Scammers have reportedly been abusing a loophole that lets them send spam emails from an internal Microsoft email address normally used for legitimate account alerts.
The emails were sent from [email protected], an address Microsoft uses for important notifications such as two-factor authentication codes and other account-related alerts. Because the messages appear to come from Microsoft itself, they could easily trick users into believing they are real.
According to TechCrunch, the scammers appear to be creating new Microsoft accounts in a way that allows them to send customized emails through Microsoft’s notification system. The exact method being used is still unclear, but the issue has reportedly been active for months.

Several of the scam emails carried subject lines that looked similar to official warnings about suspicious transactions. Others claimed the recipient had a private message waiting for them and included links to suspicious websites in the email body.





