Scammers Abuse Microsoft Account

For months, scammers have been taking advantage of a loophole to send spammy emails from an internal Microsoft email address. The emails are sent from msonlineservicesteam@microsoftonline.com, an account typically used for sending important notifications to users.

Abuse of Microsoft Account

Scammers have been able to set up new Microsoft accounts and use that access to send out emails purportedly from the tech giant itself. The emails contain subject lines and web links to scammy sites, potentially tricking people into thinking they are genuine. Some emails resemble official emails that would alert users to fraudulent transactions, while others claim to have a private messaging waiting for the recipient at a web address mentioned in the email body.

Response from Microsoft and Others

Microsoft doesn't yet appear to have gotten a handle on the issue. Spamhaus, a non-profit, has notified Microsoft of the issue and commented that 'Automated notification systems should not allow this level of customization.' A Microsoft spokesperson acknowledged an inquiry but has not yet commented or said if the company has stopped the abuse of its account notification email.

Key points

• Scammers are sending spam emails from a Microsoft internal account, msonlineservicesteam@microsoftonline.com.
• The emails appear to be legitimate account alerts, but contain links to scammy sites.
• Spamhaus has notified Microsoft of the issue and commented on the vulnerability of automated notification systems.
• The issue is not limited to Microsoft, as other companies' email addresses are also being used to send out spam.
• This is the latest in a rash of incidents in which hackers or scammers have abused company systems to trick unsuspecting customers.