FilterHN

Scammers are abusing an internal Microsoft account to send spam links

86 points

by spike021

4 hours ago

| past

| 6 comments

| techcrunch.com

| HN

▲

weinzierl

2 hours ago

[-]

Who even can be sure microsoftonline.com is legit. Microsoft's domain story is such a mess, I wouldn't be surprised if not even internally they have one complete list of all the domain assets they own.

But they are not alone. It is kind of ironic when companies insist that we check the domain to spot spam but are unable publish a list with all domains they officially use to send mail.

▲

Abishek_Muthian

1 hour ago

[-]

Tangent: I used to receive at least a dozen bank scam calls per day in India, especially during insurance renewal. I wanted the banks to publish official phone numbers and mandate their employees to use only official numbers.

Recently the regulatory bodies did just that and so the banks should only use 1600 numbers to contact their customers. My bank scam calls have dropped to 0.

▲

qingcharles

1 hour ago

[-]

Bluesky is even worse, some of their emails come from "moderation@blueskyweb.xyz".

They have to make posts to assure people it's not a scam, especially as they'll ask you to mail ID etc to that address:

https://bsky.app/profile/safety.bsky.app/post/3ljp6zi7tp227

▲

vasco

32 minutes ago

[-]

Sending your id to a social media IS a scam.

▲

jquery

1 hour ago

[-]

At least Bluesky has an excuse of not being a Fortune 50 company. What’s Microsoft’s excuse?

▲

apimade

1 hour ago

[-]

Such a list will never exist in an organisation of this size, with the amount of delegated management and operations required for these functions. In fact, it’s unlikely such a list is even _allowed_ to exist given the sensitive nature of some areas of the business, being a publicly traded company which works directly with regulated entities and governments.

It’d be interesting to hear a senior old-timer from MS to weigh in on their blog about this, and similar/adjacent problems that arise from working across such a colossal entity.

It’s a wonder they ever release anything new, if I’m being completely honest. The amount of governance, hoops, process and procedure across every aspect of their business must be staggering.

▲

10000truths

1 hour ago

[-]

> In fact, it’s unlikely such a list is even _allowed_ to exist given the sensitive nature of some areas of the business, being a publicly traded company which works directly with regulated entities and governments.

If the existence of a domain/subdomain is considered sensitive information, then something has gone very wrong.

▲

inetknght

1 hour ago

[-]

> unable publish a list with all domains they officially use to send mail

That's because people report them as spam, so they hop domains to avoid that.

▲

spike021

2 hours ago

[-]

A while back I had a reservation with a hotel on Booking and I received a phish attempt that came directly via the Booking site domain email and also DMs but "sent" by the hotel. When I looked into it at the time, it seemed less like an issue of hotels specifically having their accounts infiltrated and more like some kind of message/email endpoint on Booking's end was being abused in a similar manner.

I'm not sure this is the same type of issue but found this interesting, especially since apparently it's been reported to MS and no action has been taken.

▲

wnevets

3 hours ago

[-]

Is something similar happening with paypal? I've been getting seemly emails from the PayPal domain that are obviously a scam.

▲

redwall_hp

2 hours ago

[-]

The ones I've seen from PayPal are basically from sending a large request for money to you, then in the freeform text field for the reason, putting fake "if you believe this is a scam, call [actually a scam number]" text.

▲

casty

52 minutes ago

[-]

I can confirm. Interestingly they actually put a random USDC transaction number from Coinbase which was very close (close enough that I thought it was accurate) of a transaction I actually did on Coinbase at one point. I was so confused so I ended up calling the number but immediately realized once they picked up what was going on. Essentially they got really lucky that my actual transaction amount was close enough to seem plausible.

This is a failure on PayPal’s email template that the freeform text field appears just as legit as other items. The text label was something like “Message from Sender”.

▲

duskwuff

43 minutes ago

[-]

> This is a failure on PayPal’s email template that the freeform text field appears just as legit as other items.

This is a somewhat common pattern in scams - abusing freeform text fields in emails or other messages to give the impression that a message is coming from a source that didn't intend to send it.

Another variant I've seen is malicious URLs linking to search engines which display the user's search terms, e.g. a link to a Microsoft site search with a prefilled search of "YOU HAVE A VIRUS, CALL MICROSOFT SUPPORT 555-1212".

▲

MichaelZuo

3 hours ago

[-]

How does it work when a genuine microsoft domain is spending out spam?

Do other email providers penalize that specific domain only, or all microsoft domains to a tiny degree?

▲

lelandbatey

3 hours ago

[-]

The domain is Microsoftonline.com

Typically it's a mis-placed feature. Something like "send an email alert when a thing happens" and they let you control what goes in the message body as well as who the message should be sent towards. Sounds reasonable on the surface, but without guardrails it lets folks send arbitrary emails from your domain.

▲

nippoo

1 hour ago

[-]

I mean, it happened to the FBI... https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-...

▲

ChrisArchitect

1 hour ago

[-]

https://abnormal.ai/blog/system-notification-abuse-microsoft...