Microsoft account exploited to distribute spam and phishing links
TechCrunch reports that attackers have leveraged a loophole in Microsoft’s systems to send fraudulent emails from an official internal address, a vulnerability confirmed by The Spamhaus Project.

Scammers have exploited a persistent loophole to send spam emails from an internal Microsoft address, specifically [email protected], which is typically reserved for legitimate account alerts. The abuse, which has continued for several months, allows attackers to mimic official notifications, including two-factor authentication codes and fraud alerts. The Spamhaus Project confirmed the issue and notified Microsoft, but the company has not yet commented on whether the vulnerability has been resolved.
TechCrunch reported receiving several similarly structured emails from Microsoft across different email accounts, with subject lines and web links pointing to scammy sites. The emails were crudely made and included claims of private messages waiting for the recipient at a web address mentioned in the email body. Some subject lines resembled official emails alerting users to fraudulent transactions, while others directed recipients to external links.
In a social post on Tuesday, anti-spam non-profit The Spamhaus Project stated that automated notification systems should not allow this level of customization. The non-profit added that it has notified Microsoft of the issue, noting that the activity dated back several months. It remains unclear how the scammers are abusing the system to set up new Microsoft accounts as if they are new customers.
A Microsoft spokesperson acknowledged TechCrunch's inquiry earlier this week but has not yet provided further comment or confirmed whether the abuse has stopped, leaving the status of the fix uncertain for users relying on these alerts for security purposes.
This incident is part of a broader trend of hackers and scammers abusing company systems to trick unsuspecting customers. Earlier this year, hackers broke into a platform used by fintech firm Betterment to send out fraudulent notifications regarding cryptocurrency investments. In 2023, hackers abused access to an email account run by Namecheap to send out phishing emails aimed at stealing credentials. Other users on social media suggest that other companies' email addresses are also being used to send out spam, indicating the issue may not be limited to Microsoft.


