Scammers Abuse Microsoft's Internal Email System to Send Phishing Spam
A significant security loophole at Microsoft has allowed scammers to send phishing emails from one of the company's own internal notification addresses for months. The abuse targets [email protected]—the same address Microsoft uses to send critical alerts including two-factor authentication codes and account security notifications. Anti-spam organization The Spamhaus Project confirmed it had observed the abuse dating back several months and had notified Microsoft. The scammers appear to be creating new Microsoft accounts to exploit the notification system, sending emails with subject lines mimicking fraud alerts and private message notifications that link to scam websites. Microsoft acknowledged the issue in a statement saying it is 'actively investigating and taking action against these phishing reports,' including strengthening detection and blocking mechanisms and removing violating accounts. This incident follows a pattern of similar abuses at other companies, including a hack at fintech firm Betterment earlier this year and the 2023 Namecheap email breach.
When the very email address used for security notifications becomes a vector for attacks, it erodes trust in the entire notification system. Organizations relying on Microsoft's email infrastructure for critical alerts should verify through secondary channels.
How are scammers sending emails from Microsoft's own address?
They appear to be creating new Microsoft accounts as if they are new customers, then exploiting the account notification system to send emails that appear to come from Microsoft's legitimate notification address.