Scammers are abusing an internal Microsoft account to send spam links (opens in new tab)

(techcrunch.com)

300 pointsspike0211d ago176 comments

176 comments

Who even can be sure microsoftonline.com is legit. Microsoft's domain story is such a mess, I wouldn't be surprised if not even internally they have one complete list of all the domain assets they own.

But they are not alone. It is kind of ironic when companies insist that we check the domain to spot spam but are unable publish a list with all domains they officially use to send mail.

Abishek_Muthian1d ago

Tangent: I used to receive at least a dozen bank scam calls per day in India, especially during insurance renewal. I wanted the banks to publish official phone numbers and mandate their employees to use only official numbers.

Recently the regulatory bodies did just that and so the banks should only use 1600 numbers to contact their customers. My bank scam calls have dropped to 0.

nolok1d ago

In France, basically every bank say (show in their app and everything) "if we call you and ask anything like code, confirmation, to do an action, anything, end the call and call us back, don't do anything on a call you didn't initiate".

Same in their app eg you try to do a sepa wire to a new recipient and you get a warning "are you on the phone with someone ? did someone ask you to do that ? please call your bank by pressing this button. By the way we will never call you to ask an auth code or to do a wire"

spicymaki23h ago

Here is a fun one, my mobile phone company has an account lock along with a pin and OTP over SMS system. In order for me to activate a new device (like an phone upgrade) with eSIM over the phone, I need to unlock my account with account lock, give them the pin over the phone, and read the SMS OTP to the mobile phone rep online. I get doing the account unlock and verbal pin, but I don't get why they ask for the OTP especially when they train us to never share the OTP over the phone. I even asked the rep about it, but he mentioned that you should never share the OTP if you did not initiate the service request. From a security posture point of view I think that stinks. I am not exactly sure how they expect SMS OTP to work in the case where my phone is not functional.

benhurmarcel18h ago

And then we have the national post office sending its notifications from the scammiest-looking domain they could find: noreply@notif-colissimo-laposte.info

dawnerd12h ago

Unfortunately in the US, maybe elsewhere, pharmacies and medical offices have trained the elderly it’s okay to verify their dob when they call. Costco does that when they call and it drives me nuts.

hunter2_1d ago

Knowing what numbers are real through an official publication is very good, but it only allows you to place trust in calls you make, not calls you receive, because making calls doesn't involve caller ID, receiving calls does, and caller ID is spoofable.

4ndrewl1d ago

That's the number one rule though. If someone calls you claiming to be your bank, just say "I'll call you back"

4 more replies

bdavbdav1d ago

That would take nothing to implement. Services like Truecaller already do live caller ID against databases on iOS / Android. All it would take is a sensible register of verified numbers

1 more reply

amarant23h ago

Oh man that brings back memories!

"Hello, I'm calling from Blockchain, I would like to talk about your investment portfolio"

it weirded me out they would pretend to be from the underlying technology instead of an exchange or something. I kept thinking I should pretend to be the CEO of TCP/IP or something when they called.

ghoul21d ago

Recently, banks where also asked to put their official websites/netbanking on *.bank.in domains. I have wanted that for SO long.

trollied1d ago

My bank has a feature whereby it'll tell you promoinently in their app if they are currently calling you.

0123456789ABCDE1d ago

is it common for banks to call you?

always though the agreement was: we don't call you, you call us. we'll send letters though.

qingcharles1d ago

Bluesky is even worse, some of their emails come from "moderation@blueskyweb.xyz".

They have to make posts to assure people it's not a scam, especially as they'll ask you to mail ID etc to that address:

https://bsky.app/profile/safety.bsky.app/post/3ljp6zi7tp227

chuckadams1d ago

Hard to beat Outlook 2007 which had some "smart tags" feature that all referenced "5iantlavalamp.com", and things started breaking when that domain expired.

RadiozRadioz1d ago

I'm struggling to find information about this and it's extremely interesting.

Would you please explain more?

1 more reply

chuckadams17h ago

Ah I misremembered one thing, nothing broke because it wasn’t even an existing domain when they used it. That was a different Microsoft domain I was thinking of.

varun_ch1d ago

I simultaneously don’t believe this and fully believe this is something they would do. Do you have any sources on this?

1 more reply

wizzwizz41d ago

This story is ludicrous… yet, it seems to check out. https://spamassassin.apache.org/full/3.0.x/dist/rules/25_uri... says this is one of the "Top 125 domains whitelisted by SURBL", and there's an answer on the hyphen site about it: https://www.experts-exchange.com/questions/22812691/What-is-.... Can someone with a Bottom-Surgery account tell us the details?

1 more reply

donkyrf1d ago

Microsoft is the 4th largest company in the world.

There should be a long list of companies whose policies are worse than theirs.

vitally36431d ago

That doesn't follow. I would expect the list of companies worst than Microsoft to be about 4 items long

jquery1d ago

At least Bluesky has an excuse of not being a Fortune 50 company. What’s Microsoft’s excuse?

lostlogin1d ago

‘We built it 30 years ago, it’s sort of compatible with everything and we will never deprecate.’

It’s not a good excuse…

vasco1d ago

Sending your id to a social media IS a scam.

hvb21d ago

By email... Just to add insult to injury

fragmede1d ago

What definition of the word scam are you using here? What promise of a product that you pay for that isn't being delivered, with uploading your id to a site on the Internet?

1 more reply

crimsonnoodle5817h ago

> Microsoft's domain story is such a mess

You mean like how they moved from a perfectly legible and rememberable domain like office.com to the strange vanity domain m365.cloud.microsoft?

WarOnPrivacy1d ago

> Who even can be sure microsoftonline.com is legit.

Yeah. I queried the 1st thing that came to mind and internalmicrosoft.com and microsoftinternal.com are available. With that much potential out there, I'd want to keep my official domain group tight.

aftbit22h ago

Not only that, but they wrap the links in their email with click tracking provided by domains that have nothing to do with them (Mailgun or whatever). So even if you try to introspect the links you're clicking, they seem to go to a scammy domain even if they're legit!

warumdarum1d ago

Remember those indian microsoft support centers and that strange correlation of you being called by a indian microsoft scammer the next day after you called there. Not implying causation.. just..

T-A1d ago

https://github.com/HotCakeX/MicrosoftDomains

...and microsoftonline.com is not among them (unlike microsoftonline.net and other variants). But it seems to have been registered in 2002, and the record looks legit:

https://whois.domaintools.com/microsoftonline.com

balakk1d ago

It's definitely a Microsoft owned domain and actively used - for example in Azure Active Directory (Entra).

HDBaseT16h ago

1drv.ms always catches me out.

e401d ago

I did not expect 645 entries!! That is insane.

KomoD1d ago

microsoftonline.com is in that list.

T-A23h ago

You're right. I wonder how I managed to miss it. For a moment I thought I must have looked at

https://github.com/HotCakeX/MicrosoftDomains/blob/main/Micro...

but that one doesn't contain any microsoftonline.

cuteboy191d ago

but microsoftgenuinerewardsrc.com is! shameful!

inetknght1d ago

> unable publish a list with all domains they officially use to send mail

That's because people report them as spam, so they hop domains to avoid that.

hnlmorg1d ago

For a company with as much weight in the industry as Microsoft, it would be trivial to ensure their domains don’t end up on spam lists. Heck, because of outlook.com, they control have the spam lists themselves.

The real reason for multiple domains is likely more stupid than that. It’s likely because different teams want to move faster than the whole of Microsoft, so register a domain for their MVP to enable them to prototype like a start up. Because going through the usual hoops with enterprise regarding using their established domains will be a long and torturous process. And before long, their new prototype domain becomes so integrated into their product that adopting it as official is just easier than switching to microsoft.com.

I couldn’t say for sure that’s what has happened here. But it’s the story I’ve seen with domain ownership in other enterprises

hirsin23h ago

Microsoft.com is also owned by the marketing org, not the engineering org, for various reasons that predate the existence of many employees at Microsoft now.

This is why with rare, rare exceptions nothing "real" is on Microsoft.com including even the login page, with one exception (the passkey domain).

The new cloud.microsoft domain for Office will possibly help, but it's still a heck of a long list - https://learn.microsoft.com/en-us/microsoft-365/enterprise/u...

And IIRC this is just for office and windows, not azure.

saghm1d ago

Okay, so then they should stop doing stuff like trying to push people to log into Windows with Microsoft accounts instead of offline credentials and then using that as an excuse to send out inane marketing emails that no one wants. "We're doing something shitty as a workaround for the consequences of other shitty things we do" isn't a particularly good reason for not acting so shitty.

gwbas1c1d ago

Seems like it would make sense to only use subdomains of microsoft.com?

ntoskrnl_exe1d ago

I got used to that one, but the other day I was checking Outlook in the web browser and I ended up on outlook.cloud.microsoft, I couldn't believe my eyes.

apimade1d ago

Such a list will never exist in an organisation of this size, with the amount of delegated management and operations required for these functions. In fact, it’s unlikely such a list is even _allowed_ to exist given the sensitive nature of some areas of the business, being a publicly traded company which works directly with regulated entities and governments.

It’d be interesting to hear a senior old-timer from MS to weigh in on their blog about this, and similar/adjacent problems that arise from working across such a colossal entity.

It’s a wonder they ever release anything new, if I’m being completely honest. The amount of governance, hoops, process and procedure across every aspect of their business must be staggering.

10000truths1d ago

> In fact, it’s unlikely such a list is even _allowed_ to exist given the sensitive nature of some areas of the business, being a publicly traded company which works directly with regulated entities and governments.

If the existence of a domain/subdomain is considered sensitive information, then something has gone very wrong.

antiframe1d ago

Companies do register domains before launching products and don't want to leak them. Now, I still support Microsoft and other companies to list the domains they send official emails from.

1 more reply

butvacuum11h ago

the domain that ever m365 tennant exists on? that microsoftonline.com?

cess111d ago

This was a common issue when I consulted with bankruptcy lawyers and had to figure out what domain assets the company had. Commonly the representatives only knew about some of the domains and we found at least a few more.

Same with third party services, sometimes they used one for something for a while and collected customer or user data there and then stopped but kept paying for it, and forgot they had it. We typically found these through analysis of their accounting.

lostlogin1d ago

Having a service crap out because someone didn’t pay for the domain is almost a trope. It never occurred to me that the reverse might happen - paying for unused domains.

doubled1121d ago

We pay for a bunch of old domains because nobody in the org can definitively say we never used it and/or don’t use it anymore.

Easier to just keep paying.

1 more reply

SoKamil1d ago

> Who even can be sure microsoftonline.com is legit

Spam filters.

saghm1d ago

I'm either impressed by whatever spam filter you having literally zero false positives or negatives, or I'm confused about what you think it means to "be sure".

consp1d ago

I have plenty of false negatives, mostly due to companies in know I get a mail from using spamlike html mails, I always verify on the phone it is the mail they send to be sure but it happens way too often.

EGreg1d ago

“So Microsoft’s domain story is a total mess?”

“Always has been.”

https://www.techmonitor.ai/technology/microsoft_forget_to_re...

dminik1d ago

On a semi-related note, Microsoft security is genuinely terrible.

For the past week, my Microsoft authenticator has been pinging about sign-ins from random places. Except the login history page is completely empty. Not even my own sign ins show up.

Now, you would be forgiven for thinking it's because my password leaked, but no. The default sign in flow with the app enabled is email + authenticator. No password required. In their eternal wisdom this option is not changeable in the app.

Microsoft really should realize that the only reason the account still exists is because they bought Minecraft and stop complicating my life.

xboxnolifes1d ago

Microsoft also has this cool thing where if someone fails to get into your account too many times, your account can get locked and you are asked to reset your password. For a working password.

Even after changing my password, I couldn't login to my email on my phone, so I just gave up. I only use that email for a handful of things anyway.

flexagoon1d ago

Their enterprise account system (active directory or whatever it's called) also has an awesome bug where if you accidentally reload the page during password reset, the link will no longer be valid, but your old password will already be invalidated. So you won't be able to log in at all untill IT staff manually changes your password.

stanac1d ago

> The default sign in flow with the app enabled is email + authenticator. No password required

Isn't this only if browser have some cookie from previous session or IP didn't change?

Edit: just tried (new IP + private window firefox), you are right, I can enter email and select app notification.

eterm1d ago

I've been getting this too, authenticator prompts saying "logged in" and asking for confirmation, but no history whatsoever when I went to security to check.

It freaked me out the first time, I went through all the security settings I could find, but it was if it never happened.

I just ignored it the second time, but it's a bit unsettling, because the default authenticator flow also has the chance of accidentally hitting the right number.

e401d ago

Is that because it’s two digits?

eterm1d ago

No, because the default is to present you 3 numbers and asks you which your number is!

1 in 3 and easy to hit by mistake.

2 more replies

alargemoose1d ago

I also had this starting a few months back. I changed the email address (really, just an alias to the same mailbox as before) and the notifications stopped.

greatgib1d ago

It is the same company that want to stop SMS 2fa to force you to use their shitty authenticator app.

Numerlor1d ago

SMS 2FA is the worst factor because of how insecure and phishable the phone network is, it deserves to die out where possible

e401d ago

But they could allow other 2fa apps, but they force their shitty one.

bsoles1d ago

My employer's domain starts with "m". Bunch of people recently fell victim for a fishing email whose domain started with "rn". In Outlook 's font the two look almost identical.

epistasis1d ago

A keming attack in the wild...

CSMastermind22h ago

This happens all the time, it's a classic phishing tactic.

hashstring16h ago

Yes, the Outlook sender font is such a joke. They preach about 365 security but don’t practice basics.

spike021OP1d ago

A while back I had a reservation with a hotel on Booking and I received a phish attempt that came directly via the Booking site domain email and also DMs but "sent" by the hotel. When I looked into it at the time, it seemed less like an issue of hotels specifically having their accounts infiltrated and more like some kind of message/email endpoint on Booking's end was being abused in a similar manner.

I'm not sure this is the same type of issue but found this interesting, especially since apparently it's been reported to MS and no action has been taken.

kay_o1d ago

I have not seen one of these that wasn't a compromised hotel email or booking account. I have had to "help" a hotel get malware/RATs off their system more than a dozen times as a _guest_

r1ch1d ago

I've started to assume that any non-chain hotel is compromised after losing $2k to hackers that completely owned the hotel's email system. Thankfully DMARC made it irrefutable that it was their system at fault and they assumed liability. BEC is shockingly common and difficult to detect until it's too late.

kay_o19h ago

Not just BEC, at multiple non-chains I have found keyloggers, card stealers and everything in between. I refuse to use anything but apple pay on an actual payment terminal (or a 3P booker that passes on a virtual card) and no ID scans or copies.

drdec1d ago

I feel sad that what I think of as the obvious solution, companies using subdomains like internal.microsoft.com instead of making a million different domains, is so far from happening that no one here on HN has even brought it up.

kro1d ago

You are correct.

Reminds me, we once got a letter by a German government body requesting some data exports from our company, and to upload them on findrive-ni.de

It turned out to be legit, but it's neither a subdomain of the state of Niedersachsen domain nor referenced in their official sites.

dpkirchner1d ago

Hell, they have .microsoft. Why'd they bother?

binaryturtle1d ago

I'm receiving daily about 20 to 30 spam mails from google servers. I'm sorting them into a separate SPAM folder for the "fun" of it.

Who to contact? How to make Google stop? Where to report the abuse of their services? I can't find out. The whole service is basically a big <bleep> off and "we don't want any contact."

Maybe I also need to publish some article, so it can be published here on HN? Maybe that could give it some traction for someone at Google to look into it?

currysausage21h ago

Yeah, I fell into that rabbit hole once. Tried all abuse channels that I could find. network-abuse@ refers you to the Google Cloud abuse form. They ‘are not able to take action on this report since the IP mentioned in the report is not hosted on Google Cloud.’ Gmail abuse doesn’t even bother to reply (why should they, it’s not about Gmail after all). In the end, I just blocked DKIM identifiers related to Firebase via Rspamd.

alex_suzuki1d ago

You can try: https://support.google.com/mail/contact/abuse?hl=en

I submitted an account that sent phishing emails last week, but I’m told it’s basically a black hole and to not expect anything anything to happen.

binaryturtle1d ago

It's not gmail accounts, but "services" (?) hosted on Google's cloud. Basically I see X.X.X.X.bc.googleusercontent.com addresses in the "Received" header fields, e.g. "22.185.141.34.bc.googleusercontent.com"

When doing a WHOIS on that IP we'll get a contact address for abuse reports: "google-cloud-compliance@google.com", but sending anything there, returns an error that the user doesn't exists.

koliber12h ago

I own a domain and have a catch all email. I routinely get emails from Microsoft and Google's official email addresses telling me that some account will be closed, or some other account notifications. I never created these accounts, and when I try to log into them or do a password reset, it does not go anywhere. It's been a minor mystery why I keep getting these emails for a while.

The Microsoft emails are coming from microsoft-noreply@microsoft.com so it's a bit different than in this article.

r1ch1d ago

Meta had(has?) a similar bug with one of their business manager features, the attacker has complete control of the initial body text which makes it highly convincing.

Trying to report this was an exercise in futility, I guess they get so much beg bounty spam that their security submission process filters out the occasional legitimate issue.

enkrs1d ago

I've been receiving these for so long I started thinking it must be just me being targeted and not widespread, as Meta seems to not do anything about it.

Emails comming legitimeley from noreply@business.facebook.com with the text below. Go and decypher which part is Meta template and which is creative use of user supplied text...

  Your Meta's Page may be at risk due to unusual
  activity is not part of or affiliated with
  Meta. Only approve requests and invitations from
  people and businesses that you know and trust.
  Meta will never ask for passwords, payment
  information or personal details in an email. You've
  received a partner request. Partners are other
  businesses that you work with on Facebook. Partner
  sharing lets you give access to your business assets,
  but not to your business portfolio. This request is
  from:

  Your Page is under restriction review Contact Meta
  Support: metafanpageviolate@gmail.com Protect yourself
  from fraud: Verify the identity of the requester by
  contacting the business using official contact information.

perseusai1h ago

Classic MS. Even their email service becomes Clippy!

wnevets1d ago

Is something similar happening with paypal? I've been getting seemly emails from the PayPal domain that are obviously a scam.

redwall_hp1d ago

The ones I've seen from PayPal are basically from sending a large request for money to you, then in the freeform text field for the reason, putting fake "if you believe this is a scam, call [actually a scam number]" text.

casty1d ago

I can confirm. Interestingly they actually put a random USDC transaction number from Coinbase which was very close (close enough that I thought it was accurate) of a transaction I actually did on Coinbase at one point. I was so confused so I ended up calling the number but immediately realized once they picked up what was going on. Essentially they got really lucky that my actual transaction amount was close enough to seem plausible.

This is a failure on PayPal’s email template that the freeform text field appears just as legit as other items. The text label was something like “Message from Sender”.

duskwuff1d ago

> This is a failure on PayPal’s email template that the freeform text field appears just as legit as other items.

This is a somewhat common pattern in scams - abusing freeform text fields in emails or other messages to give the impression that a message is coming from a source that didn't intend to send it.

Another variant I've seen is malicious URLs linking to search engines which display the user's search terms, e.g. a link to a Microsoft site search with a prefilled search of "YOU HAVE A VIRUS, CALL MICROSOFT SUPPORT 555-1212".

diego_sandoval1d ago

PayPal itself is a scam.

HDBaseT16h ago

How so?

kro1d ago

I've been receiving loads of spam from google MX servers lately until blocking all mails with X-Google-Group-Id headers. I don't know how it's possible, the contents were 100% spammer controlled, no Google template

okandship1d ago

big vendors asking users to inspect domains while spreading mail across unclear domains is part of the problem. publishing a signed, boring source of truth for official sending domains would help defenders a lot.

zer0tonin1d ago

I got one of those random 2auth codes email and I assumed my password had been compromised. At least it's some kind of relief to know that it's only a compromised Microsoft email address...

nippoo1d ago

I mean, it happened to the FBI... https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-...

razakel1d ago

>The FBI is aware of a software misconfiguration

That's not a misconfiguration, that's incompetence.

How do these people get hired?

lachiflippi1d ago

That's actually really easy:

1. be government agency

2. pay 30-70% less than private sector companies would for a similar position

3. receive applicants that are 30-70% less competent

Bonus:

- have 30+ year old systems nobody understands anymore because the team behind them has been dead/retired for a decade

- have hiring process handled entirely by out of touch suits

- have a revolving door of motivated soon-to-be burnouts mopping up the mess behind the aforementioned regular employees

aftbit23h ago

I got a coinbase scam from @akamai.com once. One of their acquisitions had a bad SPF I believe.

ismaelyws21h ago

Damn. And this completely bypasses any anti-spoofing protection.

nipperkinfeet21h ago

This is a long-standing issue that has persisted for years.

sylware3h ago

microsoft IPv4 ranges are filthy of "stretchoid' scanners and script kiddies. Usually, it is better to ban all ms IPv4 ranges.

(IPv6 is currently safe... for now...)

ChrisArchitect1d ago

https://abnormal.ai/blog/system-notification-abuse-microsoft...

MichaelZuo1d ago

How does it work when a genuine microsoft domain is spending out spam?

Do other email providers penalize that specific domain only, or all microsoft domains to a tiny degree?

lelandbatey1d ago

The domain is Microsoftonline.com

Typically it's a mis-placed feature. Something like "send an email alert when a thing happens" and they let you control what goes in the message body as well as who the message should be sent towards. Sounds reasonable on the surface, but without guardrails it lets folks send arbitrary emails from your domain.

zbengrac21d ago

shocking..

avazhi1d ago

Pretty apropos and quite ironically encapsulates what Microsoft has turned into over the past few years in particular.

Imagine this is some truly errant copilot instance truly embracing its slop destiny.

lol

yard20101d ago

Did anyone there try to ask ChatGPT to come up with a solution?

j / k navigate · click thread line to collapse

176 comments

weinzierl1d ago

But they are not alone. It is kind of ironic when companies insist that we check the domain to spot spam but are unable publish a list with all domains they officially use to send mail.

Abishek_Muthian1d ago

Recently the regulatory bodies did just that and so the banks should only use 1600 numbers to contact their customers. My bank scam calls have dropped to 0.

nolok1d ago

spicymaki23h ago

benhurmarcel18h ago

And then we have the national post office sending its notifications from the scammiest-looking domain they could find: noreply@notif-colissimo-laposte.info

dawnerd12h ago

hunter2_1d ago

4ndrewl1d ago

That's the number one rule though. If someone calls you claiming to be your bank, just say "I'll call you back"

4 more replies

bdavbdav1d ago

That would take nothing to implement. Services like Truecaller already do live caller ID against databases on iOS / Android. All it would take is a sensible register of verified numbers

1 more reply

amarant23h ago

Oh man that brings back memories!

"Hello, I'm calling from Blockchain, I would like to talk about your investment portfolio"

it weirded me out they would pretend to be from the underlying technology instead of an exchange or something. I kept thinking I should pretend to be the CEO of TCP/IP or something when they called.

ghoul21d ago

Recently, banks where also asked to put their official websites/netbanking on *.bank.in domains. I have wanted that for SO long.

trollied1d ago

My bank has a feature whereby it'll tell you promoinently in their app if they are currently calling you.

0123456789ABCDE1d ago

is it common for banks to call you?

always though the agreement was: we don't call you, you call us. we'll send letters though.

qingcharles1d ago

Bluesky is even worse, some of their emails come from "moderation@blueskyweb.xyz".

They have to make posts to assure people it's not a scam, especially as they'll ask you to mail ID etc to that address:

https://bsky.app/profile/safety.bsky.app/post/3ljp6zi7tp227

chuckadams1d ago

Hard to beat Outlook 2007 which had some "smart tags" feature that all referenced "5iantlavalamp.com", and things started breaking when that domain expired.

RadiozRadioz1d ago

I'm struggling to find information about this and it's extremely interesting.

Would you please explain more?

1 more reply

chuckadams17h ago

Ah I misremembered one thing, nothing broke because it wasn’t even an existing domain when they used it. That was a different Microsoft domain I was thinking of.

varun_ch1d ago

I simultaneously don’t believe this and fully believe this is something they would do. Do you have any sources on this?

1 more reply

wizzwizz41d ago

1 more reply

donkyrf1d ago

Microsoft is the 4th largest company in the world.

There should be a long list of companies whose policies are worse than theirs.

vitally36431d ago

That doesn't follow. I would expect the list of companies worst than Microsoft to be about 4 items long

jquery1d ago

At least Bluesky has an excuse of not being a Fortune 50 company. What’s Microsoft’s excuse?

lostlogin1d ago

‘We built it 30 years ago, it’s sort of compatible with everything and we will never deprecate.’

It’s not a good excuse…

vasco1d ago

Sending your id to a social media IS a scam.

hvb21d ago

By email... Just to add insult to injury

fragmede1d ago

What definition of the word scam are you using here? What promise of a product that you pay for that isn't being delivered, with uploading your id to a site on the Internet?

1 more reply

crimsonnoodle5817h ago

> Microsoft's domain story is such a mess

You mean like how they moved from a perfectly legible and rememberable domain like office.com to the strange vanity domain m365.cloud.microsoft?

WarOnPrivacy1d ago

> Who even can be sure microsoftonline.com is legit.

Yeah. I queried the 1st thing that came to mind and internalmicrosoft.com and microsoftinternal.com are available. With that much potential out there, I'd want to keep my official domain group tight.

aftbit22h ago

warumdarum1d ago

Remember those indian microsoft support centers and that strange correlation of you being called by a indian microsoft scammer the next day after you called there. Not implying causation.. just..

T-A1d ago

https://github.com/HotCakeX/MicrosoftDomains

...and microsoftonline.com is not among them (unlike microsoftonline.net and other variants). But it seems to have been registered in 2002, and the record looks legit:

https://whois.domaintools.com/microsoftonline.com

balakk1d ago

It's definitely a Microsoft owned domain and actively used - for example in Azure Active Directory (Entra).

HDBaseT16h ago

1drv.ms always catches me out.

e401d ago

I did not expect 645 entries!! That is insane.

KomoD1d ago

microsoftonline.com is in that list.

T-A23h ago

You're right. I wonder how I managed to miss it. For a moment I thought I must have looked at

https://github.com/HotCakeX/MicrosoftDomains/blob/main/Micro...

but that one doesn't contain any microsoftonline.

cuteboy191d ago

but microsoftgenuinerewardsrc.com is! shameful!

inetknght1d ago

> unable publish a list with all domains they officially use to send mail

That's because people report them as spam, so they hop domains to avoid that.

hnlmorg1d ago

I couldn’t say for sure that’s what has happened here. But it’s the story I’ve seen with domain ownership in other enterprises

hirsin23h ago

Microsoft.com is also owned by the marketing org, not the engineering org, for various reasons that predate the existence of many employees at Microsoft now.

This is why with rare, rare exceptions nothing "real" is on Microsoft.com including even the login page, with one exception (the passkey domain).

The new cloud.microsoft domain for Office will possibly help, but it's still a heck of a long list - https://learn.microsoft.com/en-us/microsoft-365/enterprise/u...

And IIRC this is just for office and windows, not azure.

saghm1d ago

gwbas1c1d ago

Seems like it would make sense to only use subdomains of microsoft.com?

ntoskrnl_exe1d ago

I got used to that one, but the other day I was checking Outlook in the web browser and I ended up on outlook.cloud.microsoft, I couldn't believe my eyes.

apimade1d ago

It’d be interesting to hear a senior old-timer from MS to weigh in on their blog about this, and similar/adjacent problems that arise from working across such a colossal entity.

It’s a wonder they ever release anything new, if I’m being completely honest. The amount of governance, hoops, process and procedure across every aspect of their business must be staggering.

10000truths1d ago

If the existence of a domain/subdomain is considered sensitive information, then something has gone very wrong.

antiframe1d ago

Companies do register domains before launching products and don't want to leak them. Now, I still support Microsoft and other companies to list the domains they send official emails from.

1 more reply

butvacuum11h ago

the domain that ever m365 tennant exists on? that microsoftonline.com?

cess111d ago

lostlogin1d ago

Having a service crap out because someone didn’t pay for the domain is almost a trope. It never occurred to me that the reverse might happen - paying for unused domains.

doubled1121d ago

We pay for a bunch of old domains because nobody in the org can definitively say we never used it and/or don’t use it anymore.

Easier to just keep paying.

1 more reply

SoKamil1d ago

> Who even can be sure microsoftonline.com is legit

Spam filters.

saghm1d ago

I'm either impressed by whatever spam filter you having literally zero false positives or negatives, or I'm confused about what you think it means to "be sure".

consp1d ago

EGreg1d ago

“So Microsoft’s domain story is a total mess?”

“Always has been.”

https://www.techmonitor.ai/technology/microsoft_forget_to_re...

dminik1d ago

On a semi-related note, Microsoft security is genuinely terrible.

For the past week, my Microsoft authenticator has been pinging about sign-ins from random places. Except the login history page is completely empty. Not even my own sign ins show up.

Microsoft really should realize that the only reason the account still exists is because they bought Minecraft and stop complicating my life.

xboxnolifes1d ago

Microsoft also has this cool thing where if someone fails to get into your account too many times, your account can get locked and you are asked to reset your password. For a working password.

Even after changing my password, I couldn't login to my email on my phone, so I just gave up. I only use that email for a handful of things anyway.

flexagoon1d ago

stanac1d ago

> The default sign in flow with the app enabled is email + authenticator. No password required

Isn't this only if browser have some cookie from previous session or IP didn't change?

Edit: just tried (new IP + private window firefox), you are right, I can enter email and select app notification.

eterm1d ago

I've been getting this too, authenticator prompts saying "logged in" and asking for confirmation, but no history whatsoever when I went to security to check.

It freaked me out the first time, I went through all the security settings I could find, but it was if it never happened.

I just ignored it the second time, but it's a bit unsettling, because the default authenticator flow also has the chance of accidentally hitting the right number.

e401d ago

Is that because it’s two digits?

eterm1d ago

No, because the default is to present you 3 numbers and asks you which your number is!

1 in 3 and easy to hit by mistake.

2 more replies

alargemoose1d ago

I also had this starting a few months back. I changed the email address (really, just an alias to the same mailbox as before) and the notifications stopped.

greatgib1d ago

It is the same company that want to stop SMS 2fa to force you to use their shitty authenticator app.

Numerlor1d ago

SMS 2FA is the worst factor because of how insecure and phishable the phone network is, it deserves to die out where possible

e401d ago

But they could allow other 2fa apps, but they force their shitty one.

bsoles1d ago

My employer's domain starts with "m". Bunch of people recently fell victim for a fishing email whose domain started with "rn". In Outlook 's font the two look almost identical.

epistasis1d ago

A keming attack in the wild...

CSMastermind22h ago

This happens all the time, it's a classic phishing tactic.

hashstring16h ago

Yes, the Outlook sender font is such a joke. They preach about 365 security but don’t practice basics.

spike021OP1d ago

I'm not sure this is the same type of issue but found this interesting, especially since apparently it's been reported to MS and no action has been taken.

kay_o1d ago

I have not seen one of these that wasn't a compromised hotel email or booking account. I have had to "help" a hotel get malware/RATs off their system more than a dozen times as a _guest_

r1ch1d ago

kay_o19h ago

drdec1d ago

kro1d ago

You are correct.

Reminds me, we once got a letter by a German government body requesting some data exports from our company, and to upload them on findrive-ni.de

It turned out to be legit, but it's neither a subdomain of the state of Niedersachsen domain nor referenced in their official sites.

dpkirchner1d ago

Hell, they have .microsoft. Why'd they bother?

binaryturtle1d ago

I'm receiving daily about 20 to 30 spam mails from google servers. I'm sorting them into a separate SPAM folder for the "fun" of it.

Who to contact? How to make Google stop? Where to report the abuse of their services? I can't find out. The whole service is basically a big <bleep> off and "we don't want any contact."

Maybe I also need to publish some article, so it can be published here on HN? Maybe that could give it some traction for someone at Google to look into it?

currysausage21h ago

alex_suzuki1d ago

You can try: https://support.google.com/mail/contact/abuse?hl=en

I submitted an account that sent phishing emails last week, but I’m told it’s basically a black hole and to not expect anything anything to happen.

binaryturtle1d ago

When doing a WHOIS on that IP we'll get a contact address for abuse reports: "google-cloud-compliance@google.com", but sending anything there, returns an error that the user doesn't exists.

koliber12h ago

The Microsoft emails are coming from microsoft-noreply@microsoft.com so it's a bit different than in this article.

r1ch1d ago

Meta had(has?) a similar bug with one of their business manager features, the attacker has complete control of the initial body text which makes it highly convincing.

Trying to report this was an exercise in futility, I guess they get so much beg bounty spam that their security submission process filters out the occasional legitimate issue.

enkrs1d ago

I've been receiving these for so long I started thinking it must be just me being targeted and not widespread, as Meta seems to not do anything about it.

Emails comming legitimeley from noreply@business.facebook.com with the text below. Go and decypher which part is Meta template and which is creative use of user supplied text...

  Your Meta's Page may be at risk due to unusual
  activity is not part of or affiliated with
  Meta. Only approve requests and invitations from
  people and businesses that you know and trust.
  Meta will never ask for passwords, payment
  information or personal details in an email. You've
  received a partner request. Partners are other
  businesses that you work with on Facebook. Partner
  sharing lets you give access to your business assets,
  but not to your business portfolio. This request is
  from:

  Your Page is under restriction review Contact Meta
  Support: metafanpageviolate@gmail.com Protect yourself
  from fraud: Verify the identity of the requester by
  contacting the business using official contact information.

perseusai1h ago

Classic MS. Even their email service becomes Clippy!

wnevets1d ago

Is something similar happening with paypal? I've been getting seemly emails from the PayPal domain that are obviously a scam.

redwall_hp1d ago

casty1d ago

This is a failure on PayPal’s email template that the freeform text field appears just as legit as other items. The text label was something like “Message from Sender”.

duskwuff1d ago

> This is a failure on PayPal’s email template that the freeform text field appears just as legit as other items.

This is a somewhat common pattern in scams - abusing freeform text fields in emails or other messages to give the impression that a message is coming from a source that didn't intend to send it.

diego_sandoval1d ago

PayPal itself is a scam.

HDBaseT16h ago

How so?

kro1d ago

okandship1d ago

zer0tonin1d ago

I got one of those random 2auth codes email and I assumed my password had been compromised. At least it's some kind of relief to know that it's only a compromised Microsoft email address...

nippoo1d ago

I mean, it happened to the FBI... https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-...

razakel1d ago

>The FBI is aware of a software misconfiguration

That's not a misconfiguration, that's incompetence.

How do these people get hired?

lachiflippi1d ago

That's actually really easy:

1. be government agency

2. pay 30-70% less than private sector companies would for a similar position

3. receive applicants that are 30-70% less competent

Bonus:

- have 30+ year old systems nobody understands anymore because the team behind them has been dead/retired for a decade

- have hiring process handled entirely by out of touch suits

- have a revolving door of motivated soon-to-be burnouts mopping up the mess behind the aforementioned regular employees

aftbit23h ago

I got a coinbase scam from @akamai.com once. One of their acquisitions had a bad SPF I believe.

ismaelyws21h ago

Damn. And this completely bypasses any anti-spoofing protection.

nipperkinfeet21h ago

This is a long-standing issue that has persisted for years.

sylware3h ago

microsoft IPv4 ranges are filthy of "stretchoid' scanners and script kiddies. Usually, it is better to ban all ms IPv4 ranges.

(IPv6 is currently safe... for now...)

ChrisArchitect1d ago

https://abnormal.ai/blog/system-notification-abuse-microsoft...

MichaelZuo1d ago

How does it work when a genuine microsoft domain is spending out spam?

Do other email providers penalize that specific domain only, or all microsoft domains to a tiny degree?

lelandbatey1d ago

The domain is Microsoftonline.com

zbengrac21d ago

shocking..

avazhi1d ago

Pretty apropos and quite ironically encapsulates what Microsoft has turned into over the past few years in particular.

Imagine this is some truly errant copilot instance truly embracing its slop destiny.

lol

yard20101d ago

Did anyone there try to ask ChatGPT to come up with a solution?

j / k navigate · click thread line to collapse