\n<\/p>\n
For months, scammers have been taking advantage of a loophole that allows them to send spammy emails from an internal Microsoft email address typically used for sending legitimate account alerts.<\/p>\n
It\u2019s not clear how the scammers are abusing the system, but they have been able to set up new Microsoft accounts as if they are new customers, and use that access to send out emails purportedly from the tech giant itself, potentially tricking people into thinking that these emails may be genuine.<\/p>\n
Microsoft doesn\u2019t yet appear to have gotten a handle on the issue.<\/p>\n
Last week, I received several, similarly structured emails containing subject lines and web links to scammy sites from Microsoft across different email accounts. These crudely made<\/a> emails were sent from Some of these emails\u2019 subject lines resembled official emails that would alert users to fraudulent transactions, while other emails claimed to have a private messaging waiting for the recipient at a web address mentioned in the email body.<\/p>\n In a social post on Tuesday<\/a>, anti-spam non-profit, The Spamhaus Project, said it had also seen Microsoft\u2019s account notification email address being abused to send spam, and that the activity dated back \u201cseveral months.\u201d<\/p>\n \u201cAutomated notification systems should not allow this level of customization,\u201d wrote Spamhaus. The non-profit added that it has notified Microsoft of the issue.<\/p>\n When contacted by TechCrunch earlier this week, a Microsoft spokesperson acknowledged our inquiry, but has not yet commented or said if the company has stopped the abuse of its account notification email.<\/p>\n This is the latest in a rash of incidents in which hackers or scammers have abused company systems to trick unsuspecting customers in recent months. Earlier this year, hackers broke into a platform used by fintech firm Betterment to send out fraudulent notifications<\/a> that purported to triple the value of any crypto users send in \u2014 a widely known scam used to steal people\u2019s cryptocurrency. <\/p>\n Back in 2023, hackers similarly abused access<\/a> to an email account run by Namecheap to send out phishing emails aimed at stealing people\u2019s credentials.<\/p>\n Other users commenting on social media say that other companies\u2019 email addresses are also being used to send out spam, suggesting the issue is not limited to Microsoft.<\/p>\n<\/div>\n When you purchase through links in our articles, we may earn a small commission<\/a>. This doesn\u2019t affect our editorial independence.<\/em><\/p>\nmsonlineservicesteam@microsoftonline.com<\/code>, an email account that Microsoft uses to send important notifications to users, such as two-factor authentication codes and other critical alerts about their online account.<\/p>\n