Skip to content
Tech News
← Back to articles

Scammers are abusing an internal Microsoft account to send spam links

2026-05-24 | original
read original get Microsoft Security Awareness Kit → more articles
Why This Matters

Scammers are exploiting a loophole in Microsoft's internal email system to send fraudulent messages that appear legitimate, posing a significant security risk for consumers and the tech industry. This highlights vulnerabilities in automated notification systems and underscores the need for stronger safeguards against abuse. The ongoing issue emphasizes the importance of vigilance and improved security measures in corporate communication channels.

Key Takeaways

For months, scammers have been taking advantage of a loophole that allows them to send spammy emails from an internal Microsoft email address typically used for sending legitimate account alerts.

It’s not clear how the scammers are abusing the system, but they have been able to set up new Microsoft accounts as if they are new customers and use that access to send out emails purportedly from the tech giant, potentially tricking people into thinking these emails are genuine.

Microsoft doesn’t yet appear to have gotten a handle on the issue.

Last week, I received several, similarly structured emails containing subject lines and web links to scammy sites from Microsoft across different email accounts. These crudely made emails were sent from [email protected] , an email account that Microsoft uses to send important notifications to users, such as two-factor authentication codes and other critical alerts about their online account.

Some of these emails’ subject lines resembled official emails that would alert users to fraudulent transactions, while other emails claimed to have a private message waiting for the recipient at a web address mentioned in the email body.

Image Credits:TechCrunch (screenshot)

In a social post on Tuesday, anti-spam nonprofit The Spamhaus Project said it had also seen Microsoft’s account notification email address being abused to send spam and that the activity dated back “several months.”

“Automated notification systems should not allow this level of customization,” wrote Spamhaus. The nonprofit added that it has notified Microsoft of the issue.

When contacted by TechCrunch earlier this week, Microsoft acknowledged our inquiry but did not comment by press time.

In a statement provided after publication by Emelia Katon, representing Microsoft via a third-party public relations agency, the company said: “We are actively investigating and taking action against these phishing reports to help keep customers protected. This includes further strengthening our detection and blocking mechanisms, while removing accounts that violate our Terms of Use.”

... continue reading

Explore topics: microsoft phishing spam microsoftonline account security
Related:
Microsoft open-sources "the earliest DOS source code discovered to date"
The FBI Wants 'Near Real-Time' Access to US License Plate Readers
AI cost crisis hits tech giants as employee 'tokenmaxxing' backfires, sparking corporate pullback at Microsoft, Meta, and Amazon — agentic AI eats up to 1000x more tokens than standard AI
Microsoft’s new responsible tech lead on how to humanize high-speed AI development
US tech firms share Dutch regulator officials' names with Senate

© 2026 GoKawiil

About | Editorial Policy | Contact