Scammers have been exploiting a loophole for months, allowing them to send spam emails using an internal Microsoft email address typically reserved for legitimate account alerts.
The method by which these scammers are bypassing the system remains unclear. However, they have successfully created new Microsoft accounts, impersonating new customers, to send emails that appear to originate from the tech giant, potentially deceiving recipients into believing the emails are authentic.
Microsoft has yet to gain control over this issue.
Last week, I received multiple emails with similar structures, featuring subject lines and links to suspicious sites, sent from various Microsoft email accounts. These poorly constructed emails originated from msonlineservicesteam@microsoftonline.com, an email account used by Microsoft for sending critical notifications, such as two-factor authentication codes.
The subject lines of some emails mimicked official communications alerting users to fraudulent transactions, while others claimed there was a private message waiting for the recipient at a specified web address.
In a social media post on Tuesday, The Spamhaus Project, a non-profit dedicated to anti-spam efforts, reported similar abuse of Microsoft’s account notification email address, dating the activity back several months.
“Automated notification systems should not allow this level of customization,” Spamhaus noted. The non-profit further stated it had informed Microsoft about the problem.
Upon contacting Microsoft earlier this week, a spokesperson acknowledged the inquiry from JS but did not provide a comment or indicate if the misuse of its account notification email has been halted.
This incident is part of a broader trend of hackers or scammers exploiting company systems to deceive unsuspecting customers in recent times. Earlier this year, hackers infiltrated a platform used by the fintech company Betterment to dispatch fraudulent notifications, falsely claiming to triple the value of any cryptocurrency sent by users — a well-known scam tactic for stealing cryptocurrency.
In 2023, hackers similarly exploited an email account operated by Namecheap to distribute phishing emails aimed at stealing user credentials.
Comments on social media indicate that other companies’ email addresses are also being used for spam, suggesting the issue extends beyond Microsoft.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.
