Your two-factor authentication codes and security alerts come from trusted Microsoft addresses—which makes this breach particularly dangerous. For several months, scammers have exploited a loophole letting them send spam and phishing links from [email protected], the legitimate address Microsoft uses for critical account notifications.
The Trust Hack
Attackers are weaponizing Microsoft’s own notification system against users.
The compromised address normally delivers your 2FA codes and security alerts—the emails you’re trained to trust without question. According to TechCrunch reporting from May 2026, scammers appear to create Microsoft accounts “as new customers” then manipulate the notification system to send messages that look official but contain obvious scam content and suspicious links.
These emails bypass traditional spam filters because they originate from legitimate Microsoft infrastructure, carrying all the technical authentication marks of genuine notifications. The result is sophisticated social engineering that exploits the very trust Microsoft has worked to build around its security communications.
Pattern Recognition
This attack reflects a broader trend of criminals abusing trusted cloud platforms.
The Spamhaus Project, an anti-spam nonprofit, flagged this abuse months ago and criticized Microsoft’s notification system for allowing “this level of customization.” Similar infrastructure hijacking hit fintech firm Betterment earlier this year, where hackers sent fraudulent crypto investment pitches through the company’s legitimate messaging platform.
Security researchers have documented related campaigns abusing Microsoft’s Direct Send feature and billing notifications, turning authentic Microsoft emails into phishing vehicles by inserting malicious content into customizable fields. This represents a fundamental shift where attackers no longer need to spoof trusted addresses—they simply exploit them directly.
Microsoft’s Silence
The company acknowledged the issue but hasn’t provided details about fixes or timeline.
Despite being contacted by multiple security organizations and journalists, Microsoft has offered only minimal acknowledgment without explaining the underlying vulnerability or confirming that it’s been resolved. This opacity is particularly concerning given that the same notification address handles genuinely critical security functions.
Meanwhile, security vendors report seeing increased abuse of Microsoft 365 infrastructure for internal-looking phishing campaigns that exploit misconfigured email routing and weak authentication policies.
Your Defense Strategy
Even trusted senders can’t be trusted blindly anymore.
- Start by scrutinizing any Microsoft email containing poor grammar, unexpected offers, or “private message” claims—even from legitimate addresses
- Before entering credentials anywhere, verify the URL ends in microsoft.com or your organization’s domain
- When suspicious emails arrive claiming urgent action, navigate manually to your Microsoft account security page instead of clicking embedded links
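The URL check in the list above is easy to get wrong by eye or with a plain string comparison, so here is one way to automate it over an email body, as an added example that is not from the article or from Microsoft. It assumes `contoso.example` as a placeholder for your organization's domain, treats non-HTTPS links as untrusted, and uses a constructed sample message.

```python
import re
from urllib.parse import urlsplit

# microsoft.com comes from the article; contoso.example is a placeholder
# (assumption) standing in for "your organization's domain".
TRUSTED_DOMAINS = ("microsoft.com", "contoso.example")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the URL's host is a trusted domain or a subdomain of one."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    if parts.scheme != "https":  # added strictness (assumption): no plain HTTP
        return False
    # .hostname drops any "user@" prefix and the port, and lowercases the host.
    host = (parts.hostname or "").rstrip(".")
    # Match on a label boundary: the exact domain, or a name ending in ".domain".
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_links(body, trusted=TRUSTED_DOMAINS):
    """Return every link in an email body whose host is not trusted."""
    links = (m.rstrip(".,;") for m in URL_RE.findall(body))
    return [u for u in links if not host_is_trusted(u, trusted)]


# Constructed sample body; every host below is made up for illustration.
SAMPLE_BODY = """
Review your sign-in activity: https://account.microsoft.com/security
Private message waiting: https://login.microsoft.com.verify-portal.example/inbox
Claim your offer: https://microsoft.com@prize-center.example/claim
Staff portal: https://notcontoso.example/login
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_BODY):
        print("untrusted link:", link)
```

The three flagged links each contain a trusted name somewhere in the URL, which is why the comparison is made against the parsed hostname on a dot boundary rather than against the raw string.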
The uncomfortable reality: you now need to verify what used to be automatically trustworthy. This breach illustrates how attackers increasingly exploit the infrastructure we’re taught to trust. Until platforms like Microsoft implement stricter controls over notification customization, your skepticism becomes the primary defense against your own security system.




























