Scammers are abusing an internal Microsoft account to send spam links

How the abuse works and similar patterns

  • The abused domain is microsoftonline.com. One comment suggests the vector is likely a “notification” or “send alert” feature that lets users choose recipients and write the message body, effectively allowing arbitrary email to be sent from a trusted domain.
  • Similar abuse is reported with PayPal, Meta, Booking.com, Google Groups, and others:
    • PayPal: scammers send legitimate money requests and embed scam text (including fake support numbers) in a freeform “reason” field that looks as official as the real template.
    • Meta business tools: official emails from [email protected] can contain large attacker-controlled blocks, making it hard to distinguish template text from scam text.
    • Booking: phishing messages appear to come “from the hotel” via Booking’s own domain and DM system.
  • General pattern: platforms expose freeform, user-controlled text inside highly trusted system emails, and scammers piggyback on the platform’s legitimacy. Because the mail genuinely originates from the platform, sender authentication (SPF, DKIM, DMARC) passes; it vouches for the sending domain, not for the body.

Microsoft’s domain sprawl and trust problems

  • Many commenters find microsoftonline.com and Microsoft’s overall domain strategy confusing; some doubt even Microsoft has a complete internal list.
  • Discussion notes hundreds of Microsoft-owned domains, including obscure ones; people are surprised by both the number and the lack of clear public signaling.
  • Some say microsoft.com is controlled by marketing, so many “real” services moved onto other domains; newer domains like cloud.microsoft add to complexity.
  • Concerns that users are told to “check the domain” but vendors don’t provide a canonical, signed list of official sending domains.

Proposed fixes and constraints

  • Multiple suggestions:
    • Restrict email to clear subdomains of a core domain (e.g., *.microsoft.com) or a small, well-documented set.
    • Publish an authoritative, signed list of email-sending domains; keep unreleased products off the list until launch.
  • Some argue a complete internal list may be organizationally or policy-wise “not allowed,” though others counter that treating domain existence as sensitive is itself a red flag.
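An added example, not from the thread or from any vendor, that ties the pattern described under “How the abuse works” to the allowlist suggestion above: a small Python triage script that accepts a message only after the DKIM-authenticated domain (taken from the Authentication-Results header stamped by our own mail gateway, never from one the sender could forge) is on a published allowlist of official sending domains, and then still flags attacker-controlled content, namely links to hosts outside that allowlist and phone numbers in the body. The sample message, the gateway id mx.example.net and the allowlist are constructed for illustration; the point it demonstrates is that “check the domain” passes on exactly the messages this thread is about.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical published allowlist of official sending domains (constructed).
OFFICIAL_SENDING_DOMAINS = ("microsoft.com", "microsoftonline.com")

# Constructed sample: a notification that really was sent through the vendor's
# mail system (DKIM passes) but whose freeform body carries scam text.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=microsoftonline.com header.s=selector1;
 spf=pass smtp.mailfrom=microsoftonline.com
From: "Account Notifications" <no-reply@microsoftonline.com>
To: victim@example.net
Subject: Your account needs attention
Content-Type: text/plain; charset=utf-8

A sign-in attempt was blocked. Review it here:
https://login.microsoftonline.com/review
Or call support at 1-800-555-0199 and visit http://secure-ms-helpdesk.example/recover
"""

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")


def under_domain(host, org_domains):
    """True if host equals or is a subdomain of an allowlisted domain.
    The dot boundary rejects look-alikes such as evil-microsoft.com and
    microsoftonline.com.evil.example."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in org_domains)


def authenticated_domain(msg, authserv_id):
    """DKIM-authenticated domain (header.d=) from the Authentication-Results
    header added by our own gateway. Headers naming any other authserv-id
    are ignored, because a sender can add those itself."""
    for raw in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\s+", " ", str(raw)).strip()
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != authserv_id.lower():
            continue
        m = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I)
        if m:
            return m.group(1).lower()
    return None


def foreign_links(body, org_domains):
    """URLs in the body whose host is not under any official domain."""
    return [u for u in URL_RE.findall(body)
            if not under_domain(urlparse(u).hostname or "", org_domains)]


def triage(raw_message, authserv_id, org_domains):
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    auth_domain = authenticated_domain(msg, authserv_id)
    sender_ok = auth_domain is not None and under_domain(auth_domain, org_domains)
    body = msg.get_content()
    findings = {
        "from_domain": from_domain,
        "authenticated_domain": auth_domain,
        "sender_on_allowlist": sender_ok,
        "foreign_links": foreign_links(body, org_domains),
        "phone_numbers": PHONE_RE.findall(body),
    }
    if not sender_ok:
        findings["verdict"] = "unauthenticated"
    elif findings["foreign_links"] or findings["phone_numbers"]:
        # The domain check passed; only the content check catches the scam.
        findings["verdict"] = "authenticated-but-untrusted-content"
    else:
        findings["verdict"] = "ok"
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL, "mx.example.net",
                             OFFICIAL_SENDING_DOMAINS).items():
        print(f"{key}: {value}")
```

On the sample, the sender passes every domain-based check (DKIM pass for microsoftonline.com, which is on the allowlist), and the message is only caught by the content heuristics: the off-allowlist link and the phone number. Real deployments would replace the constructed allowlist with the vendor’s published list once one exists, and would extend the content checks with whatever the organisation considers out of place in an automated notification.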

Broader ecosystem & user experiences

  • Many reports of bank, hotel, and phone scams; debate over whether banks should ever call customers and how to authenticate outbound calls.
  • Complaints about Microsoft security UX:
    • Authenticator prompts with no matching sign-in history.
    • Default passwordless flows that rely solely on email + app prompt.
    • Account lockouts triggered by attackers’ repeated failed logins, which turns the lockout policy into a denial of service against the legitimate user.
  • Frustration with big providers (Microsoft, Google) allegedly ignoring abuse reports or making abuse channels ineffective.
  • Overall sentiment: large vendors’ messy domain and notification designs meaningfully undermine user ability to spot scams.