Scammers are abusing an internal Microsoft account to send spam links

Key points

• For months, scammers have been taking advantage of a loophole that allows them to send spammy emails from an internal Microsoft email address typically used for sending legitimate account alerts.
• It’s not clear how the scammers are abusing the system, but they have been able to set up new Microsoft accounts as if they are new customers, and use that access to send out emails purportedly from the tech giant itself, potentially tricking people into thinking that these emails may be genuine.
• Microsoft doesn’t yet appear to have gotten a handle on the issue.
• Last week, I received several, similarly structured emails containing subject lines and web links to scammy sites from Microsoft across different email accounts.
• These crudely made emails were sent from msonlineservicesteam@microsoftonline.com, an email account that Microsoft uses to send important notifications to users, such as two-factor authentication codes and other critical alerts about their online account....