Received Microsoft Email in Your Inbox? Think Twice Before Clicking Links

Microsoft phishing scam exposes a loophole that lets scammers misuse official email addresses for months.

Written By : Akshita Pidiha
Reviewed By : Sankha Ghosh

Microsoft is facing fresh scrutiny after scammers misused one of its official email addresses to send phishing emails with fake alerts and malicious links. The incident has raised questions over how major tech firms monitor their automated communication systems and why such misuse continued for months without a public fix.

Official Microsoft Address Used for Phishing Mails

Several users, including cybersecurity researchers and journalists, recently received suspicious emails sent from a Microsoft address, msonlineservicesteam@microsoftonline.com. The address is commonly linked to account notifications and security warnings from Microsoft, which made the messages appear genuine at first glance.

The emails carried alarming subject lines and pushed users to click on unknown links. Some of the emails claimed there were fraudulent transactions connected to user accounts. Others informed recipients about a private message waiting online. The content inside many of these emails appeared poorly written. Still, the sender address added a layer of trust that phishing campaigns usually struggle to achieve.

Spam Filters Failed to Stop Misuse of Microsoft System

Cybersecurity experts say the misuse highlights a dangerous gap in automated email systems used by large platforms. They argue that trusted domains should never allow customization features that can be manipulated for spam activity.

Anti-spam organization The Spamhaus Project said the misuse had been going on for months. In a social media statement, the group criticized how notification systems were configured and confirmed that Microsoft had already been informed of the loophole. Microsoft acknowledged media queries on the matter earlier this week. The company has not revealed how the misuse started.

Can Users Still Trust Official Platforms?

The incident adds to a larger pattern in which attackers are increasingly exploiting trusted corporate systems to run scams. Earlier this year, hackers reportedly abused a platform linked to the fintech firm Betterment to spread fraudulent cryptocurrency schemes. In 2023, attackers also gained access to a Namecheap-linked email account and used it to launch phishing campaigns targeting login credentials.

The bigger concern now is not only the phishing mails themselves. The real issue lies in how long such vulnerabilities can stay within systems owned by major technology companies. Trust is always the backbone of digital communication, and once official platforms start to appear unreliable, users become easier targets for scams that closely resemble genuine alerts.
