Microsoft Notification Email Address Abused by Scammers to Send Phishing Links


Scammers have used an internal Microsoft notification address to send spam and phishing emails. This is worrying because the messages look like real account alerts from Microsoft.

Scammers have been abusing a loophole for months, letting them send spam from an internal Microsoft email address usually used for “legitimate account alerts.” This official address is sending “convincing phishing emails,” and users have seen several suspicious messages recently.

Microsoft address used in suspicious emails

This issue is important because the emails do not come from a random or suspicious address.

TechCrunch reported that the suspicious messages came from msonlineservicesteam@microsoftonline.com, which Microsoft uses for important notifications like two-factor authentication codes and critical account alerts.

Mezha also said this address is used for important notifications to users, including two-factor authentication codes and critical online account messages.

Since the sender looks like Microsoft, people might believe the messages are real. Scammers could set up new Microsoft accounts as if they were new customers and use them to send emails that seemed to come from Microsoft, which could mislead users.

Emails looked like alerts or private messages

The emails followed similar patterns, with subject lines and links to scam websites. Some subject lines looked like official warnings about fake transactions, while others said the recipient had a private message waiting at a link in the email.

This design makes the scam more dangerous than regular spam. Instead of just using fake branding, the messages seem to come from a real Microsoft notification channel, so users are more likely to click links or trust what they see.

Spamhaus warned Microsoft about the abuse

The Spamhaus Project, an anti-spam nonprofit, also noticed this activity.

Spamhaus said in a social post that Microsoft’s account notification email address was being abused to send spam, and that this had been happening for “several months.”

Spamhaus criticized how much customization the system allows, saying automated notification systems should not let users personalize messages that much. The nonprofit also said it had notified Microsoft about the problem.

Microsoft has not yet explained the fix

Microsoft has not yet explained publicly how the abuse happened or if the problem is fully fixed.

A Microsoft spokesperson acknowledged the inquiry earlier this week but has not commented or confirmed whether the company has stopped the abuse of the notification email account.

Without an explanation, important questions remain. It is still unclear how scammers were able to send messages through the notification system, how many users were affected, or if Microsoft has changed its controls for account notification emails.

Company systems are becoming a scam target

This incident fits a broader pattern where attackers abuse trusted company systems instead of only sending fake emails from outside domains.

Recent examples include a case with fintech firm Betterment, where hackers used the platform to send fake notifications linked to a crypto scam, and a 2023 incident with Namecheap, where attackers used an email account to send phishing messages to steal credentials.

Beyond the Betterment and Namecheap cases, users on social networks have reported other companies’ email addresses being used to send spam. This suggests the problem is not limited to Microsoft.

For users, the safest approach is to avoid clicking links in unexpected account alerts, even if the sender looks familiar. For companies, this incident shows the need for stricter controls, better monitoring, and limits on how much new accounts can customize messages in internal notification systems.
