Scammers are sending phishing emails from a real Microsoft address

In summary:
- PCWorld reports that scammers are exploiting a legitimate Microsoft email address, [email protected], to send convincing phishing emails to users.
- This compromised address typically handles official 2FA codes and account notifications, making fraudulent messages extremely difficult to detect through sender verification alone.
- Users should avoid clicking suspicious email links and instead verify any Microsoft account warnings by directly accessing official Microsoft websites or apps.
For the last several months, scammers have co-opted an internal Microsoft email address (a legitimate address that is used for alerts and notifications) to send scam emails to random people.
First reported by TechCrunch and later resurfaced by a warning from Mimikama (machine translated), these scam emails are sent from [email protected], an address that is normally used to send 2FA codes and other account notices.
And the address isn’t being spoofed: the messages apparently go out through Microsoft’s own notification mechanism, so the sender address is genuine. The links inside these emails look official but lead to phishing pages.
Mimikama explains:
Based on current information, there is considerable evidence to suggest that criminals were indeed able to send messages using a genuine Microsoft sender address. This likely refers to more than just a spoofed display name. Rather, it describes the misuse of a legitimate notification system or an associated account mechanism.
To spot this scam, it’s not enough to hover your mouse pointer over the sender’s address and check whether it belongs to a reputable domain. In this case the sender’s address is legitimate, and because the mail really originates from Microsoft’s systems, the usual sender authentication checks (SPF, DKIM, DMARC) pass as well. You have to judge whether it’s a scam from the content of the email, above all from where its links actually point.
Here’s what you should do
Don’t click on any links in the email. Instead, open the relevant Microsoft services directly via their official website or app. There, you can then check whether there really is a warning, message, or alert for your account. If there isn’t, the email is fraudulent.
You can spot fraudulent emails by a few other red flags, for example subject lines that don’t fit the supposed notification, strange phrasing, and links to unfamiliar domains. Hover over each link (or long-press it on a phone) and look at the real destination rather than the displayed text. It’s always wise to be wary of any email that pressures you or demands urgent action.
Microsoft has been informed and is currently investigating this phishing incident. It’s currently unknown how the attackers are able to send through this genuine email address, and it’s unknown whether only new accounts, specific workflows, or individual notification functions are affected.
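One way to apply these checks in code rather than by eye: the Python script below, added here as an example and not taken from the article, from Mimikama or from Microsoft, parses a raw email, confirms that the sender domain is a trusted one, and then reports where every link in the body really goes, flagging links whose visible text names a trusted host while the actual target is elsewhere. The sample message, the example.com and example.net domains and the `TRUSTED_SUFFIXES` allow list are constructed for illustration; in practice you would list the vendor’s real domains there.

```python
"""Flag links in an e-mail whose real target is not a trusted domain.

Added example, not code from the article or from Microsoft. It shows why a
genuine sender address is not enough: the sender below passes the domain
check, yet one of its links points somewhere else entirely.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow list for this example only. Replace with the vendor's real
# sending and link domains when using this against real mail.
TRUSTED_SUFFIXES = ("example.com",)

# Constructed sample message: a made-up sender on the trusted domain, one
# link whose displayed text looks trusted but whose target is not, and one
# genuine link. No real addresses or hosts are used.
SAMPLE_EML = """\
From: Account Security <account-security-noreply@example.com>
To: someone@example.org
Subject: Unusual sign-in activity
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected something unusual. Review your recent activity:</p>
<p><a href="https://account.example.com.review-activity.example.net/login">https://account.example.com/activity</a></p>
<p>Or visit <a href="https://account.example.com/">your account page</a>.</p>
</body></html>
"""


def host_is_trusted(host, trusted_suffixes):
    """True only if host equals a trusted domain or is a subdomain of it.

    A plain endswith() would accept 'notexample.com' for 'example.com',
    so the separating dot is checked explicitly.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw_message, trusted_suffixes):
    """Return the sender domain, whether it is trusted, and one finding per link."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(content)

    findings = []
    for href, text in collector.links:
        actual_host = urlparse(href).hostname
        # If the visible text is itself a URL, note which host it claims.
        shown_host = urlparse(text).hostname if "://" in text else None
        actual_trusted = host_is_trusted(actual_host, trusted_suffixes)
        findings.append({
            "href": href,
            "actual_host": actual_host,
            "actual_trusted": actual_trusted,
            # Visible text names a trusted host but the link goes elsewhere:
            # the "looks official but is a phishing link" pattern.
            "display_mismatch": bool(shown_host)
                and host_is_trusted(shown_host, trusted_suffixes)
                and not actual_trusted,
        })
    return {
        "sender_domain": sender_domain,
        "sender_trusted": host_is_trusted(sender_domain, trusted_suffixes),
        "links": findings,
    }


if __name__ == "__main__":
    report = analyze_message(SAMPLE_EML, TRUSTED_SUFFIXES)
    print("sender:", report["sender_domain"], "trusted:", report["sender_trusted"])
    for link in report["links"]:
        verdict = "SUSPICIOUS" if not link["actual_trusted"] else "ok"
        print(f"{verdict:10} {link['actual_host']}  mismatch={link['display_mismatch']}")
```

Run it on a saved `.eml` by reading the file into `analyze_message` instead of `SAMPLE_EML`. The point the output makes is the same one the article makes: the sender passes, and only the link targets give the scam away.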
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.