For months, fraudsters have been exploiting a loophole that allows them to send spam emails from an internal Microsoft email address commonly used to send legitimate account notifications.
It’s unclear how the fraudsters are abusing the system, but they were able to create new Microsoft accounts as if they were new customers and use that access to send emails purporting to be from the tech giant, potentially tricking people into thinking those emails are genuine.
Microsoft doesn’t seem to have addressed the issue yet.
Last week, I received several similarly structured emails on different email accounts, each containing subject lines and web links to fraudulent sites and purporting to come from Microsoft. These crudely assembled emails were sent from msonlineservicesteam@microsoftonline.com, an email account that Microsoft uses to send users important notifications, such as two-factor authentication codes and other critical notifications about their online account.
Some of the subject lines of these emails looked like official emails warning users of fraudulent transactions, while other emails claimed to have a private message waiting for the recipient at a web address listed in the body of the email.
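Because these messages really do originate from Microsoft's notification sender, authentication checks such as SPF and DKIM are of no help; the only reliable signal is a body link pointing outside Microsoft-owned domains. The filter below is an added example, not code from the article or from Microsoft: the allowlist of link domains and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Sender address the article reports being abused; genuine notices link only to Microsoft domains.
NOTIFICATION_SENDER = "msonlineservicesteam@microsoftonline.com"
# Assumed allowlist of Microsoft-owned link domains; tune for your environment.
TRUSTED_LINK_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com", "office.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def _trusted(host: str) -> bool:
    # Exact match or subdomain of an allowlisted domain; "microsoft.com.evil.test" does not pass.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def _body_text(msg) -> str:
    # Concatenate every text part so links in multipart/alternative mail are seen too.
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts)


def suspicious_links(raw_message: str) -> list[str]:
    """URLs in the body that point outside the trusted domains, but only when the
    mail claims to come from the Microsoft notification address (otherwise [])."""
    msg = message_from_string(raw_message)
    if NOTIFICATION_SENDER not in (msg.get("From") or "").lower():
        return []
    return [u for u in URL_RE.findall(_body_text(msg)) if not _trusted(urlparse(u).hostname or "")]


# Constructed samples mimicking the pattern described in the article (not real messages).
SAMPLE_SPAM = """From: Microsoft account team <msonlineservicesteam@microsoftonline.com>
Subject: Fraudulent transaction detected on your account
Content-Type: text/plain; charset=utf-8

A private message is waiting for you at http://account-verify.example.net/msg?id=42
"""
SAMPLE_GENUINE = """From: msonlineservicesteam@microsoftonline.com
Subject: Your verification code
Content-Type: text/plain; charset=utf-8

Your code is 123456. Manage your account at https://account.microsoft.com/security
"""
```

Flagged messages should be quarantined for review rather than dropped outright, since the same sender also carries real two-factor codes.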
In a social media post on Tuesday, anti-spam non-profit The Spamhaus Project said it had also seen the abuse of the Microsoft account notification email address to send spam, and that the activity dates back “several months”.
“Automated notification systems should not allow this level of customization,” Spamhaus wrote. The nonprofit added that it has informed Microsoft about the issue.
When contacted by TechCrunch earlier this week, a Microsoft representative acknowledged our question, but has yet to comment or say whether the company has stopped the abuse of its account notification email.
This is the latest in a series of incidents in which hackers or fraudsters have abused the company’s systems to trick unsuspecting customers in recent months. Earlier this year, hackers broke into a platform used by fintech company Betterment to send fraudulent alerts that purported to triple the value of any crypto users send — a well-known scam used to steal people’s cryptocurrencies.
Back in 2023, hackers similarly abused access to an email account managed by Namecheap to send phishing emails aimed at stealing people’s credentials.
Other users commenting on social media say that email addresses from other companies are also being used to send spam, suggesting the issue is not limited to Microsoft.