Spam
Cybercriminals have found a way to bypass security controls by exploiting a loophole that allows them to send spam and deceptive links directly from an official internal Microsoft email address. The compromised address is typically reserved for critical user notifications and account security alerts. [1, 2]
While the exact mechanism of the exploit remains unclear, scammers are reportedly setting up new Microsoft accounts as if they were genuine corporate clients. This access grants them the ability to distribute emails under the authoritative address msonlineservicesteam@microsoftonline.com. Because the messages originate from a legitimate tech giant domain, unsuspecting users are highly susceptible to believing the correspondence is authentic. [1, 2, 3]
The fraudulent emails frequently utilize subject lines designed to mimic official security warnings, such as urgent notices regarding suspicious transactions or alerts about private messages waiting for the recipient. In reality, these messages contain embedded links driving traffic to malicious, scam-ridden websites. [1, 2]
The Spamhaus Project, a prominent anti-spam non-profit organization, confirmed the ongoing abuse and noted that the activity has persisted for several months. "Automated notification systems should not allow this level of customization," the organization stated, confirming they have flagged the issue to Microsoft. When pressed for comment, a Microsoft spokesperson acknowledged the situation but refrained from detailing any remediation efforts or confirming if the exploit had been patched. [1, 2, 3]
This incident highlights a growing and dangerous trend where threat actors hijack trusted corporate infrastructure to conduct social engineering campaigns. Earlier this year, hackers compromised the systems of fintech platform Betterment to push fraudulent crypto promotions. Similarly, a past breach at domain registrar Namecheap allowed bad actors to send credential-harvesting phishing emails directly from the company’s infrastructure. Security monitors warn that this tactic is expanding across multiple industries, making traditional email verification filters less reliable for everyday consumers. [1, 2, 3, 4]