For several months, scammers have been exploiting a loophole that allows them to send spam emails from internal Microsoft email addresses typically used to send alerts for legitimate accounts.
It’s not clear how scammers are abusing the system, but they can set up new Microsoft accounts as if they were new customers and use that access to send emails from the tech giant itself, potentially fooling people into thinking those emails are real.
Microsoft doesn’t seem to be aware of this issue yet.
Last week, I received a similarly structured email from Microsoft in multiple email accounts with a subject line and a web link to a fraudulent site. These crudely crafted emails were sent from msonlineservicesteam@microsoftonline.com, an email account that Microsoft uses to send important notifications to users, such as two-factor authentication codes and other important warnings about their online accounts.
Some of the subject lines of these emails resembled those of official emails warning users about fraudulent transactions, while others claimed that private messages were awaiting the recipient at the web address given in the email body.

Anti-spam nonprofit The Spamhaus Project also said in a social post Tuesday that it has seen Microsoft account notification email addresses being misused to send spam, and that the activity dates back “several months.”
“Automatic notification systems should not allow this level of customization,” Spamhaus wrote. The nonprofit added that it has notified Microsoft about the issue.
When contacted by TechCrunch earlier this week, a Microsoft spokesperson acknowledged our investigation, but would not yet comment on whether the company had stopped the abuse of account notification emails.
This is the latest incident in recent months in which hackers and fraudsters have exploited company systems to defraud unsuspecting customers. Earlier this year, hackers infiltrated a platform used by fintech company Betterment and sent out fraudulent notifications offering to triple the value of cryptocurrencies users submitted. This is a widely known scam used to steal people’s cryptocurrencies.
Back in 2023, hackers similarly exploited access to email accounts run by Namecheap to send phishing emails aimed at stealing people’s credentials.
Other users have commented on social media that other companies’ email addresses are also being used to send spam, suggesting the problem is not limited to Microsoft.
