Thursday, May 21, 2026

Scammers are abusing an internal Microsoft account to send spam links



For months, scammers have been taking advantage of a loophole that allows them to send spammy emails from an internal Microsoft email address typically used for sending legitimate account alerts.

It’s not clear how the scammers are abusing the system, but they’ve been able to set up new Microsoft accounts as if they’re new customers, and use that access to send out emails purportedly from the tech giant itself, potentially tricking people into thinking that these emails may be genuine.

Microsoft doesn’t yet appear to have gotten a handle on the issue.

Last week, I received several similarly structured emails containing subject lines and web links to scammy sites from Microsoft across different email accounts. These crudely made emails were sent from msonlineservicesteam@microsoftonline.com, an email account that Microsoft uses to send important notifications to users, such as two-factor authentication codes and other important alerts about their online account.

Some of these emails’ subject lines resembled official emails that would alert users to fraudulent transactions, while other emails claimed to have a private message waiting for the recipient at a web address mentioned in the email body.

A copy of the spammy email, which comes from "msonlineservicesteam@microsoftonline.com" but contains clearly spammy content.
Image Credits: TechCrunch (screenshot)

In a social post on Tuesday, anti-spam non-profit The Spamhaus Project said it had also seen Microsoft’s account notification email address being abused to send spam, and that the activity dated back “a number of months.”

“Automated notification techniques shouldn’t enable this degree of customization,” wrote Spamhaus. The non-profit added that it has notified Microsoft of the problem.

When contacted by TechCrunch earlier this week, a Microsoft spokesperson acknowledged our inquiry, but has not yet commented or said if the company has stopped the abuse of its account notification email.

This is the latest in a rash of incidents in which hackers or scammers have abused company systems to trick unsuspecting customers in recent months. Earlier this year, hackers broke into a platform used by fintech firm Betterment to send out fraudulent notifications that purported to triple the value of any crypto users send in, a widely known scam used to steal people’s cryptocurrency.

Back in 2023, hackers similarly abused access to an email account run by Namecheap to send out phishing emails aimed at stealing people’s credentials.

Other users commenting on social media say that other companies’ email addresses are also being used to send out spam, suggesting the issue is not limited to Microsoft.
