Scammers are abusing an internal Microsoft account to send spam links


For months, scammers have been taking advantage of a loophole that allows them to send spammy emails from an internal Microsoft email address typically used for sending legitimate account alerts. It’s not clear how the scammers are abusing the system, but they have been able to set up new Microsoft accounts as if they are new customers and use that access to send out emails purportedly from the tech giant, potentially tricking people into thinking these emails are genuine. Microsoft doesn’t yet appear to have gotten a handle on the issue.


Last week, I received several similarly structured emails, purportedly from Microsoft, across several different email accounts, each with a subject line and a web link pointing to a scam site. These crudely made emails were sent from msonlineservicesteam@microsoftonline.com, an email account that Microsoft uses to send important notifications to users, such as two-factor authentication codes and other critical alerts about their online account. Some of these emails’ subject lines resembled official emails that would alert users to fraudulent transactions, while other emails claimed to have a private message waiting for the recipient at a web address mentioned in the email body.


In a social post on Tuesday, anti-spam nonprofit The Spamhaus Project said it had also seen Microsoft’s account notification email address being abused to send spam and that the activity dated back “several months.” “Automated notification systems should not allow this level of customization,” wrote Spamhaus. The nonprofit added that it has notified Microsoft of the issue.


When contacted by TechCrunch earlier this week, Microsoft acknowledged our inquiry but did not comment by press time. In a statement provided after publication by Emelia Katon, representing Microsoft via a third-party public relations agency, the company said: “We are actively investigating and taking action against these phishing reports to help keep customers protected. This includes further strengthening our detection and blocking mechanisms, while removing accounts that violate our Terms of Use.”


This is the latest in a rash of incidents in which hackers or scammers have abused company systems to trick unsuspecting customers in recent months. Earlier this year, hackers broke into a platform used by fintech firm Betterment to send out fraudulent notifications that purported to triple the value of any crypto users send in — a widely known scam used to steal people’s cryptocurrency. Back in 2023, hackers similarly abused access to an email account run by Namecheap to send out phishing emails aimed at stealing people’s credentials. Other users commenting on social media say that other companies’ email addresses are also being used to send out spam, suggesting the issue is not limited to Microsoft.
