
Inside Job: How Scammers Hijacked Microsoft’s System to Deliver Spam
A major security loophole is allowing digital scammers to exploit Microsoft’s internal infrastructure. For months, bad actors have taken advantage of a system vulnerability that lets them send spam emails directly from an official Microsoft email address. The address in question is normally reserved for legitimate automated account alerts. Because the messages originate from Microsoft’s own infrastructure, they easily slide past traditional spam filters, tricking unsuspecting users into thinking the communication is completely genuine.
It remains unclear exactly how the scammers are manipulating the backend, but they have managed to script a process that sets up new Microsoft accounts as if they are brand new customers. From there, they use an internal notification loop to blast out phishing lures. Microsoft has not yet managed to patch the vulnerability or stop the ongoing abuse.
Tearing Down the Trust Layer
The exploit targets an email account that Microsoft relies on to distribute critical notifications, such as two-factor authentication codes and online account alerts. The specific address used in the attack is msonlineservicesteam@microsoftonline.com. Because the messages are sent from this high-reputation domain, they inherently pass standard email authentication checks such as SPF, DKIM, and DMARC.
The subject lines of the fraudulent messages mimic official system security alerts. Some warn the recipient that they have an unread private message waiting for them, while others instruct users to verify their account details by clicking a link embedded in the body of the email. If a user follows the link, they are taken to an external website designed to harvest credentials or install malicious software.
A Growing Threat to Cloud Infrastructure
On Tuesday, May 19, 2026, the anti-spam non-profit organization Spamhaus flagged the ongoing campaign on social media. The group stated that automated notification systems should never allow this level of open customization by unverified external users. Spamhaus confirmed it reached out to Microsoft directly to report the issue, noting that the malicious activity has been running unchecked for several months. When contacted for a statement, a Microsoft spokesperson acknowledged the inquiry but declined to comment on whether the company has successfully stopped the account notification abuse.
This incident is the latest in a string of attacks where hackers have weaponized legitimate cloud infrastructure to trick corporate users. Earlier this year, attackers broke into a widely used fintech platform to distribute fraudulent notifications that promised to triple users’ cryptocurrency deposits, resulting in massive theft. A similar exploit occurred where threat actors hijacked a trusted corporate email account to blast out credential-harvesting links to thousands of customers.
Security experts warn that traditional email gateway filters are completely blind to this technique because the sending source is technically a trusted platform. As long as tech companies leave their automated onboarding tools open to metadata manipulation, scammers will continue to use their own servers against them.
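Since SPF, DKIM and DMARC all pass on these lures, a defender has to look past sender authentication to the message content itself. The following triage check is an added example, not code from the article or from Microsoft: it parses constructed sample messages, confirms the authentication results, and flags a message from the notification address whose links point outside a hypothetical allowlist of Microsoft domains (the allowlist and the sample messages are assumptions).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The notification sender named in the article; the link allowlist is a
# hypothetical assumption standing in for the domains genuine alerts link to.
NOTIFICATION_SENDER = "msonlineservicesteam@microsoftonline.com"
ALLOWED_LINK_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com"}
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)

def auth_results_pass(msg):
    """True when the receiving gateway recorded spf, dkim and dmarc all as 'pass'."""
    hdr = msg.get("Authentication-Results", "")
    return all(re.search(rf"\b{m}=pass\b", hdr, re.I) for m in ("spf", "dkim", "dmarc"))

def link_hosts(msg):
    """Hostnames of every http(s) URL found in the text parts of the message."""
    hosts = set()
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            hosts.update(h.lower().split(":")[0] for h in URL_RE.findall(text))
    return hosts

def is_allowed(host):
    return any(host == d or host.endswith("." + d) for d in ALLOWED_LINK_DOMAINS)

def triage(raw):
    """Flag an authenticated message from the alert address that links outside the allowlist."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    external = sorted(h for h in link_hosts(msg) if not is_allowed(h))
    authenticated = auth_results_pass(msg)
    return {"sender": sender, "authenticated": authenticated, "external_links": external,
            "suspicious": sender == NOTIFICATION_SENDER and authenticated and bool(external)}

# Constructed sample messages: a lure of the kind described, and a genuine-looking alert.
SAMPLE_LURE = """\
From: Microsoft Online Services Team <msonlineservicesteam@microsoftonline.com>
Subject: Security alert: you have 1 unread private message
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoftonline.com;
 dkim=pass header.d=microsoftonline.com; dmarc=pass header.from=microsoftonline.com
Content-Type: text/plain; charset="utf-8"

Verify your account details here: https://secure-verify.example.net/login
"""
SAMPLE_GENUINE = SAMPLE_LURE.replace(
    "Verify your account details here: https://secure-verify.example.net/login",
    "Your sign-in code is 123456. Review activity at https://account.microsoft.com/security")

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("genuine", SAMPLE_GENUINE)):
        print(name, triage(raw))
```

The same rule can be applied at the gateway as a post-authentication content policy, since it keys on where a trusted sender's links lead rather than on who sent the message.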