Scammers are abusing an official Microsoft email address to send spam
Source: TechCrunch
Overview
For months, scammers have been exploiting a loophole that lets them send spammy emails from an internal Microsoft email address typically used for legitimate account alerts. The abuse allows them to set up new Microsoft accounts as if they were new customers and use that access to send emails that appear to come from the tech giant, potentially tricking recipients into believing the messages are genuine. Microsoft has not yet indicated that it has resolved the issue.
Examples of Spam Emails
Last week, several similarly structured emails were received across different accounts. The messages featured subject lines and links to scam sites and were sent from msonlineservicesteam@microsoftonline.com, an address Microsoft uses for important notifications such as two‑factor authentication codes and critical account alerts.
Some subject lines mimicked official alerts about fraudulent transactions, while others claimed a private message was waiting at a web address mentioned in the email body.
Image credit: TechCrunch (screenshot)
Spamhaus Observation
In a social post on Tuesday, anti‑spam non‑profit The Spamhaus Project reported seeing Microsoft’s account‑notification email address abused to send spam, noting that the activity dated back “several months.”
“Automated notification systems should not allow this level of customization,” wrote Spamhaus, adding that it has notified Microsoft of the issue.
Source
Microsoft Response
When contacted by TechCrunch earlier this week, a Microsoft spokesperson acknowledged the inquiry but has not yet commented on whether the abuse has been stopped.
Related Incidents
This abuse follows a series of incidents where hackers or scammers have leveraged company systems to deceive customers:
-
Betterment – Earlier this year, hackers breached a platform used by the fintech firm to send fraudulent notifications claiming users could triple the value of any crypto they sent, a known cryptocurrency‑stealing scam.
Read more -
Namecheap – In 2023, attackers accessed an email account run by the company to send phishing emails targeting MetaMask and DHL credentials.
Read more
Other users on social media have reported that additional companies’ email addresses are also being used to distribute spam, suggesting the problem is not limited to Microsoft.