Beware of this Microsoft account: sends spam emails for 2FA codes
Company and consumer anti-spam filters have always relied on a key concept: the reputation of the sending domain. A principled approach that is crumbling as a result of an abuse that Microsoft still seems unable to contain. For several months now, a group of scammers has been exploiting a logical vulnerability in Redmond's systems to send spam and phishing emails directly from an official Microsoft address: [email protected].
We are talking about the institutional mailbox that the company uses for critical communications, like sending two-factor authentication (2FA) codes and security alerts regarding online accounts. Receiving a message from this sender negates certain types of user defenses and, most importantly, bypasses any cybersecurity barrier, as the domain is legitimate and verified by definition.
Spam emails from an official Microsoft account: beware of this address
Although the complete technical details are not yet publicly available, the mechanism of abuse exploits the onboarding procedures of enterprise services. Scammers register normal Microsoft accounts, simulating being new business customers. Once inside the infrastructure, they manage to manipulate the automated notification systems, achieving a level of message customization that should never be granted to an external user. From here, Microsoft’s servers begin to disseminate emails signed by the tech giant that are filled with malicious links.
The intercepted messages feature rather crude yet effective bait, with subjects simulating fraudulent financial transactions or warning of urgent private communications on external portals, in an attempt to push the victim to click on the link. The non-profit organization The Spamhaus Project, a benchmark in tracking global spam activities, has publicly confirmed the anomaly, emphasizing how the illicit activity has been ongoing for months and how the automated notification systems should never allow this degree of text customization. Despite formal reports sent to Microsoft, the company has merely acknowledged the requests for comment without issuing official statements or confirming whether the vulnerability has indeed been closed.
Recently, the fintech platform Betterment was breached to send false notifications regarding cryptocurrency doubling scams, while in 2023, Namecheap experienced the compromise of an official email account that was later used for mass phishing campaigns. User reports on social media platforms indicate that the problem is simultaneously affecting the servers of other providers as well, a sign that the management of permissions on automated notification systems represents a new weak link in corporate security chains.