Scammers have been sending spam and scam links from [email protected], a real Microsoft account-alert address used for legitimate security notifications. The abuse matters most for Microsoft account holders and enterprise security teams because the messages do not merely mimic Microsoft — they appear to come through a trusted Microsoft sender, according to TechCrunch.
The activity has been running for “several months,” according to The Spamhaus Project, and Microsoft says it is now investigating phishing reports tied to the issue. The company has not publicly explained the loophole, the scale of affected users, or when the abuse will be fully contained.
Microsoft users are seeing scam links from a real account-alert address
The abused address, [email protected], is not an obvious throwaway sender. TechCrunch reports Microsoft uses it for important account notifications, including two-factor authentication codes and critical online account alerts.
That makes the campaign harder to dismiss at a glance. If the sender looks like a Microsoft-controlled address, why would an ordinary user treat it like a random phishing email?
TechCrunch said it received several similarly structured messages last week across different email accounts. The emails included subject lines and web links pointing to scammy sites. Some subject lines resembled official warnings about fraudulent transactions, while others claimed the recipient had a private message waiting at a web address listed in the email body.
The apparent abuse path is still murky. TechCrunch reported that scammers appear able to set up new Microsoft accounts as if they are new customers, then use that access to send emails that look like they came from Microsoft. The reporting does not establish exactly how the system is being manipulated.
Spamhaus publicly flagged the issue Tuesday and said the activity dated back “several months.”
“Automated notification systems should not allow this level of customization,” wrote Spamhaus.
Microsoft initially acknowledged TechCrunch’s inquiry but did not comment by press time. After publication, the company provided a statement through Emelia Katon, representing Microsoft via a third-party public relations agency.
“We are actively investigating and taking action against these phishing reports to help keep customers protected. This includes further strengthening our detection and blocking mechanisms, while removing accounts that violate our Terms of Use.”
Security teams lose a simple phishing test when the sender is legitimate
The obvious danger is trust. Users are trained to check the sender address. In this case, that check can fail because the email can appear to come from an address Microsoft actually uses.
For enterprises, the concern is sharper. Security teams often treat Microsoft account-alert emails as high-priority operational messages. If attackers can push scam links through a trusted notification channel, then user training, allowlists, and automated filtering rules may need tighter assumptions.
The reporting so far does not say the messages delivered malware or stole credentials. But the risk path is clear: a recipient who trusts the sender could click into a scam site, a fake Microsoft login page, a payment lure, or another attacker-controlled destination. TechCrunch specifically reported links to scammy sites and subject lines that resembled fraud alerts or private-message prompts.
This is different from ordinary spoofing. In spoofing, the attacker pretends to be Microsoft from outside Microsoft’s systems. Here, the issue described by TechCrunch is abuse of a Microsoft notification mechanism itself.
That distinction matters because filters may treat authenticated or familiar infrastructure differently from unknown senders. The article does not say which authentication checks the emails passed, but the sender identity alone raises the practical burden on recipients and mail administrators.
The incident also lands amid separate Microsoft-related scrutiny. MLXIO has recently covered unrelated Microsoft security and platform issues, including Microsoft Defender Zero-Days Hand Hackers SYSTEM Keys and YellowKey Bypasses BitLocker, Microsoft Has No Patch. Those reports are separate from this email-abuse case, but they underscore why readers are watching Microsoft’s security handling closely.
A pattern beyond Microsoft
TechCrunch tied the Microsoft incident to other recent cases where attackers abused legitimate company systems rather than only impersonating brands from the outside.
Earlier this year, hackers broke into a platform used by Betterment to send fraudulent notifications promising to triple the value of crypto users sent in — a known scam format used to steal cryptocurrency. In 2023, hackers also abused access to an email account run by Namecheap to send phishing emails aimed at stealing credentials.
TechCrunch also reported that social media users said other companies’ email addresses are being used to send spam, suggesting the issue may not be limited to Microsoft. The article does not verify those other reports in detail.
Microsoft account holders should stop clicking alert links by reflex
For end users, the safest move is simple: do not click links in unexpected Microsoft account-alert emails, even if the sender looks familiar. Navigate directly to Microsoft’s official website or account portal instead.
That advice is less convenient, but it cuts out the attacker-controlled link. If an email claims there was a fraudulent transaction, a private message, or urgent account action, verify it from inside the account after typing the address yourself or using a trusted bookmark.
Practical steps now:
- Check account activity: Review recent sign-ins from Microsoft’s official account security page.
- Keep MFA on: Do not disable multifactor authentication because an email claims it is causing a problem.
- Report suspicious messages: Use your email client’s phishing-reporting flow or Microsoft’s reporting tools.
- Avoid embedded links: Treat links in unexpected Microsoft-branded alerts as untrusted until verified elsewhere.
IT teams should also review mail logs for unusual Microsoft-branded notification campaigns and warn employees that sender checks alone may not be enough. Link-scanning rules and user-awareness guidance should account for the possibility of messages arriving from legitimate-looking Microsoft infrastructure.
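The triage the paragraph above describes, and the spoofing-versus-abuse distinction drawn earlier, can be put into code: apply the classic sender-and-authentication check first, then judge the messages that pass it by where their links actually point. The script below is an added example written for this page; it is not code from the article, TechCrunch, Spamhaus or Microsoft. The alert sender address, the allowlisted link domains and the three sample messages are constructed placeholders (the real address is redacted in this copy of the article), and the SPF/DKIM/DMARC results are read from a plain Authentication-Results header as a mail gateway would have written it.

```python
"""Triage branded account alerts by where their links actually point.

Added example, not code from the article or from Microsoft. The lesson of
the story is that the sender address, and the SPF/DKIM/DMARC results that
come with mail sent from real vendor infrastructure, can all look right
while the link in the body is attacker-controlled. Every host named below
(sender, allowlist, samples) is a constructed placeholder to replace.
"""
import re
import textwrap
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the vendor notification sender you expect alerts from (placeholder;
# the real address is redacted in this copy of the article).
ALERT_SENDER = "account-alerts@notifications.example"

# Assumed allowlist of domains a genuine alert from that sender may link to.
# Populate it from the vendor's documented domains; anything else is off-brand.
TRUSTED_LINK_DOMAINS = {"example.com", "account.example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _link_allowed(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def triage(raw: str) -> dict:
    """Classify one raw RFC 5322 message that already looks like a branded alert."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    authenticated = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    hosts = {urlparse(u.rstrip(".,)")).hostname for u in URL_RE.findall(_body_text(msg))}
    offbrand = sorted(h for h in hosts if h and not _link_allowed(h))

    if sender != ALERT_SENDER or not authenticated:
        verdict = "fails-sender-check"            # ordinary spoof: the old advice still works
    elif offbrand:
        verdict = "trusted-sender-offbrand-link"  # the article's case: the sender check passes
    else:
        verdict = "on-brand"
    return {"subject": msg.get("Subject", ""), "sender": sender,
            "authenticated": authenticated, "offbrand_hosts": offbrand, "verdict": verdict}


SAMPLE_MESSAGES = [
    # Constructed: a genuine alert whose only link stays on an allowlisted domain.
    textwrap.dedent("""\
        From: Account Alerts <account-alerts@notifications.example>
        Subject: New sign-in to your account
        Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass

        Review the sign-in at https://account.example.com/activity if it was not you.
        """),
    # Constructed: the pattern in the article. Same real sender, authentication
    # passes, fraud-alert subject line, but the link leaves the vendor's domains.
    textwrap.dedent("""\
        From: Account Alerts <account-alerts@notifications.example>
        Subject: Fraudulent transaction detected - action required
        Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass

        Dispute the charge here: https://secure-refund.example.net/verify?id=12345
        """),
    # Constructed: a classic lookalike spoof that the sender check alone catches.
    textwrap.dedent("""\
        From: Account Alerts <account-alerts@notifications-example.co>
        Subject: You have a private message waiting
        Authentication-Results: mx.corp.example; spf=fail; dkim=none; dmarc=fail

        Read it at https://inbox-notice.example.net/msg
        """),
]


def triage_all(raw_messages=SAMPLE_MESSAGES) -> list:
    return [triage(raw) for raw in raw_messages]


if __name__ == "__main__":
    for r in triage_all():
        print(f"{r['verdict']:28} {r['sender']:42} {r['subject']}")
        if r["offbrand_hosts"]:
            print("    off-brand link hosts:", ", ".join(r["offbrand_hosts"]))
```

Run against a mailbox export, the middle verdict is the one worth an alert: the sender and authentication checks that most training and filter rules rely on pass, and only the link destination gives the message away. The allowlist is the tuning knob; keep it to the vendor's documented domains rather than anything that merely contains the brand name.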
The immediate watch item is Microsoft’s next disclosure. The company has said it is investigating and removing violating accounts, but it has not yet explained the loophole, confirmed whether the abused mechanism has been disabled, or published detailed customer guidance. Until that changes, Microsoft alerts deserve verification before action — especially when they ask users to click.
Impact Analysis
- Scammers are exploiting trust in a real Microsoft sender address, making phishing emails harder for users to spot.
- Microsoft account holders may be more likely to click malicious links if alerts appear to come from a legitimate security-notification account.
- Enterprise security teams may need to adjust filtering and user guidance because sender authenticity alone may not be enough to verify these messages.