For months, scammers have taken advantage of a loophole that allows them to send spam emails from an internal Microsoft email address that is normally used to send alerts from legitimate accounts.
It’s unclear how scammers are abusing the system, but they have been able to set up new Microsoft accounts as if they were new customers and use that access to send emails supposedly from the tech giant itself, which could trick people into thinking these emails may be genuine.
Microsoft still doesn’t seem to have fixed the problem.
Last week, I received several similarly structured emails in different email accounts, containing subject lines and web links pointing to fraudulent Microsoft sites. These crudely made emails were sent from msonlineservicesteam@microsoftonline.com, an email account that Microsoft uses to send important notifications to users, such as two-factor authentication codes and other critical alerts about their online account.
Some of the subject lines of these emails resembled official emails that would alert users to fraudulent transactions, while other emails claimed to have a private message waiting for the recipient at a web address mentioned in the body of the email.

In a social post on Tuesday, The Spamhaus Project, a nonprofit anti-spam organization, said it had also seen the Microsoft account notification email address being abused to send spam, and that the activity dated back “several months.”
“Automated notification systems should not allow this level of customization,” Spamhaus wrote. The nonprofit added that it notified Microsoft about the issue.
When contacted by TechCrunch earlier this week, a Microsoft spokesperson acknowledged our inquiry but has not yet commented or said whether the company has stopped the abuse of its account notification email.
This is the latest in a series of incidents in recent months in which hackers or scammers have abused company systems to deceive unsuspecting customers. Earlier this year, hackers broke into a platform used by financial technology company Betterment to send fraudulent notifications promising to triple the value of any crypto users sent, a widely known scam used to steal people’s cryptocurrencies.
In 2023, hackers similarly abused access to an email account managed by Namecheap to send phishing emails intended to steal people’s credentials.
Other users commenting on social media say that other companies’ email addresses are also used to send spam, suggesting that the problem is not limited to Microsoft.