Official Microsoft emails can no longer be trusted.
Scammers have found a way to abuse an official Microsoft email address to deliver their scams.
If you’ve received an email from “[email protected],” you may know it as an official address used by Microsoft. Users should nevertheless be cautious, because emails from this address can be scams: scammers have exploited this legitimate address to send fraudulent emails, and they’re increasingly using this tactic.
Recently, several people on social media reported receiving scam emails from the genuine Microsoft address “[email protected].” These emails resemble standard Microsoft communications and use the company’s usual templates. However, their subject lines often promote Bitcoin or third-party websites and include unauthorized phone numbers or web links.
These emails appear legitimate because they really do originate from Microsoft. The company typically uses this address to send notifications such as two-factor authentication codes and account notices. Scammers are injecting their own text into these notifications, so the messages pass the scam and spam filters protecting users’ inboxes.
According to TechCrunch, Microsoft has yet to fix the issue or comment on it, even though it has been ongoing for some time. A report from the cybersecurity firm Abnormal detailed how attackers abuse Microsoft’s notification email system to make it send phishing emails on their behalf.
“The attack begins with the bad actor creating a disposable Microsoft 365 tenant,” explains the report by Abnormal. “The core exploit lies in the Tenant Branding configuration within Microsoft Entra ID. The attacker modifies the ‘Name’ field in Tenant Properties to display a fraudulent financial alert message.”
With the tenant name modified, the attacker requests that the target’s email address be added to the attacker’s account. Microsoft responds by sending the target a verification-code email, and because it includes the tenant name in the subject line, that subject now carries the scammer’s message.
Because the email comes from Microsoft’s trusted address and contains no malicious links or attachments, it passes the usual security checks. As cybercriminals become more resourceful, users should scrutinize every email they receive, even from seemingly legitimate senders.
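Since these messages genuinely come from Microsoft, sender authentication (SPF, DKIM, DMARC) cannot separate them from real notifications; the usable signal is that an automated verification-code subject line should never contain a phone number, a web link or cryptocurrency promotion. The following Python script is an added example, not code from the article, from Microsoft or from Abnormal, showing how a mail administrator could flag such messages. The sender address is a placeholder because the real notification address is redacted on the page, and the two sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# PLACEHOLDER: the real Microsoft notification sender is redacted in the
# article ("[email protected]"); substitute the genuine address in production.
TRUSTED_NOTIFICATION_SENDER = "account-security-noreply@example-placeholder.com"

# Content that a templated verification-code subject line should never contain.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|org|io|xyz|top)\b", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")          # 9+ chars, so a 6-digit code does not match
CRYPTO_RE = re.compile(r"\b(?:bitcoin|btc|crypto|wallet|usdt|ethereum)\b", re.I)


def suspicious_subject_indicators(subject):
    """Return the list of injected-content indicators found in a subject line."""
    indicators = []
    if URL_RE.search(subject):
        indicators.append("url")
    if PHONE_RE.search(subject):
        indicators.append("phone")
    if CRYPTO_RE.search(subject):
        indicators.append("crypto")
    return indicators


def classify(raw_message):
    """Classify one RFC 822 message.

    Only mail from the trusted notification sender is in scope: that is the
    address the attacker borrows, so the check deliberately targets it.
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    if sender != TRUSTED_NOTIFICATION_SENDER:
        return {"verdict": "not_in_scope", "indicators": [], "sender": sender, "subject": subject}
    indicators = suspicious_subject_indicators(subject)
    verdict = "quarantine" if indicators else "allow"
    return {"verdict": verdict, "indicators": indicators, "sender": sender, "subject": subject}


# Constructed sample: what a genuine verification-code notification looks like.
LEGIT_MESSAGE = (
    "From: Account Notifications <account-security-noreply@example-placeholder.com>\n"
    "To: user@example.com\n"
    "Subject: Verify your email address\n"
    "\n"
    "Use this code to verify your email address: 123456\n"
)

# Constructed sample: the same template, but the tenant name injected into the
# subject carries the scammer's text (crypto lure plus a callback number).
INJECTED_MESSAGE = (
    "From: Account Notifications <account-security-noreply@example-placeholder.com>\n"
    "To: user@example.com\n"
    "Subject: Contoso Bitcoin purchase of $499.00 confirmed. Call +1 555 010 0199 to cancel\n"
    "\n"
    "Use this code to verify your email address: 654321\n"
)


def scan(messages):
    """Classify a batch of raw messages and return the verdicts in order."""
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for result in scan([LEGIT_MESSAGE, INJECTED_MESSAGE]):
        print(f"{result['verdict']:11} {result['indicators']!s:20} {result['subject']}")
```

The check is intentionally limited to the subject line: genuine Microsoft notifications legitimately contain links in the body (privacy statement, support pages), so scanning the body for URLs would produce false positives, whereas the subject of a verification-code email is fixed text plus the tenant name and is the only place the injected content appears. A transport rule built on the same logic should quarantine rather than drop, because the message also carries a real verification code that the recipient may not have requested, which is itself worth investigating.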
