scam alert: An official Microsoft email is being used for phishing links

Published: (May 21, 2026 at 01:53 PM EDT)
2 min read

Source: Mashable Tech

How scammers are abusing the address

Scammers have weaponized a genuine Microsoft notification email address to send fraudulent messages. By injecting their own text into a legitimate notification flow, they bypass many spam and phishing filters: the message really is sent by Microsoft. The emails look like typical Microsoft communications, using the familiar template and branding, but the subject lines often mention Bitcoin or third‑party services, or include phone numbers and website links that have nothing to do with Microsoft.

What the attack looks like

  1. Create a disposable Microsoft 365 tenant.
  2. Modify the Tenant Branding configuration (Microsoft Entra ID) to change the “Name” field to a fraudulent financial‑alert message.
  3. Trigger a verification‑code email to the target by adding the target’s address to the attacker’s Microsoft account.
  4. Microsoft sends the email from its trusted [email protected] address, inserting the attacker‑provided “Name” into the subject line.

Because the email originates from a trusted Microsoft domain and contains no malicious links or attachments, it can easily slip past security measures.

Reports on the abuse

  • TechCrunch reported that Microsoft has not yet issued a statement about the issue.

  • A January report from Abnormal detailed the abuse of Microsoft’s notification system:

    “The attack begins with the bad actor spinning up a disposable Microsoft 365 tenant… The core exploit lies in the Tenant Branding configuration within Microsoft Entra ID.”

    (Source: Abnormal blog post)

What users should do

  • Verify the content of any email that appears to come from Microsoft, even if the sender address is correct.
  • Do not call phone numbers, click links, or download attachments from such a message unless you are certain it is legitimate.
  • Report suspicious messages to your organization’s security team or directly to Microsoft’s phishing report portal.

Staying vigilant and scrutinizing emails—especially those that request financial information or direct you to unfamiliar sites—remains the best defense against this type of phishing attack.
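The advice above can be turned into a simple triage check for a mail gateway or SOC script. The following Python example is added here and is not code from the article, Abnormal or Microsoft; it assumes a configured set of trusted notification sender addresses (a placeholder, since the page obfuscates the real one) and scores only messages from those senders, flagging subjects that carry phone numbers, links, crypto terms or currency amounts, which a real verification-code mail never needs. The sample messages are constructed.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# ASSUMPTION / PLACEHOLDER: the genuine notification sender is obfuscated on the
# page, so configure the real address here; this value is not Microsoft's.
TRUSTED_NOTIFICATION_SENDERS = {"account-noreply@placeholder-microsoft.invalid"}

# Indicators that do not belong in a verification-code subject line.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[a-z0-9-]+\.(?:com|net|org|io|xyz|top)\b", re.I)
CRYPTO_RE = re.compile(r"\b(?:bitcoin|btc|ethereum|eth|usdt|crypto)\b", re.I)
MONEY_RE = re.compile(r"(?:\$|USD|€|£)\s?\d[\d,]*(?:\.\d{2})?", re.I)

CHECKS = [
    (PHONE_RE, "phone number in subject"),
    (URL_RE, "link or domain in subject"),
    (CRYPTO_RE, "cryptocurrency term in subject"),
    (MONEY_RE, "currency amount in subject"),
]


def decoded_subject(msg) -> str:
    """Decode RFC 2047 encoded-word subjects so the regexes see plain text."""
    return str(make_header(decode_header(msg.get("Subject", ""))))


def subject_injection_indicators(raw_message: str) -> list:
    """Return reasons a notification from a trusted sender looks abused.

    Only mail whose From address is a configured trusted sender is scored: the
    point of this abuse is that the sender is genuine while the subject carries
    attacker-supplied text, so normal sender-reputation checks pass it.
    An empty list means no indicators were found.
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in TRUSTED_NOTIFICATION_SENDERS:
        return []
    subject = decoded_subject(msg)
    return [reason for pattern, reason in CHECKS if pattern.search(subject)]


# Constructed sample messages (placeholder sender, invented subjects).
LEGIT_MAIL = ("From: Account team <account-noreply@placeholder-microsoft.invalid>\n"
              "Subject: Your account security code\n\nYour code is 123456\n")
ABUSED_MAIL = ("From: Account team <account-noreply@placeholder-microsoft.invalid>\n"
               "Subject: $499.99 Bitcoin purchase charged, call +1 (555) 010-9999 to cancel\n"
               "\nYour code is 654321\n")
```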
