Scammers have exploited a loophole that lets them send bulk emails from Microsoft’s own notification address. By creating new Microsoft accounts and routing mail through [email protected], they masquerade as the company and push links to fraudulent sites. The scheme has been active for months, targeting users with alerts about two‑factor codes and account changes daily.

Spamhaus, the anti‑spam nonprofit, traced the abuse back several months and warned that notification systems should not permit such customization. Microsoft has acknowledged the issue and said it is strengthening detection, blocking malicious accounts and removing violators. The company’s statement came after a TechCrunch inquiry to protect its customers from phishing attacks today and future.

This incident follows recent breaches where attackers hijacked fintech and domain‑registration platforms to send deceptive notifications. Users report similar phishing attempts using other corporate mailboxes, suggesting the problem spans multiple vendors. The pattern underscores the need for tighter controls on automated outbound email and real‑time abuse detection to prevent massive financial losses across industries today.

Microsoft’s response indicates a shift toward proactive mitigation. By removing compromised accounts and reinforcing its detection pipeline, the company aims to safeguard users from spoofed notifications. The episode highlights how attackers exploit legitimate communication channels, reminding defenders that even trusted internal addresses can become vectors for phishing and credential‑stealing attacks across global networks today and future.