DMR News

Scammers Exploit Microsoft Alert Email Address To Send Spam And Fraud Messages

By Jolyen

May 24, 2026

Scammers have spent months abusing a Microsoft notification system to send spam and fraudulent emails from an internal company address normally used for legitimate account alerts, according to reports from users and anti-spam researchers.

The emails are being sent from the Microsoft account address msonlineservicesteam@microsoftonline.com, which the company typically uses for security notifications such as two-factor authentication codes and account-related alerts.

The abuse has raised concerns because messages arriving from a legitimate Microsoft-owned address may appear trustworthy to recipients and could increase the effectiveness of phishing or scam attempts.

According to TechCrunch, the scam emails contained subject lines and links directing users to suspicious websites.

Some emails resembled warnings about fraudulent financial transactions, while others claimed recipients had received private messages accessible through links included in the email body.

Spamhaus Says Abuse Has Continued For Months

The Spamhaus Project, a nonprofit anti-spam organization, said Tuesday that it had also observed abuse involving Microsoft’s notification email infrastructure.

In a social media post, Spamhaus said the activity had been occurring for “several months.”

“Automated notification systems should not allow this level of customization,” Spamhaus wrote.

The organization also said it had notified Microsoft about the issue.

It remains unclear exactly how scammers are exploiting the system.

According to reports, attackers appear able to create new Microsoft accounts in ways that allow them to customize outgoing notifications and distribute spam messages through Microsoft-controlled email infrastructure.

Microsoft acknowledged TechCrunch’s inquiry regarding the issue earlier this week but had not publicly explained the source of the abuse or confirmed whether the company had stopped it.

Incident Follows Other Cases Of Legitimate Systems Being Abused

The Microsoft incident is part of a broader pattern in which attackers misuse legitimate company infrastructure to distribute phishing emails or fraudulent notifications.

Earlier this year, hackers compromised a platform used by fintech company Betterment to send fraudulent cryptocurrency-related notifications promising unrealistic investment returns.

That scam attempted to trick users into transferring cryptocurrency to attacker-controlled accounts.

In 2023, attackers similarly exploited systems at domain registrar Namecheap to send phishing emails designed to steal customer credentials.

According to social media users discussing the Microsoft incident, similar abuse may also be affecting email notification systems operated by other companies, suggesting the issue extends beyond a single provider.

The reports highlight ongoing challenges companies face in securing automated notification systems that are trusted by users and widely used for account verification and security communications.

