Microsoft Email Infrastructure Exploited by Scammers to Distribute Phishing Links
A significant security loophole is allowing malicious actors to send fraudulent emails using an official Microsoft domain. The attackers are leveraging an internal email address, typically reserved for legitimate account alerts and security notifications, to bypass spam filters and deceive recipients. By masquerading as official communications from the tech giant, these messages appear highly credible to unsuspecting users.
The emails are sent from the address msonlineservicesteam@microsoftonline.com, a sender normally associated with critical account updates such as two-factor authentication codes. The phishing attempts often use subject lines that mimic urgent security alerts about fraudulent transactions, or notifications of private messages, and direct users to malicious external websites. Security researchers have noted that this activity has been ongoing for several months, which points to a failure in automated notification systems that allow such high levels of customization.
While the exact method used to exploit this system remains under investigation, the incident underscores a growing trend of attackers compromising corporate communication channels to conduct phishing campaigns. Similar tactics have been observed at other major firms, including Namecheap and Betterment, where attackers gained unauthorized access to official notification platforms to facilitate credential theft and financial scams. Microsoft has acknowledged the reports but has yet to provide a timeline for a permanent resolution to the vulnerability.