For months, scammers have been exploiting a loophole that lets them send spammy emails from an internal Microsoft email address - the very same one Microsoft uses for legitimate account alerts, because apparently no one thought to lock that door.

It remains unclear exactly how the scammers are abusing the system, but they have managed to set up new Microsoft accounts posing as new customers and use that access to send emails that appear to come from the tech giant itself. Because nothing says “trust us” like a fake email from a real company.

Microsoft does not yet appear to have a handle on the situation. Last week, TechCrunch received several similarly structured emails with scammy subject lines and links, all sent from msonlineservicesteam@microsoftonline.com - the same address Microsoft uses for two-factor authentication codes and other critical alerts. Some subject lines mimicked official fraud alerts; others claimed a private message awaited the recipient at a shady link.
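The practical lesson from the abuse above is that a message passing sender checks for a trusted address says nothing about the links it carries. As an added illustration, not part of the original report, this Python sketch flags mail from the notification address whose links point outside an assumed allowlist of Microsoft domains; the allowlist and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# The notification sender named in the article.
NOTIFICATION_SENDER = "msonlineservicesteam@microsoftonline.com"

# Assumption: domains a genuine Microsoft account alert may link to.
TRUSTED_LINK_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def _host_is_trusted(host: str) -> bool:
    # Exact match or a true subdomain; a lookalike such as
    # "microsoftonline.com.example.net" does not pass.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)

def suspicious_links(raw_message: str) -> list:
    """Return the off-allowlist URLs in a message that claims to come from
    the Microsoft notification address. An empty list means no finding;
    the sender alone is never treated as evidence of legitimacy."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() != NOTIFICATION_SENDER:
        return []            # rule is scoped to this one abused sender
    body_parts = []
    for part in msg.walk():  # handles single-part and multipart mail
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                body_parts.append(payload.decode("utf-8", errors="replace"))
    findings = []
    for url in URL_RE.findall("\n".join(body_parts)):
        host = urlparse(url).hostname or ""
        if not _host_is_trusted(host):
            findings.append(url)
    return findings

# Constructed sample messages (not real captures).
LEGIT = (
    "From: Microsoft <msonlineservicesteam@microsoftonline.com>\n"
    "Subject: Your verification code\n\n"
    "Your code is 123456. Manage settings at https://account.microsoft.com/security\n"
)
SCAM = (
    "From: Microsoft <msonlineservicesteam@microsoftonline.com>\n"
    "Subject: You have a private message\n\n"
    "Read it here: https://login.microsoftonline.com.example.net/msg?id=7\n"
)
```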

On Tuesday, anti-spam non-profit The Spamhaus Project posted that it had spotted this abuse dating back “several months.” “Automated notification systems should not allow this level of customization,” Spamhaus wrote dryly, having notified Microsoft of the issue.

TechCrunch contacted Microsoft earlier this week; a spokesperson acknowledged the inquiry but has not yet commented or confirmed whether the abuse has stopped. This is the latest in a rash of incidents where hackers or scammers have abused company systems to trick customers. Earlier this year, hackers broke into a platform used by fintech firm Betterment to send fraudulent notifications promising to triple crypto users’ funds - a classic scam. And back in 2023, hackers similarly abused an email account run by Namecheap to send phishing emails.

Other users on social media report that other companies’ email addresses are also being used for spam, suggesting Microsoft is not alone in its delightful lack of security.