Manipulate tenant branding fields
Within Microsoft Entra ID, tenants have customizable branding information such as the organization name. Researchers found attackers placing scam text directly in these fields—for example, fake purchase alerts or instructions to call a support number.
Trigger a system notification
The attacker then initiates a legitimate Microsoft workflow, such as adding a new email sign‑in or recovery method for a user in the tenant. Instead of their own address, they enter the victim’s email address.
Microsoft sends the message
That action causes Microsoft’s notification system to send an automated email to the target address. Because the email template includes the tenant name or branding fields, the attacker’s scam text appears inside what is otherwise a legitimate Microsoft-generated email.
In effect, the attacker injects a phishing message into a real Microsoft notification template.
Researchers have observed several tactics used to make the messages more convincing and harder for filters to detect.
• Subject-line hijacking – Attackers pack long scam messages into branding fields so the fraudulent text dominates the subject line or preview text.
• Character substitutions – Look‑alike characters and homoglyphs can evade keyword detection systems.
• Phone-number obfuscation – Numbers may be written with letters or unusual characters to bypass automated spam filters.
These tricks help the emails survive automated scanning while still conveying the scam message to humans.
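A mail-filtering team can blunt the three evasions listed above by normalizing the subject and preview text before keyword and phone-number matching, then flagging messages whose scam content only becomes visible after normalization. The script below is an added example, not code from the researchers or from Microsoft; the scam-term list, the homoglyph table and the sample subjects are constructed assumptions.

```python
import re
import unicodedata

# Small homoglyph table (Cyrillic letters that render like Latin ones); extend as needed.
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                            "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"})
WORD_DIGITS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
               "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
# Letters commonly written in place of digits inside an obfuscated phone number.
LETTER_DIGITS = str.maketrans("OoIl", "0011")
PHONE_RUN = re.compile(r"(?<![A-Za-z])[0-9OoIl](?:[\s().\-]*[0-9OoIl]){9,14}(?![A-Za-z])")
SCAM_TERMS = ("purchase", "billing", "invoice", "refund", "call", "support", "urgent")

def normalize(text: str) -> str:
    """Undo compatibility forms, homoglyphs, zero-width characters and spelled-out digits."""
    text = unicodedata.normalize("NFKC", text).translate(HOMOGLYPHS)
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")  # drop zero-width chars
    return re.sub(r"\b(" + "|".join(WORD_DIGITS) + r")\b",
                  lambda m: WORD_DIGITS[m.group(1).lower()], text, flags=re.IGNORECASE)

def find_phone_numbers(text: str) -> list[str]:
    """Digit strings for runs that look like a phone number once separators and letter-for-digit tricks are stripped."""
    numbers = []
    for run in PHONE_RUN.findall(text):
        if sum(ch.isdigit() for ch in run) >= 7:  # mostly real digits, not a stray word
            numbers.append(re.sub(r"[^0-9OoIl]", "", run).translate(LETTER_DIGITS))
    return numbers

def scam_terms(text: str) -> list[str]:
    return [t for t in SCAM_TERMS if re.search(rf"\b{t}\b", text, re.IGNORECASE)]

def analyze(subject: str) -> dict:
    """Flag a subject whose scam terms or phone number only appear after normalization."""
    norm = normalize(subject)
    terms, phones = scam_terms(norm), find_phone_numbers(norm)
    evasion = len(terms) > len(scam_terms(subject)) or len(phones) > len(find_phone_numbers(subject))
    return {"normalized": norm, "terms": terms, "phones": phones,
            "evasion": evasion, "suspicious": bool(terms and phones)}

# Constructed sample subjects (not real campaign data): two scam-style, one benign.
SAMPLES = [
    "Purch\u0430se \u043ef $499.99 c\u043enfirmed. N\u043et y\u043eu? C\u0430ll supp\u043ert 1-8OO-555-O199",
    "Bill\u200bing pr\u043eblem: call one 8OO 555 O1 99 within 24 hours",
    "Contoso Ltd: a new sign-in method was added to your account",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(analyze(s))
```

The `evasion` flag is the useful signal: a subject whose scam vocabulary or callback number is only recoverable after normalization is a strong indicator of filter evasion, independent of whether SPF, DKIM and DMARC passed.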
The most dangerous aspect of this campaign is that the messages are not simply spoofed.
Because Microsoft’s own systems generate and send the notifications, the emails can pass standard authentication checks such as SPF, DKIM, and DMARC, which many mail systems rely on to verify senders.
Recipients also see a familiar Microsoft sender address associated with account security alerts, which increases trust even if the message content is suspicious.
This combination—trusted sender infrastructure plus injected scam text—makes the emails far more convincing than typical phishing attempts.
Investigations by journalists and security researchers indicate the abuse has been active for months.
Reports describe:
• Multiple phishing emails sent from the Microsoft notification address across different inboxes.
• Scam themes including fake purchase alerts, billing problems, and urgent support requests.
• Large numbers of disposable Microsoft 365 tenants being used and discarded in a "burn‑and‑churn" pattern.
Anti‑spam researchers have criticized the level of customization allowed in automated notification workflows, warning that trusted platform infrastructure can be turned into a phishing delivery channel if safeguards are weak.
Importantly, reporting has noted that Microsoft had not publicly confirmed the exact technical root cause at the time these incidents were documented.
Because the sender address can be legitimate, users should rely on context and behavior rather than the “From” field alone.
Warning signs include:
• Unexpected purchase or fraud alerts you did not initiate
• Messages urging you to call a phone number immediately
• Requests to click links or resolve urgent billing issues
• Verification codes for actions you never requested
Even a real Microsoft email address does not guarantee the message content is trustworthy.
If you receive a suspicious Microsoft notification email:
• Do not click links or call numbers provided in the message.
• Open Microsoft services manually by typing the official website into your browser.
• Check your account activity directly from your account dashboard.
• Report the message as phishing in your email client or to your organization’s security team.
• If you interacted with the message, change your Microsoft password and review sign‑in activity.
This incident highlights a growing trend in cybercrime: attackers increasingly exploit trusted platforms and legitimate infrastructure instead of relying solely on fake domains. When a real service delivers the phishing message, traditional trust signals are no longer enough to keep users safe.