Scammers are abusing an internal Microsoft account to send spam links
Recorded: May 24, 2026, 1:59 a.m.
| Original | Summarized |
Scammers are abusing an internal Microsoft account to send spam links Zack Whittaker 4:42 AM PDT · May 21, 2026
For months, scammers have been taking advantage of a loophole that allows them to send spammy emails from an internal Microsoft email address typically used for sending legitimate account alerts. Microsoft doesn’t yet appear to have gotten a handle on the issue. Back in 2023, hackers similarly abused access to an email account run by Namecheap to send out phishing emails aimed at stealing people’s credentials.
Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security. |
Scammers have been exploiting a loophole to send spam links from an internal Microsoft email address typically used for legitimate user notifications, such as two-factor authentication codes and critical account alerts. The method involves scammers setting up new Microsoft accounts and using this access to send emails that purport to originate from the tech giant, aiming to deceive recipients into believing the messages are authentic. This exploitation targets internal Microsoft notification addresses, such as msonlineservicesteam@microsoftonline.com, which is designated for important user alerts. The issue has been highlighted by external organizations; the Spamhaus Project observed that the abuse of Microsoft's account notification email address for sending spam dates back several months and commented that automated notification systems should not permit this level of customization. The Spamhaus Project has notified Microsoft regarding this vulnerability. In response to reports, Microsoft acknowledged the inquiry from TechCrunch but did not provide immediate comment. However, Emelia Katon, representing Microsoft via a third-party public relations agency, subsequently stated that the company is actively investigating and taking action against these phishing reports. This action includes strengthening detection and blocking mechanisms and removing accounts that violate Microsoft's Terms of Use. This incident is part of a pattern where hackers or scammers abuse company systems to target unsuspecting customers, referencing earlier examples such as hackers exploiting a fintech platform to send fraudulent cryptocurrency notifications and another instance where access to a Namecheap email account was used to distribute phishing emails to steal credentials in 2023. The situation suggests that this vulnerability is not isolated to Microsoft, as other company email addresses have also been reported as being used for spam distribution. |