<![CDATA[❗ We’ve observed a scammer clearly abusing Microsoft's 'msonlineservicesteam@microsoftonline[.]]>❗ We’ve observed a scammer clearly abusing Microsoft's 'msonlineservicesteam@microsoftonline[. ]com' for spam distribution.

The header and message body appear completely legitimate - the abuse is happening through injection into the Subject:

️ Here's an example:
"Your PayPal order for 0.0092 BTC ($699.99) is complete. Not you? Call +1 (803) 237-5050 account email verification code."

At this point, it appears the attacker may have simply set the malicious text as either the account name or the organization name.

This also appears to line up with what @zackwhittaker TechCrunch Security Editor identified last week:
https://mastodon.social/@zackwhittaker/116562360000833298

....although the activity we’re seeing appears to stretch back several months.

Takeaway: automated notification systems should not allow this level of customization.

Microsoft has been informed of this abusive activity.

Link Preview Image
]]>https://board.circlewithadot.net/topic/daf42584-63aa-48ea-afe8-2b7ce41fb049/we-ve-observed-a-scammer-clearly-abusing-microsoft-s-msonlineservicesteam@microsoftonline-.RSS for NodeMon, 25 May 2026 12:11:27 GMTTue, 19 May 2026 12:36:30 GMT60<![CDATA[Reply to ❗ We’ve observed a scammer clearly abusing Microsoft's 'msonlineservicesteam@microsoftonline[. on Wed, 20 May 2026 14:14:13 GMT]]>@spamhaus @GossiTheDog @zackwhittaker same as calendly emails, and as sharepoint and gmail shared document links before them, etc etc etc repeat ad nauseum.

Here's a calendly one from today that M365 mail filtering decided needed to be delivered to my inbox.

Had to zoom out so that you can actually see the calendly footer, because calendly /also/ lets people insert a load of whitespace to try to hide their footer "below the fold"

Link Preview Image
]]>https://board.circlewithadot.net/post/https://thx.gg/users/interpipes/statuses/116607317034331798https://board.circlewithadot.net/post/https://thx.gg/users/interpipes/statuses/116607317034331798Wed, 20 May 2026 14:14:13 GMT<![CDATA[Reply to ❗ We’ve observed a scammer clearly abusing Microsoft's 'msonlineservicesteam@microsoftonline[. on Wed, 20 May 2026 08:15:33 GMT]]>@GossiTheDog @zackwhittaker thanks for sharing 🙏

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/spamhaus/statuses/116605906707133641https://board.circlewithadot.net/post/https://infosec.exchange/users/spamhaus/statuses/116605906707133641Wed, 20 May 2026 08:15:33 GMT<![CDATA[Reply to ❗ We’ve observed a scammer clearly abusing Microsoft's 'msonlineservicesteam@microsoftonline[. on Tue, 19 May 2026 16:04:50 GMT]]>@spamhaus yeah this has been going on for a while, and Microsoft has done seemingly nothing to combat the issue.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/InfosecFemthing/statuses/116602089644478413https://board.circlewithadot.net/post/https://infosec.exchange/users/InfosecFemthing/statuses/116602089644478413Tue, 19 May 2026 16:04:50 GMT<![CDATA[Reply to ❗ We’ve observed a scammer clearly abusing Microsoft's 'msonlineservicesteam@microsoftonline[. on Tue, 19 May 2026 12:58:47 GMT]]>@spamhaus @zackwhittaker yep that one has been going on for months. It's this: https://abnormal.ai/blog/system-notification-abuse-microsoft-phishing

Entra ID tenant branding. I've been trying to get Microsoft to do something about it for most of the year.

]]>https://board.circlewithadot.net/post/https://cyberplace.social/users/GossiTheDog/statuses/116601358089649843https://board.circlewithadot.net/post/https://cyberplace.social/users/GossiTheDog/statuses/116601358089649843Tue, 19 May 2026 12:58:47 GMT