Scammers Are Sending Phishing Emails from a Real Microsoft Email Address

Phishing scams just got harder to detect. Scammers are now sending fraudulent emails from a legitimate Microsoft email address, bypassing the one safety check most users rely on to verify whether an email is genuine.

Scammers Are Sending Phishing Emails from a Real Microsoft Email Address

For several months, scammers have been exploiting a loophole in Microsoft’s notification system. They are using the address [email protected] to send spam and phishing emails to users across multiple inboxes.

This is not a spoofed address. Microsoft actually uses this email to send official account alerts, including two-factor authentication (2FA) codes and critical security notifications. The scammers appear to have found a way to abuse Microsoft’s own notification infrastructure, sending their messages through the real sender address so recipients see a legitimate Microsoft origin.

TechCrunch first reported the issue after receiving several similarly structured spam emails from this address across different accounts. The anti-spam nonprofit The Spamhaus Project confirmed it had also observed the abuse, noting the activity dated back several months. Spamhaus stated that automated notification systems should not allow this level of customization, and it has since notified Microsoft of the issue.

How Scammers Are Exploiting Microsoft’s System

The exact method is still under investigation, but current evidence points to a specific approach. Scammers appear to be creating new Microsoft accounts as if they are ordinary customers and then using that account access to send emails that route through Microsoft’s official notification system.

Because the sender address is genuine, standard email authentication checks pass without flagging the message. Most email clients and spam filters rely heavily on sender verification, so emails arriving from [email protected] receive trusted status by default.

Cybersecurity researchers at Mimikama described the attack as the misuse of a legitimate notification system or an associated account mechanism, noting it goes beyond a spoofed display name (via PCWorld). The real sender infrastructure is being used, not just imitated.

Why This Attack Is Harder to Spot Than Typical Phishing

Traditional phishing advice tells users to hover over the sender’s address and confirm it belongs to a legitimate domain. That advice fails completely against this attack. The domain is real, the address is real, and the email passes authentication checks most security tools perform automatically.

The subject lines in these fraudulent emails also mirror language Microsoft uses in genuine security alerts. Some emails warn recipients about suspicious transactions. Others claim a private or confidential message is waiting at a link in the email body. Both approaches create urgency and push users toward clicking without thinking.

This makes the attack significantly more convincing than typical phishing attempts. AI security scams have already made email fraud harder to detect in 2026, and this Microsoft loophole adds another layer of difficulty for everyday users.

The FBI has separately warned about sophisticated campaigns targeting Microsoft users. The FBI warned about Kali365, a phishing-as-a-service platform built to hijack Microsoft 365 accounts without stealing passwords or intercepting MFA codes. These campaigns now operate alongside the Microsoft notification address abuse, giving scammers multiple angles to target the same users.

How to Protect Yourself

Since you cannot rely on the sender address to detect this scam, you need to shift your focus to the email’s content and how you respond to it.

Do not click any links in the email. Instead, open Microsoft’s official website or app directly and check whether any alerts or warnings exist on your actual account dashboard. If no alert appears there, the email is fraudulent.

Watch for these red flags in the email content:

  • Subject lines that create urgency or warn of suspicious activity you did not initiate
  • Links pointing to unfamiliar domains or URLs that do not belong to Microsoft
  • Requests to verify a transaction you have no record of
  • Messages claiming a private or confidential document is waiting at a link

If you receive one of these emails and accidentally click a link, change your Microsoft account password immediately and review recent account activity for any unauthorized access. Users who find themselves locked out after interacting with a suspicious email can follow the steps in How to Fix Microsoft Account Locked Out of Outlook and Recover Your Emails.

If your inbox stops receiving messages after clicking a suspicious link, the guide on how to fix Outlook not receiving emails on laptop and phone covers quarantine checks, rule audits, and sync fixes.

Microsoft’s Response

Microsoft released a statement after TechCrunch made contact, later picked up by Windows Central:

“We are actively investigating and taking action against these phishing reports to help keep customers protected. This includes further strengthening our detection and blocking mechanisms, while removing accounts that violate our Terms of Use.”

The company has not disclosed the technical details of the loophole or provided a timeline for a permanent fix. It is currently unclear whether only new accounts, specific workflows, or individual notification functions are affected.

Microsoft has been dealing with a wider range of email-related security problems recently. The company confirmed an Exchange Online bug that flags legitimate emails as phishing, forcing messages into quarantine and disrupting delivery for organizations worldwide. The notification address abuse is a separate issue but compounds the overall trust problem users face when evaluating emails that appear to come from Microsoft.

This incident also fits a broader pattern beyond Microsoft. Earlier in 2026, hackers breached a platform used by fintech firm Betterment to push fraudulent crypto notifications. In 2023, attackers abused Namecheap’s email account to send credential-harvesting phishing emails. Social media reports now suggest other companies’ notification addresses are also being abused, which means the loophole may not be limited to Microsoft.

Coordinated phishing campaigns like this one also serve as the entry point for larger attacks. Research into how ransomware chooses its victims shows that most intrusions begin with opportunistic phishing rather than targeted technical exploits, which makes staying alert to emails like these a meaningful first line of defense.

FAQs

Is [email protected] a real Microsoft email address?

Yes. Microsoft uses this address to send 2FA authentication codes and official account notifications. Scammers are currently abusing it to deliver phishing emails, which makes their messages significantly harder to identify as fraudulent by checking the sender alone.

How can I tell if a Microsoft email is a phishing scam?

Do not rely on the sender address alone. Check whether the email creates false urgency, contains links to non-Microsoft domains, or references transactions you did not initiate. Go directly to your Microsoft account dashboard to verify any alerts instead of clicking links in the email.

What should I do if I clicked a phishing link from a Microsoft email address?

Change your Microsoft account password immediately. Enable two-factor authentication if it is not already active. Review recent sign-in activity for unauthorized access and revoke any sessions you do not recognize.

Is Microsoft working on a fix for this phishing loophole?

Microsoft confirmed it is investigating and has begun removing accounts that violate its Terms of Use. No technical fix or timeline has been publicly announced.

Has this phishing scam affected other companies too?

Social media reports indicate other companies’ notification email addresses are also being abused to send spam, which suggests the loophole extends beyond Microsoft’s systems.

Can spam filters catch these phishing emails?

Standard spam filters that rely on sender address verification cannot catch these emails because the sender address is legitimate. Content-based filtering and personal vigilance are currently the most reliable defenses.

Related Cybersecurity

Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply