Scammers are misusing an internal Microsoft account to send spam links

For months, hackers have been using a technique that allows them to send spammy emails from an internal Microsoft email address used to send valid account credentials.

It is not clear how hackers are exploiting this system, but they can set up new Microsoft accounts as new customers, and use this opportunity to send emails that come from the tech giant itself, which can trick people into thinking that these emails may be genuine.

Microsoft doesn’t seem to have a problem with this.

Last week, I received several, similarly designed emails with subject lines and web links to fraudulent websites from Microsoft on various email accounts. This cruelly produced Emails were sent from msonlineservicesteam@microsoftonline.coman email account that Microsoft uses to send important information to users, such as two-factor authentication codes and other warnings about their online account.

Some of these email lines resemble legitimate emails that may alert users to scams, while other emails claim to contain confidential messages that await the recipient at the Internet address specified in the email.

In Tuesday’s social media postThe anti-spam non-profit, The Spamhaus Project, said it had seen Microsoft’s account notification email address being misused to send spam, and that the activity had been going on for “several months.”

“Automatic notifications should not allow you to customize them,” Spamhaus wrote. The non-profit added that it had informed Microsoft about the matter.

When contacted by TechCrunch earlier this week, a Microsoft spokesperson acknowledged our inquiry, but did not comment or say whether the company has stopped the misuse of its account notification email.

This is the latest in a series of cases where hackers or hackers have misused company systems to trick unsuspecting customers in recent months. Earlier this year, hackers broke into the platform used by the fintech company Betterment to send fraud alerts which claims to have tripled the value of anyone sending crypto – a common scam used to steal people’s money.

Back in 2023, spoilers so is wrong luck to an email account managed by Namecheap to send phishing emails aimed at identity theft.

Some users commenting on social media say that other companies’ emails are also being used to send spam, suggesting that the issue is not just about Microsoft.