
Scammers Are Abusing an Internal Microsoft Account to Send Spam Links (techcrunch.com)

"For months, scammers have been taking advantage of a loophole that allows them to send spammy emails from an internal Microsoft email address typically used for sending legitimate account alerts," TechCrunch reports: [The scammers] have been able to set up new Microsoft accounts as if they are new customers and use that access to send out emails purportedly from the tech giant, potentially tricking people into thinking these emails are genuine...

Last week, I received several, similarly structured emails containing subject lines and web links to scammy sites from Microsoft across different email accounts. These crudely made emails were sent from msonlineservicesteam@microsoftonline.com, an email account that Microsoft uses to send important notifications to users, such as two-factor authentication codes and other critical alerts about their online account. Some of these emails' subject lines resembled official emails that would alert users to fraudulent transactions, while other emails claimed to have a private message waiting for the recipient at a web address mentioned in the email body.

In a social post on Tuesday, anti-spam nonprofit The Spamhaus Project said it had also seen Microsoft's account notification email address being abused to send spam and that the activity dated back "several months."

A PR representative told TechCrunch that Microsoft was "actively investigating" and "taking action against these phishing reports to help keep customers protected," with measures that include "removing accounts that violate our Terms of Use" and "further strengthening our detection and blocking mechanisms."

TechCrunch suggests the issue may not be limited to Microsoft. "Other users commenting on social media say that other companies' email addresses are also being used to send out spam."

  • Spoofing a from address was (is?) a trick scammers used for a long time? Given TC has the knowledge to identify that, it will be interesting to see what happened that allowed this.
    • An otherwise very technical friend called me recently to tell me someone was using my name in emails sent to him. I explained that I'm on a list, that we're ALL on a list. And someone is possibly phishing him directly.

      • Yea, I have gotten a few of the "I lost my wallet/phone/etc. can you send me xx cash via WU ..." email spoofing scams, but they seemed to have died out. Now the spoofing seems to be emails sent from me to me; I guess they hope it makes it past my spam filter. I'd block my email address in the filter, but I do legitimately use it for bcc emails where the entire list is bcc'd to avoid "Reply All" messages.
        • One of our grad students got burned by this - fake emails purportedly coming from his faculty advisor.

          I don't get how people fall for it, though... in this case, the faux professor told the student first to go buy a few hundred dollars in gift cards, then to send him the gift card numbers and the confirmation codes (the ones you have to scratch off to access). I mean, why would you think your professor would ask you to do these things?

        • Yea, I have gotten a few of the "I lost my wallet/phone/etc. can you send me xx cash via WU ..." email spoofing scams

          I have had two variations of this over the years; in both cases the legitimate senders had lost control of their email addresses after falling for phishing attacks. With their address books online, what could go wrong? Anyway, what happened there was not what I understand as spoofing.

    • by Zocalo ( 252965 )
      It was (and still is), but this is the problem that SPF was designed to solve (as opposed to being the FUSSP some made it out to be). If you have a critical domain that you use for sensitive stuff, like "microsoftonline.com", or any bank's domain, etc, then you need to be very specific on your SPF record's contents and make sure it has an "-all" in there to force a reject for failures, rather than the looser "~all" or (heaven forbid) "+all" which is really only intended for testing. Spammers know this, an
    • Nothing is being spoofed.

      Typically, the spammers find a support ticket submission page, or a bug tracker or some other quasi-public system. Then they open a ticket or report a bug using YOUR email address and a name like "YOURNAME, we are going to charge your credit card $587.16 for Norton Antivirus if you don't call XXX or email YYY in the next 24 hours"

      YOU then get an email from the ticketing system or bug tracker or whatever it is. This email contains the spammer's message, plus whatever is in the stoc

  • by ffkom ( 3519199 ) on Sunday May 24, 2026 @12:04PM (#66158454)

    Microsoft was "actively investigating" and "taking action against these phishing reports

    Microslop taking action against phishing reports, rather than closing security holes, is exactly what I would have expected of them. And I would not be surprised if the scamming originates from inside Microslop.

    • by Zocalo ( 252965 ) on Sunday May 24, 2026 @12:59PM (#66158518) Homepage
      See my post above for a bit more detail, but this looks like it could be an SPF include failure. They have included "_spf-ssg-a.microsoft.com" in the SPF, which in turn includes "spf.protection.outlook.com". AFAIK, that's basically the Outlook.com webmail service, so quite possibly at least some, and possibly any, users of that service could impersonate "microsoftonline.com" and get an SPF pass.

      If so then yeah, that's *totally* the kind of lack of attention to detail you tend to expect from Microsoft.
      • So basically this is just admin laziness, as in they don't want to manage a separate DKIM / SPF setup for their customers versus their actual employees?

        Someone in the Mastodon thread linked from TFS was claiming that Google and Apple are basically doing that - which is mind-blowingly stupid, if true. I'm actually a bit skeptical (but feeling too lazy ATM to dig into it right now).
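Zocalo's two comments above make two separate points about SPF: a sensitive domain should end its record in "-all" rather than "~all" or "+all", and an include chain can transitively authorise a far larger pool of senders than the top-level record suggests. The following is an added example, not code from the article or from any commenter, of a simplified SPF evaluator plus an include-chain audit. It runs offline against a constructed, in-memory table of TXT records; the domains, records and addresses are hypothetical and are not the real SPF data of microsoftonline.com or any other domain.

```python
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# These records are hypothetical, not the real SPF records of any domain.
FAKE_DNS_TXT: Dict[str, str] = {
    # Run the way Zocalo recommends: narrow includes and a hard "-all".
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/26 -all",
    # Softfails, and two includes deep pulls in a shared provider range
    # that many unrelated tenants can send from.
    "lazy.example": "v=spf1 include:_spf-a.lazy.example ~all",
    "_spf-a.lazy.example": "v=spf1 include:shared.provider.example -all",
    "shared.provider.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms
Resolver = Callable[[str], Optional[str]]


def lookup_txt(domain: str) -> Optional[str]:
    return FAKE_DNS_TXT.get(domain.lower())


def _split_term(term: str) -> Tuple[str, str, str]:
    """Return (qualifier, mechanism, argument) for one SPF term."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    mechanism, _, argument = term.partition(":")
    return qualifier, mechanism.lower(), argument


def check_host(ip: str, domain: str, resolver: Resolver = lookup_txt,
               _state: Optional[dict] = None) -> Tuple[str, str]:
    """Simplified RFC 7208 check_host(): may `ip` send mail as `domain`?
    Handles ip4, ip6, include and all; a, mx, exists and redirect= are
    reported as permerror instead of being silently skipped."""
    state = _state if _state is not None else {"lookups": 0}
    record = resolver(domain)
    if record is None:
        return "none", f"{domain}: no SPF record"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", f"{domain}: not an SPF record"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier, mech, arg = _split_term(term)
        if mech == "all":
            return QUALIFIERS[qualifier], f"{domain}: reached '{qualifier}all'"
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier], f"{domain}: matched {mech}:{arg}"
            continue
        if mech == "include":
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror", f"{domain}: more than {MAX_LOOKUPS} DNS lookups"
            sub, why = check_host(ip, arg, resolver, state)
            if sub == "pass":
                return QUALIFIERS[qualifier], f"{domain}: include:{arg} -> {why}"
            if sub in ("none", "permerror"):
                return "permerror", f"{domain}: include:{arg} -> {why}"
            continue  # fail/softfail/neutral inside an include: not matched
        return "permerror", f"{domain}: unsupported mechanism '{mech}'"
    return "neutral", f"{domain}: no mechanism matched and no 'all' term"


def audit_spf(domain: str, resolver: Resolver = lookup_txt) -> dict:
    """Walk the include chain as an admin auditing a sensitive domain would:
    what does the top-level 'all' say, which domains end up trusted, and
    how much IPv4 space is authorised in total."""
    report = {"domain": domain, "all": None, "chain": [], "networks": [], "warnings": []}

    def walk(d: str) -> None:
        record = resolver(d)
        if record is None:
            report["warnings"].append(f"include:{d} has no SPF record (permerror)")
            return
        report["chain"].append(d)
        for term in record.split()[1:]:
            qualifier, mech, arg = _split_term(term)
            if mech == "all" and d == domain:
                report["all"] = qualifier
            elif mech in ("ip4", "ip6"):
                report["networks"].append(ipaddress.ip_network(arg, strict=False))
            elif mech == "include":
                walk(arg)

    walk(domain)
    if report["all"] is None:
        report["warnings"].append("no 'all' term: unmatched senders are neutral")
    elif report["all"] != "-":
        report["warnings"].append(f"record ends in '{report['all']}all'; only '-all' forces a reject")
    if len(report["chain"]) - 1 > MAX_LOOKUPS:
        report["warnings"].append("include chain exceeds the 10-lookup limit")
    report["ipv4_hosts"] = sum(n.num_addresses for n in report["networks"] if n.version == 4)
    return report


if __name__ == "__main__":
    for ip, dom in [("203.0.113.7", "example.com"), ("198.51.100.200", "example.com"),
                    ("192.0.2.50", "lazy.example"), ("10.0.0.1", "lazy.example")]:
        print(ip, dom, *check_host(ip, dom))
    for dom in ("example.com", "lazy.example"):
        r = audit_spf(dom)
        print(dom, "all=", r["all"], "chain=", r["chain"], "warnings=", r["warnings"])
```

The audit output is the part worth running against a real record (swap `lookup_txt` for a resolver that queries DNS): the chain list shows every domain whose record changes silently change what passes for yours, and the networks list shows how many hosts end up authorised once shared-provider includes are expanded.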

  • by Arrogant-Bastard ( 141720 ) on Sunday May 24, 2026 @12:47PM (#66158502)
    For those who don't deal with email infrastructure: there are several technologies (DKIM, SPF, etc.) that have been deployed in attempts to stop email forgery. Each works slightly differently, but the overall concept is that a receiving email server can check that a sending email server is authorized to send messages from the message sender's domain (e.g., "this message presented by mail3.example.net claims to be from joe@example.com; is mail3.example.net allowed to originate email from example.com?") and that messages are cryptographically signed by the sending domain's email server(s). I'm oversimplifying a lot but that's the general idea.

    Worth noting is that this tells you nothing about the message, i.e., it's of no value in figuring out if the message is spam or ham. That's because spammers can set up all of this too, and most of them have. It's of no help with the big email providers either: the two biggest sources of spam observed here are Gmail and Outlook, and of course all of those messages pass every one of these checks.

    Which brings me to this problem. And that is: if someone gains control of an email account (or an email server) then they can send whatever they want from it until someone notices and shuts it down. And all of those messages will pass all of these checks -- which means that they're highly likely to be accepted by recipient email servers and highly likely to be read by the addressees. And then it gets worse: some of those addressees are using email clients that check message validity and signal it to the user with a green checkmark or the word "verified" or something like that. So even if the message content seems a little sketchy, that might well be enough to convince the person reading it that it IS legitimate...and then bad things happen.

    We've spent decades trying to train users to be suspicious of anything that doesn't look right -- with mixed results, of course. But the combination of these technologies and email user interfaces that use them is undoing that training. Users are being conditioned to believe what their email client tells them to believe, and this is going to have dire consequences.
    • We've spent decades trying to train users to be suspicious of anything that doesn't look right -- with mixed results, of course. But the combination of these technologies and email user interfaces that use them is undoing that training. Users are being conditioned to believe what their email client tells them to believe, and this is going to have dire consequences.

      If "we" are doing the latter, then "we" are being stupid. We need to keep training our users to be skeptical - they should always first ask "does this pass the smell test?" because no technology is perfect.
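Arrogant-Bastard's comment above describes the second half of the authentication picture: DKIM, where the sending domain's server signs the message. The following is an added example, not code from the article or from any commenter, of the body-hash part of a DKIM check (RFC 6376 "relaxed" body canonicalisation and the bh= tag). It makes his point concrete: the hash binds the content to what the signer saw, so whitespace-only changes still verify while a changed word does not, but nothing in that check says whether the signer's account was legitimately in use. The sample message and DKIM-Signature header are constructed; the b= value is a placeholder, and the signature verification over the headers (which needs the selector's public key from DNS and an RSA or Ed25519 check) is deliberately not attempted.

```python
import base64
import hashlib
import re
from typing import Dict, Tuple


def relaxed_body_canonicalize(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalisation: collapse runs
    of WSP to one space, drop trailing WSP on every line, drop trailing empty
    lines, and terminate a non-empty body with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """The value a signer puts in the bh= tag: base64 of SHA-256 over the
    canonicalised body."""
    digest = hashlib.sha256(relaxed_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' tag list into a dict; folding whitespace inside
    values (as in a wrapped header) is dropped."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_body_hash(dkim_signature: str, body: str) -> Tuple[bool, str]:
    """Verify the bh= tag against the body. Returns (ok, reason).
    The b= signature itself is not checked here (see the lead-in)."""
    tags = parse_dkim_tags(dkim_signature)
    if tags.get("v") != "1":
        return False, "unsupported DKIM version"
    if tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):
        return False, f"unsupported algorithm a={tags.get('a')}"
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "relaxed":
        return False, f"body canonicalisation '{body_canon}' not implemented"
    if "l" in tags:
        # A body-length limit lets content be appended after the signed part;
        # a cautious verifier treats it as a failure rather than honouring it.
        return False, "l= body length limit present; refusing to honour it"
    expected, actual = tags.get("bh", ""), body_hash(body)
    if expected != actual:
        return False, f"bh mismatch: header {expected[:12]}..., computed {actual[:12]}..."
    return True, "body hash matches bh= tag"


# Constructed sample message. The b= value is a placeholder, not a signature.
SAMPLE_BODY = "Hello,\r\n\r\nA sign-in   was   detected on your account.\r\nRegards\r\n\r\n"
SAMPLE_DKIM = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
               "\th=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
               "\tb=PLACEHOLDER_SIGNATURE_NOT_VERIFIED_HERE")

if __name__ == "__main__":
    print("original:   ", check_body_hash(SAMPLE_DKIM, SAMPLE_BODY))
    print("respaced:   ", check_body_hash(SAMPLE_DKIM, SAMPLE_BODY.replace("   ", " ")))
    print("tampered:   ", check_body_hash(SAMPLE_DKIM, SAMPLE_BODY.replace("detected", "NOT detected")))
```

A client that shows a "verified" badge is reporting the outcome of checks like this one plus the header signature; both pass for any message the signing server was willing to send, including one sent from a compromised account.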

  • by oldgraybeard ( 2939809 ) on Sunday May 24, 2026 @01:21PM (#66158542)
    I'm from Microsoft and I'm here to help!
  • I can't be the only one that just laughs when they read stuff like this. If there was any doubt left in your mind that you should switch from Windows to Linux or Apple, just take the dive. You can always run whatever version of Windows in a VM just fine.

    If this is how Microsoft conducts its business, do you really want them in charge of your computer?
