Cybersecurity researchers have identified a sophisticated phishing campaign that abuses a legitimate Microsoft email address. The address [email protected] is a genuine Microsoft sender, but scammers have found a way to exploit it for malicious purposes.
The attack method does not involve spoofing the sender domain. Instead, threat actors appear to have gained the ability to send emails through Microsoft’s own email infrastructure using that official address. This makes the phishing emails appear entirely authentic to email security filters and to recipients.
Email authentication protocols such as SPF, DKIM, and DMARC are designed to prevent domain spoofing. However, when a message originates from an authorized server, those checks pass. Recipients see a green verified checkmark or a trusted sender label, which dramatically increases the likelihood of engagement.
The phishing emails typically contain urgent language regarding account security, subscription renewals, or password resets. The goal is to trick recipients into clicking a link that leads to a credential harvesting page. Because the email itself appears to come from Microsoft, victims often bypass normal caution.
How the attack works
Attackers leverage Microsoft’s own email sending services, likely through compromised partner accounts or through misconfigured Microsoft 365 tenants. Once they have control over a legitimate sending pipeline, they craft messages that appear to be official notifications.
The email headers show the sender as [email protected]. This address is commonly used by Microsoft for service alerts and billing communications. The familiarity of the sender name works to the attackers’ advantage.
The malicious links within these emails often point to counterfeit login pages hosted on compromised domains or on newly registered domains that mimic Microsoft properties. Some campaigns use URL shorteners to further obscure the destination.
Implications for domain owners and businesses
This incident underscores the limitations of email authentication technologies. Even rigorous DMARC enforcement cannot prevent abuse when messages originate from an authorized source. Domain owners must therefore adopt additional layers of verification.
For businesses that manage domain registrations and email services, this case highlights the importance of monitoring both inbound and outbound email pipelines. Organizations should implement advanced phishing detection tools that analyze message content and link destinations, not just sender reputation.
Domain owners should also ensure that their own email infrastructure is hardened against unauthorized use. Misconfigured Microsoft 365 tenants or exposed API keys can be exploited by attackers to send validly signed emails that appear to come from trusted senders.
Recommended protective measures
Users who receive an email from [email protected] should examine the message carefully before clicking any links. Microsoft never asks users to provide passwords or payment information via email.
Organizations should enable multi-factor authentication on all administrative accounts, limit the number of users with email sending permissions, and audit email logs regularly for unusual outbound patterns. Security teams should also review DMARC reports for any anomalous sending sources.
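The DMARC review recommended above can be partly automated. The following is an added example, not code from the article or from Microsoft: it parses a constructed DMARC aggregate (RUA) report and flags sources that passed authentication but fall outside a hypothetical allowlist of the tenant's expected sending ranges, which is exactly the pattern this campaign produces (validly authenticated mail from a pipeline the domain owner does not run).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (RUA) report, not a real one: two sources pass
# authentication, one fails and is rejected by the published p=reject policy.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.77</source_ip><count>340</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>192.0.2.200</source_ip><count>5</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

# Hypothetical allowlist: the IP ranges this tenant expects to send from.
EXPECTED_SENDERS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_records(xml_text):
    """Return (source_ip, count, dkim, spf, disposition) per <record>."""
    root = ET.fromstring(xml_text)
    rows = []
    for row in root.iter("row"):
        pol = row.find("policy_evaluated")
        rows.append((row.findtext("source_ip"), int(row.findtext("count")),
                     pol.findtext("dkim"), pol.findtext("spf"),
                     pol.findtext("disposition")))
    return rows


def find_anomalous_sources(xml_text, expected=EXPECTED_SENDERS):
    """Flag sources that passed DMARC (so filters trust them) yet sit outside
    the expected ranges. Outright failures are already handled by the policy;
    the dangerous case is authenticated mail from a pipeline you don't run."""
    flagged = []
    for ip, count, dkim, spf, _disp in parse_records(xml_text):
        addr = ipaddress.ip_address(ip)
        aligned_pass = dkim == "pass" or spf == "pass"
        if aligned_pass and not any(addr in net for net in expected):
            flagged.append((ip, count))
    return flagged


if __name__ == "__main__":
    for ip, n in find_anomalous_sources(SAMPLE_REPORT):
        print(f"unexpected authenticated source {ip}: {n} messages")
```

A real deployment would feed it the gzipped XML attachments delivered to the DMARC rua address and compare against the SPF include ranges actually published for the domain.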
For domain registrants, it is prudent to lock domain settings and enable domain privacy where available. Phishing sites often rely on freshly registered domains with minimal WHOIS visibility. Monitoring domain registration activity for lookalike domains can help identify targeted campaigns early.
Microsoft has not yet issued a formal statement regarding the extent of this compromise or the remediation steps taken. The company typically addresses such vulnerabilities through configuration updates and by revoking compromised credentials internally. Affected users are advised to report suspicious emails to Microsoft’s security team and change any credentials that may have been exposed.