Scammers Exploit Microsoft Email System for Phishing Attacks

Severity: High (Score: 66.0)

Sources: Sea.Mashable, Techbuzz.Ai, www.bleepingcomputer.com, Mashable, Zamin.Uz

Published: 2026-05-21 · Updated: 2026-05-21

Keywords: microsoft, scammers, internal, account, send, spam, email

Summary

Cybercriminals have discovered a method to exploit Microsoft's internal email system, specifically the [email protected] address, to send phishing emails that appear legitimate. This vulnerability allows attackers to send emails that bypass traditional security filters, as they originate from a trusted Microsoft domain. The emails often contain fraudulent financial alerts or links to malicious websites, targeting enterprise customers who rely on Microsoft's notifications. The exact method of exploitation is unclear, but it involves manipulating Microsoft's automated email systems. The Spamhaus Project has confirmed that this issue has been ongoing for several months, and Microsoft has yet to provide a detailed response or fix. Security experts warn that this could lead to significant risks for users who are conditioned to trust Microsoft notifications. The scope of the impact remains uncertain, but it poses a serious threat to organizations using Microsoft services.

Key Points:

  • Scammers are using a legitimate Microsoft email address to send phishing emails.
  • The exploit bypasses traditional security filters, making detection difficult.
  • The Spamhaus Project confirmed the issue has been ongoing for several months.

Detailed Analysis

**Impact** The attack affects Microsoft 365 users globally, including enterprise customers and Fortune 500 companies relying on Microsoft’s email infrastructure. Over 250 Microsoft 365 tenants have been abused to send more than 2,000 unique phishing messages. The scam targets users by delivering fraudulent financial alerts and phishing links from legitimate Microsoft notification emails, risking credential theft, financial fraud, and potential account compromise. Other sectors impacted include domain registrar clients, as seen in a separate phishing campaign targeting Namecheap users.

**Technical Details** Attackers exploit Microsoft Entra ID tenant branding to inject scam messages into system notification emails sent from the legitimate internal address [email protected]. The technique abuses tenant name fields to embed fraudulent content, triggering Microsoft’s automated security info verification emails to targets. Attackers create disposable Microsoft 365 tenants and automate user creation and authentication method configuration via Microsoft Graph PowerShell SDK. Evasion tactics include homoglyph substitutions, regex obfuscation of phone numbers, and “burn-and-churn” tenant cycling. No specific CVEs or malware are mentioned. The attack occurs at the delivery and exploitation stages of the kill chain.

**Recommended Response** Enterprises should implement multi-factor verification for any Microsoft account alerts, including out-of-band confirmation methods, and educate users to scrutinize emails even from trusted Microsoft domains. Security teams should monitor for unusual Microsoft tenant creation and authentication method configurations via Microsoft Graph API logs. Blocking or filtering emails based solely on domain authentication is ineffective; instead, focus on behavioral anomalies and tenant branding changes. Microsoft has not yet released patches or detailed mitigation guidance; defenders should monitor official channels for updates.
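
One way to act on the advice to inspect tenant branding rather than domain authentication, as an added example that does not come from the source articles or from Microsoft: a heuristic that scores the organization name rendered in a notification email. The function names, look-alike map, keyword list and length threshold are assumptions, and extracting the name from the message is left to the mail pipeline.

```python
import re
import unicodedata

# Constructed look-alike map for illustration; not a full confusables table.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",
})
ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")
# Ten or more digit-like characters, each followed by up to three separators.
PHONE = re.compile(r"(?:[0-9OoIl][\s().+\-_*/]{0,3}){10,}")
URL = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|org|info)\b", re.I)
LURE = re.compile(r"\b(?:call|charged|refund|invoice|payment)\b", re.I)
MAX_LEN = 64  # assumed threshold; tune against your own tenants' names


def scripts(text):
    """Return which of LATIN, CYRILLIC, GREEK the letters in text belong to."""
    seen = {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}
    return seen & {"LATIN", "CYRILLIC", "GREEK"}


def tenant_name_findings(name):
    """List the reasons an organization name looks like injected scam content."""
    nfkc = ZERO_WIDTH.sub("", unicodedata.normalize("NFKC", name))
    folded = nfkc.translate(CONFUSABLES)  # match on the de-obfuscated form
    findings = []
    if len(scripts(nfkc)) > 1:
        findings.append("mixed_script")
    # Require 7+ true digits so ordinary words containing O or l do not match.
    if any(sum(c.isdigit() for c in m.group()) >= 7 for m in PHONE.finditer(folded)):
        findings.append("phone_number")
    if URL.search(folded):
        findings.append("url")
    if LURE.search(folded):
        findings.append("lure_keyword")
    if len(name) > MAX_LEN:
        findings.append("too_long")
    return findings


# Constructed sample: Cyrillic "a" (U+0430) inside "call", letter O used as zero.
SAMPLE = "Billing: charged $499, c\u0430ll +1 (8O8) 555-01O2"

if __name__ == "__main__":
    print(tenant_name_findings(SAMPLE))
    print(tenant_name_findings("Contoso Ltd"))
```

A legitimate organization name should return an empty list; any finding on a message that passes SPF, DKIM and DMARC is a reason to quarantine it for review rather than trust the sending domain.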

Source articles (7)

  • Scammers are using an internal Microsoft account to distribute spam — Zamin.Uz · 2026-05-21
    For several months, scammers have been exploiting a vulnerability in an internal Microsoft email address intended for sending official notifications. Criminals have been able to register Microsoft acc…
  • Namecheaps Email Hacked To Send Metamask Dhl Phishing Emails — www.bleepingcomputer.com · 2026-05-21
    Domain registrar Namecheap had their email account breached Sunday night, causing a flood of MetaMask and DHL phishing emails that attempted to steal recipients' personal information and cryptocurrenc…
  • Internal Microsoft account being used to send scams, phishing links — Mashable · 2026-05-21
    If you've ever received an email from "[email protected]," you'll know that this is an official email address used by Microsoft. However, users should be aware that emails from this official Microso…
  • Scam alert: An official Microsoft email is being used for phishing links — Sea.Mashable · 2026-05-21
    If you've ever received an email from "[email protected]," you'll know that this is an official email address used by Microsoft. However, users should be aware that emails fro…
  • Scammers are abusing an internal Microsoft account to send spam links — Techcrunch · 2026-05-21
    For months, scammers have been taking advantage of a loophole that allows them to send spammy emails from an internal Microsoft email address typically used for sending legitimate account alerts. It’s…
  • Scammers are abusing an internal Microsoft account to send spam links — Techbuzz.Ai · 2026-05-21
    Scammers have found a way to weaponize Microsoft's own infrastructure against its users. A newly discovered loophole allows bad actors to send phishing emails from a legitimate Microsoft email address…
  • System Notification Abuse Microsoft Phishing — abnormal.ai · 2026-05-21
    Attackers exploit Microsoft Entra ID to inject malicious messages into legitimate system emails, bypassing authentication and deceiving users. Attackers love exploiting legitimate platforms, using too…

Timeline

  • 2026-05-21 — Scammers exploit Microsoft email system: Cybercriminals use [email protected] to send phishing emails, bypassing security filters.
  • 2026-05-21 — Spamhaus Project confirms ongoing issue: The non-profit organization reported that the abuse of Microsoft's email system has been occurring for several months.
  • 2026-05-21 — Microsoft has not addressed the issue: Despite inquiries, Microsoft has not provided a detailed response or solution to the email abuse problem.

Related entities

  • Phishing (Attack Type)
  • Burn-and-churn (Campaign)
  • Betterment (Company)
  • Microsoft (Company)
  • Namecheap (Company)
  • Azure (Company)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • microsoftonline.com (Domain)
  • obfuscation.by (Domain)
  • onmicrosoft.com (Domain)
  • williford316.onmicrosoft.com (Domain)
  • [email protected] (Email)
  • [email protected] (Email)
  • [email protected] (Email)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Azure AD (Platform)
  • Canva (Platform)
  • Exchange Server (Platform)
  • Microsoft 365 (Platform)
  • Microsoft Entra ID (Platform)
  • Google Drive (Tool)
  • Microsoft Graph PowerShell SDK (Tool)
  • PowerShell (Tool)
  • SendGrid (Tool)
  • Twilio SendGrid (Tool)