Scammers are abusing an internal Microsoft account to send spam links
Source: TechCrunch
Overview
For months, scammers have been taking advantage of a loophole that lets them send spammy emails from an internal Microsoft address typically used for legitimate account alerts. The attackers can set up new Microsoft accounts as if they were new customers and use that access to send emails that appear to come from the tech giant, potentially tricking recipients into believing the messages are genuine. Microsoft has not yet indicated that it has fully addressed the issue.
Abuse of Microsoft’s internal notification address
Last week, several similarly structured emails were received across different accounts. The messages, which contained subject lines and links to scam sites, were sent from msonlineservicesteam@microsoftonline.com—the address Microsoft uses for important notifications such as two‑factor authentication codes and other critical alerts.
The emails mimicked official communications, with some subject lines resembling alerts about fraudulent transactions and others claiming a private message awaited the recipient at a web address included in the email body.
Image credit: TechCrunch (screenshot)
Evidence and reports
- A Mastodon post showed the crude emails sent from the Microsoft address.
- In a social post on Tuesday, anti‑spam nonprofit The Spamhaus Project confirmed seeing the same Microsoft notification address abused to send spam, noting that the activity dates back “several months.”
“Automated notification systems should not allow this level of customization,” wrote Spamhaus, adding that it has notified Microsoft of the issue.
When contacted by TechCrunch, a Microsoft spokesperson acknowledged the inquiry but has not yet commented on whether the abuse has been stopped.
Related incidents
-
Earlier this year, hackers compromised a platform used by fintech firm Betterment to send fraudulent notifications that claimed users could triple the value of any crypto they sent, a well‑known scam used to steal cryptocurrency.
Read more -
In 2023, attackers abused access to an email account run by Namecheap to send phishing emails aimed at stealing credentials.
Read more
Other users on social media have reported that similar abuse of corporate email addresses is occurring at multiple companies, suggesting the problem is not limited to Microsoft.