Cybercriminals have reportedly found a way to misuse an internal Microsoft email account to send scam-filled messages that appear legitimate.
The issue, which has allegedly continued for months, is sparking concerns about how easily trusted systems can be manipulated to deceive users.
According to reports, the emails were sent from a Microsoft-owned address commonly used for important account alerts and security notifications.
The suspicious emails were reportedly sent from msonlineservicesteam@microsoftonline.com, an address Microsoft uses for legitimate account-related communications such as two-factor authentication codes and security alerts.
Recipients said the emails included misleading subject lines and links directing users to suspicious websites. Some messages appeared to warn users about fraudulent account activity, while others claimed the recipient had a private message waiting online.
The formatting of the emails closely resembled official Microsoft notifications, potentially making it difficult for some users to identify the messages as scams.
The issue was also highlighted by The Spamhaus Project, which said in a social media post that Microsoft’s notification system had been abused for “several months.”
Spamhaus criticized the apparent loophole, saying automated notification systems should not allow such customization. The organization also confirmed it had informed Microsoft about the matter.
Microsoft yet to address problem publicly
A spokesperson for Microsoft acknowledged media inquiries regarding the abuse earlier this week but had not publicly commented on whether the company has managed to stop the activity.
It remains unclear exactly how scammers are exploiting the system. Reports suggest attackers may be creating new Microsoft accounts as if they were legitimate customers and then using that access to generate deceptive emails.
The Microsoft-related abuse is the latest in a growing trend of scammers exploiting trusted company systems to target users.
Earlier this year, hackers reportedly breached a platform used by Betterment to send fake cryptocurrency-related notifications designed to steal users’ digital assets.
In 2023, attackers also reportedly abused an email account associated with Namecheap to distribute phishing emails aimed at stealing login credentials.
Users on social media have also claimed that similar spam campaigns are affecting other companies, suggesting the issue may not be limited to Microsoft alone.
The incident highlights the increasing risks associated with trusted email infrastructure being exploited for phishing and spam campaigns. Since users often rely on familiar company email addresses to determine authenticity, such attacks may become harder to detect.
Security experts continue to warn users to avoid clicking suspicious links, even when emails appear to come from legitimate sources.
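As an added defensive illustration (not code from the report, Spamhaus or Microsoft), the check below refuses to treat the From: address alone as proof of legitimacy: when a message claims to come from the abused notification sender, every hyperlink in its body is compared against an assumed list of Microsoft-owned domains, and anything pointing elsewhere is flagged for review. The sender address is the one named in the article; the expected-domain list and the sample message are assumptions constructed for the example.

```python
"""Triage: flag mail from a trusted notification sender whose links go elsewhere."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sender abused in the reported campaign (from the article) and the domains a
# genuine notification from it would be expected to link to (assumption).
TRUSTED_SENDERS = {"msonlineservicesteam@microsoftonline.com"}
EXPECTED_LINK_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")


class _LinkCollector(HTMLParser):
    """Collects href targets of <a> tags from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def _host_allowed(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_links(raw_message: bytes) -> list:
    """Return links whose host is outside EXPECTED_LINK_DOMAINS when the message
    claims to come from a trusted sender; an empty list means nothing to flag."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, addr = parseaddr((msg["From"] or "").strip().lower())
    if addr not in TRUSTED_SENDERS:
        return []  # not the sender this rule covers
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    return [h for h in collector.hrefs
            if not _host_allowed((urlparse(h).hostname or "").lower(), EXPECTED_LINK_DOMAINS)]


# Constructed sample (not a real capture) modelled on the reported lure: a
# trusted From: address, one genuine-looking link and one off-domain link.
SAMPLE = b"""From: Microsoft account team <msonlineservicesteam@microsoftonline.com>
To: user@example.com
Subject: Unusual sign-in activity
Content-Type: text/html; charset=utf-8

<html><body><p>We detected unusual activity on your account.</p>
<a href="https://account.microsoft.com/security">Review activity</a>
<a href="https://login-verify.example.invalid/x">Secure your account now</a>
</body></html>
"""
```

Running `suspicious_links(SAMPLE)` returns only the off-domain link, which is the signal a mail gateway or user-reporting workflow can act on even though the sender header is genuine.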