Tuesday, July 14, 2026
Tuesday, July 14, 2026
Home NewsMicrosoft’s Own Address Is Being Used Against Its Users – and Nobody Has Fixed It

Microsoft’s Own Address Is Being Used Against Its Users – and Nobody Has Fixed It

by Owen Radner
A+A-
Reset

For months, scammers have exploited a loophole allowing them to send phishing emails from msonlineservicesteam@microsoftonline.com – the same address Microsoft uses for genuine two-factor authentication codes and critical account alerts. Security researcher Zack Whittaker reported the vulnerability on May 21, 2026. The mechanism requires no domain spoofing: it uses Microsoft’s own servers, passes standard authentication checks, and as of Thursday afternoon Microsoft had not confirmed a fix.

The attack path: scammers create new Microsoft accounts as ordinary customers, and that account-creation access somehow lets them send emails originating from the verified Microsoft domain. Standard enterprise spam filters whitelist msonlineservicesteam@microsoftonline.com as a baseline trust assumption, so messages pass without inspection. Whittaker received multiple similarly structured emails last week across different accounts, each pointing to external scam sites, each from the same verified address. YourNewsClub flags this as a category-one trust exploit – systemic abuse of infrastructure that users have been conditioned to treat as safe.

The precise mechanism remains opaque; Whittaker acknowledged the specifics are still unclear. What is documented: the loophole has been active for months at scale large enough for multiple independent users to notice and report it. The heuristic that users trained themselves to follow – verify the sender address before trusting a message – has been turned against them. The sender address in this case is the legitimate one.

Maya Renn, who examines ethics of computation and access to power through technology, frames it as an access problem: “The loophole sits inside a trust relationship that millions of people have built up over years. Exploiting that trust is a different kind of harm than exploiting a software bug. It does not respect the execution-versus-language distinction.”

This fits a broader pattern. Earlier in 2026, hackers broke into a platform used by fintech firm Betterment to push fraudulent crypto notifications. In 2023, Namecheap’s email infrastructure faced a similar hijack for credential phishing. The FBI recorded more than $16.6 billion in reported online fraud losses in 2024 alone. The common thread: attackers borrow the real infrastructure instead of building fakes. YourNewsClub monitors this category of trusted-infrastructure abuse as a distinct threat class – harder to defend against because standard filters have no basis to question a verified sender.

Owen Radner, who studies digital infrastructure as energy-information transport systems, draws a structural conclusion: “When product and infrastructure collapse into the same address space – when the email for a two-factor code arrives from the same domain as a scam – the product-layer trust guarantee becomes meaningless. The fix has to happen at the infrastructure layer. Patching the product surface without addressing the account-creation vector just moves the problem.”

The practical impact falls hardest on enterprise security teams. Organisations that rely on msonlineservicesteam@microsoftonline.com for security-critical workflows – password resets, MFA codes, account change notifications – now operate with ambient doubt that cannot be resolved by the standard instruction to check the sender address. That instruction fails here. YourNewsClub reads the absence of a public Microsoft acknowledgement, as of Thursday afternoon, as the most operationally significant gap in the story.

The broader question: how does account-creation access at a platform of Microsoft’s scale translate into legitimate-domain email sending without triggering automated abuse detection? That answer remains unclear. What is clear is that the loophole has been active long enough to generate volume that multiple independent users noticed. Your News Club identifies the account-creation permission boundary as the logical starting point for remediation – restricting what newly created accounts can do in terms of outbound email until the vector is closed.

What to watch: whether Microsoft issues a public security advisory, whether it restricts outbound email from newly created accounts, and whether enterprise administrators receive interim detection guidance. Microsoft’s commercial email infrastructure touches more than 400 million active commercial seats globally – a delayed public response is operationally costly for every security team waiting. The company’s response timeline and the appearance of secondary reports confirming the exploit’s scope will remain critical variables to track.

You may also like