Scammers are abusing an internal Microsoft account to send spam links

Brownie2019 (thread author)

Mar 9, 2019
For months, scammers have been taking advantage of a loophole that allows them to send spammy emails from an internal Microsoft email address typically used for sending legitimate account alerts.

It’s not clear how the scammers are abusing the system, but they have been able to set up new Microsoft accounts as if they are new customers, and use that access to send out emails purportedly from the tech giant itself, potentially tricking people into thinking that these emails may be genuine.

Microsoft doesn’t yet appear to have gotten a handle on the issue.

Last week, I received several, similarly structured emails containing subject lines and web links to scammy sites from Microsoft across different email accounts. These crudely made emails were sent from msonlineservicesteam@microsoftonline.com, an email account that Microsoft uses to send important notifications to users, such as two-factor authentication codes and other critical alerts about their online account.
Read more here:
That is a useful heads-up, but it is important not to treat the sender address alone as proof that a message is legitimate.

What this means in practice

If this report is accurate, the main risk is that users may trust an email simply because it appears to come from a genuine Microsoft-owned address. That is exactly why email-based phishing remains effective: people often verify only the visible sender and not the full context.

Why this matters

  • A legitimate-looking sender address does not guarantee a legitimate message
  • Attackers often rely on account abuse, compromised services, or weak validation paths rather than simple spoofing
  • Even if Microsoft’s infrastructure is involved in delivery, the linked destination can still be malicious or fraudulent

Safe takeaway for users

The safest habit is still:

  • Do not trust urgent claims, invoices, login warnings, or prize messages based only on the From field
  • Do not click embedded links in unexpected emails
  • Go directly to the Microsoft account portal manually through your browser if you want to verify anything
  • Check whether the alert also appears inside the official account dashboard or security page
  • Scan any linked files or attachments with reputable security software and services such as VirusTotal before opening them

For people evaluating these emails technically

It would be useful to look at:

  • Full message headers
  • Authentication results such as SPF, DKIM, and DMARC
  • Whether the links redirect through Microsoft-owned domains or go straight to third-party infrastructure
  • Whether this is true internal abuse, a mailing workflow flaw, or a specific onboarding loophole

Without that evidence, it is better not to overstate exactly how the abuse works.

Bottom line

If members start seeing mail from microsoftonline.com with suspicious content, they should treat it as potentially unsafe until verified through official Microsoft channels. A real Microsoft address can still be involved in abuse, so the correct defense is verification, not trust in branding alone.
 
@Bot,

What kind of emails does Microsoft send using the from address msonlineservicesteam@microsoftonline.com? My personal account notifications seem to all come from account-security-noreply@accountprotection.microsoft.com.
Short answer

I cannot verify a complete, official list for msonlineservicesteam@microsoftonline.com, so I would be careful about making firm claims about everything that address is used for.

What is generally seen

Based on user reports and older Microsoft-related notification patterns, addresses under @microsoftonline.com have commonly been associated with Microsoft 365, Azure AD / Entra ID, and organization-managed account notifications, rather than only personal Microsoft account alerts.

That is different from addresses such as account-security-noreply@accountprotection.microsoft.com, which are commonly associated with consumer Microsoft account security notifications.

Practical distinction

In general, the split is often closer to this:


But I would not rely on that as a strict rule, because vendors sometimes use multiple sending domains depending on the service, region, and notification type.

Important caution

The sender address by itself is not enough to validate an email.

Even if msonlineservicesteam@microsoftonline.com is genuinely used by Microsoft for some legitimate notifications, that still does not make every message from that address trustworthy. The correct checks are:

  • Whether you actually expected the message
  • Whether the message appears in your Microsoft account or Microsoft 365 admin portal
  • Whether links go only to legitimate Microsoft-owned pages
  • Whether the full headers show consistent authentication results

Best conclusion

Your observation makes sense: for personal Microsoft accounts, account-security-noreply@accountprotection.microsoft.com is a much more familiar sender for security notifications. msonlineservicesteam@microsoftonline.com appears more likely to be tied to Microsoft’s business/cloud service side, but I cannot confirm an authoritative official usage list for that address.
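The checks listed in both replies above (read the authentication results from the full headers, and look at whether the links stay on Microsoft-owned domains or go to third-party infrastructure) can be scripted so they are applied the same way to every message. The following is an added example written for this thread, not code from the article, from Microsoft, or from the forum bot. It uses only Python's standard library; the list of Microsoft-owned domains is a short illustrative one (an assumption, not an official inventory), the receiving server name mx.example.net and both messages are constructed for the example, and the third-party host is a made-up name under the reserved .test TLD.

```python
"""Triage a suspicious notification email: read the receiving server's
Authentication-Results header and check where the links actually go,
rather than trusting the visible From address."""
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Illustrative list of Microsoft-owned domains (an assumption for this
# example, not an official inventory).
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")

AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def parse_auth_results(msg, authserv_id=None):
    """Map spf/dkim/dmarc to their verdicts ('missing' if absent).

    Authentication-Results headers added before the mail reached your own
    server can be forged by the sender, so when authserv_id is given only
    headers stamped by that server are read."""
    results = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for header in msg.get_all("Authentication-Results", []):
        header = str(header)
        if authserv_id and not header.lstrip().startswith(authserv_id):
            continue
        for mech, verdict in AUTH_RE.findall(header):
            results[mech.lower()] = verdict.lower()
    return results


def extract_links(msg):
    """Collect every http(s) URL from the text/plain and text/html parts."""
    links = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            links.extend(URL_RE.findall(part.get_content()))
    return links


def is_microsoft_host(host):
    """True only for a listed domain or a subdomain of it (so
    microsoft.com.evil.test does not count)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def classify_links(links):
    """Split links into those landing on Microsoft-owned hosts and the rest."""
    own, third_party = [], []
    for url in links:
        host = urlparse(url).hostname or ""
        (own if is_microsoft_host(host) else third_party).append(url)
    return own, third_party


def triage(raw, authserv_id=None):
    """Return the evidence and a verdict for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    auth = parse_auth_results(msg, authserv_id)
    own, third_party = classify_links(extract_links(msg))
    reasons = []
    if any(v != "pass" for v in auth.values()):
        reasons.append("authentication not fully passing: %s" % auth)
    if third_party:
        reasons.append("links leave Microsoft-owned domains: %s" % third_party)
    return {"from": str(msg["From"]), "auth": auth, "microsoft_links": own,
            "third_party_links": third_party,
            "verdict": "suspicious" if reasons else "no obvious red flags",
            "reasons": reasons}


# Constructed sample messages (not real mail). The first mirrors the thread's
# scenario: a genuine sender address that authenticates, with a link elsewhere.
SCAM_SHAPE = """\
From: Microsoft Online Services Team <msonlineservicesteam@microsoftonline.com>
To: user@example.net
Subject: Action required on your account
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=microsoftonline.com; dkim=pass header.d=microsoftonline.com; dmarc=pass header.from=microsoftonline.com
Content-Type: text/plain; charset="utf-8"

Review your account here:
https://account-alerts.example-third-party.test/view?id=123
"""

# Identical except that the link stays on a Microsoft-owned host.
EXPECTED_SHAPE = SCAM_SHAPE.replace(
    "https://account-alerts.example-third-party.test/view?id=123",
    "https://account.microsoft.com/security")

if __name__ == "__main__":
    for label, raw in (("scam shape", SCAM_SHAPE), ("expected shape", EXPECTED_SHAPE)):
        print(label, "->", triage(raw, authserv_id="mx.example.net"))
```

Running it shows the point the thread makes: the first message passes SPF, DKIM and DMARC and is still flagged, purely because its link leaves Microsoft's domains, while the second differs only in the link and raises nothing. The authserv_id filter matters in real use: only the Authentication-Results header written by your own receiving server is trustworthy, since anything above it in the header chain was supplied by whoever handed the mail over.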