Scammers Exploit Microsoft's Account Notification Address to Blast Phishing Emails
Spammers have spent months abusing msonlineservicesteam@microsoftonline.com — the internal address Microsoft uses to deliver 2FA codes and account alerts — to push phishing links from a sender domain users are trained to trust. The mechanism isn’t fully understood, but attackers appear to be registering fresh Microsoft accounts and leveraging the resulting notification flow to inject custom subject lines and body content that mimic fraud warnings or private-message alerts.
Anti-spam group Spamhaus confirmed the activity stretches back several months and faulted Microsoft for letting an automated notification system accept that level of attacker-controlled customization. Microsoft initially didn’t respond, then said it is investigating, tightening detection, and removing offending accounts.
The incident fits a recurring pattern of attackers hijacking legitimate transactional email channels — Betterment’s notification platform and a Namecheap email account were abused the same way in prior years — because messages from trusted infrastructure bypass both spam filters and user skepticism. Commenters report similar abuse of other vendors’ notification addresses, suggesting the underlying problem is industry-wide neglect of output sanitization in automated mail pipelines.
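The output-sanitization point above, as an added example (not Microsoft's code, and not from the original article): a hypothetical notification pipeline that treats the display name chosen at account registration as untrusted, keeps the subject line fixed, strips URLs and line breaks from the field before it is rendered, and flags registrations whose name reads like a phishing lure. All names, patterns and sample inputs are constructed for illustration.

```python
import re

# Constructed for this example: the one field an attacker controls (the
# registered display name) must never become the subject or carry a link.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|org|io|ru|xyz)\b")
LURE_RE = re.compile(r"(?i)(fraud|suspicious|urgent|private message|verify your account|click)")
SUBJECT_TEMPLATE = "Your verification code"   # fixed; never built from user input
MAX_NAME_LEN = 40


def sanitize_display_name(raw: str) -> str:
    """Reduce an untrusted display name to something safe to embed in mail."""
    name = URL_RE.sub("", raw)                 # no links or bare domains
    name = re.sub(r"[\r\n\t]+", " ", name)     # no header/body line injection
    name = re.sub(r"\s{2,}", " ", name).strip()
    name = name[:MAX_NAME_LEN]                 # no paragraph-length "messages"
    return name or "user"


def render_notification(display_name: str, code: str) -> dict:
    """Render the 2FA mail; the subject is a constant, the body a fixed template."""
    safe = sanitize_display_name(display_name)
    body = (f"Hi {safe},\nyour code is {code}.\n"
            "If you did not request this, you can ignore this message.")
    return {"subject": SUBJECT_TEMPLATE, "body": body}


def looks_like_abuse(raw: str) -> bool:
    """Detection hook: flag a registration whose display name is a lure, not a name."""
    return bool(URL_RE.search(raw) or LURE_RE.search(raw) or len(raw) > MAX_NAME_LEN)


if __name__ == "__main__":
    # Constructed attacker-style input mimicking a fraud warning with a link.
    lure = "FRAUD ALERT: someone used your card, verify at http://evil.example/login"
    print(looks_like_abuse(lure))               # True
    print(render_notification(lure, "123456"))  # fixed subject, link stripped
```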
Source: Hacker News. This is an AI-generated summary; read the original for the full story.