Scammers Are Using Microsoft's Own Email Address to Scam You in 2026

16 June 2026

You check your inbox. You see an email from msonlineservicesteam@microsoftonline.com. It looks official. It passes every spam filter. It lands directly in your inbox — not your junk folder. You assume it's real. You click.

That is exactly what scammers in 2026 are counting on.

This is not your grandfather's phishing email with broken English and fake logos. This is a sophisticated, next-level scam where criminals have found a loophole inside Microsoft's own systems — and they are using it to send fraudulent emails from a genuine Microsoft email address. The result? Millions of users are being deceived by emails that are, in every technical sense, coming directly from Microsoft.

Here is the full story.

What Happened: The Scam That Broke the Rules

For months leading up to May 2026, cybersecurity researchers began noticing something deeply unusual. Spam emails promoting scam websites and fraudulent offers were arriving in inboxes worldwide — but they were not coming from fake or spoofed addresses. They were being sent from msonlineservicesteam@microsoftonline.com, the same email address Microsoft uses for real, critical account notifications like two-factor authentication codes and login alerts.

The entire story came to the public eye on the 21st of May 2026. TechCrunch Security Editor Zack Whittaker reported that he personally received numerous similar emails from different email accounts, all of which came via this confirmed Microsoft address. These subject line messages were created to resemble genuine Microsoft security alerts - warning of fraudulent transactions, or saying that an encrypted message was in the queue. The emails included hyperlinks to fraudulent websites.

This was not a case of someone faking a Microsoft address. The emails were genuinely originating from within Microsoft's own notification infrastructure.

How Did Scammers Pull This Off?

The core of how Microsoft tech scams us in this case is almost embarrassingly simple — though its consequences are serious.

Scammers discovered they could register new Microsoft accounts as if they were regular customers. Once inside the system, they exploited a flaw in how Microsoft's automated notification service handles outbound messaging. The notification system — designed to keep customization flexible for legitimate users — was not built with sufficient guardrails to prevent bad actors from injecting scam content and sending it out through the official channel.

In other words, they signed up, found a backdoor in the email system, and started sending. Because the emails originated from a legitimate Microsoft server, they passed all standard security checks — SPF, DKIM, and DMARC authentication protocols that email providers use to detect fakes. Every technical green flag was lit.

Anti-spam non-profit The Spamhaus Project confirmed they had been tracking this abuse for several months before it went public. In a social media post, Spamhaus noted the activity dated back "several months". They stated plainly: "Automated notification systems should not allow this level of customization." They added that they had already notified Microsoft about the problem.

Microsoft's Response: Silence at a Critical Moment

When TechCrunch reached out to Microsoft for comment, a spokesperson acknowledged the inquiry — but provided no statement, no explanation, and no confirmation that the loophole had been closed.

As of May 21, 2026, Microsoft had not publicly addressed the exploit or stated whether it had taken action to stop the abuse.

This silence is significant. Microsoft's own notification address — trusted by hundreds of millions of users worldwide — was being weaponized against those very users, and the company had not yet shut it down.

This is part of a broader pattern of how Microsoft Windows support scams us: not always through brute-force hacking, but through exploiting the deep trust users place in Microsoft's brand, systems and communications.

Why This Scam Is Especially Dangerous

Most email scams are relatively easy to spot if you know what to look for — a mismatched sender domain, poor grammar, a suspicious-looking link. This scam strips away almost all the usual warning signs.

Here is what made it so effective:

  • The sender address was 100% real. No spoofing, no typos, no lookalike domains.
  • The emails passed all security filters. Gmail, Outlook, and corporate mail servers all let them through.
  • The format mimicked genuine Microsoft alerts. Subject lines referenced account security and transactions — exactly what a real Microsoft email might say.
  • There was no way for an average user to know. Even experienced tech users were caught off guard.

This represents a new evolution in how Microsoft tech scams us — moving beyond fake pop-ups and impersonation calls to exploiting the company's own infrastructure as a delivery weapon.

You Are Not the Only Target

While this particular scam was targeted at individual Microsoft account holders, TechCrunch noted that other users of social media were reporting similar incidents on other email addresses as well, suggesting an overall trend of scammers uncovering notification system loopholes in the technology business.

It's not the only incident. In the year 2026, hackers hacked into a fintech platform firm, Betterment and sent fake crypto scam alerts to its customers. In 2023, the Namecheap email account was also hijacked to send fake emails and steal user passwords.

The pattern is clear: scammers are no longer just knocking on the front door with fake emails. They are finding side doors inside legitimate company systems and walking straight in.

How to Protect Yourself Right Now

Even when an email comes from what looks like — or technically is — a real Microsoft address, here is how to stay safe:

  1. Never click links in unexpected emails. Even if the sender looks legitimate, go directly to microsoft.com in your browser instead of clicking any link in the email.
  2. Check what the email is actually asking you to do. Microsoft will never ask you to click a link to claim a prize, send money or call a support number via email.
  3. Look at the content, not just the sender. Scam emails often have vague or alarming subject lines, poor formatting, or links that lead to non-Microsoft websites.
  4. Enable two-factor authentication — but never share your code. A one-time code is for you only. No Microsoft employee or support agent will ever ask you to read it to them.
  5. Report suspicious emails. Forward them to phishing@microsoft.com or report via your email provider's built-in tools.
  6. Keep your antivirus software updated. Even if you accidentally click a link, good security software can block the scam page before damage is done.

The Bigger Picture: Trust Is the New Attack Surface

The 2026 Microsoft real email scam represents a turning point in cybercrime. For years, the advice was simple: check the sender's address. Now, that advice alone is not enough.

When scammers can operate from inside a company's own mailing infrastructure, the traditional rules of detecting fraud break down. The burden of protection shifts — not just to individuals staying alert, but to tech giants like Microsoft building systems that cannot be so easily abused.

Until Microsoft closes this loophole completely and publicly confirms it, every user who relies on Microsoft products — Windows, Outlook, Microsoft 365 — needs to treat every email with an extra layer of skepticism, even those that look perfectly genuine.

That is exactly how Microsoft Windows support scams us in 2026: not with obvious lies, but with our own trust turned against us.

References

  1. Zack Whittaker, "Scammers are abusing an internal Microsoft account to send spam links", TechCrunch, May 21, 2026. → https://techcrunch.com/2026/05/21/scammers-are-abusing-an-internal-microsoft-account-to-send-spam/
  2. The Spamhaus Project, Social post on Infosec.Exchange, May 2026 →  https://infosec.exchange/@spamhaus/116601270466207765
  3. Microsoft Support, "Protect yourself from tech support scams" https://support.microsoft.com/en-us/windows/protect-yourself-from-tech-support-scams
  4. Microsoft Support, "Avoid and report Microsoft technical support scams" https://support.microsoft.com/en-us/security/avoid-and-report-microsoft-technical-support-scams
  5. Lorenzo Franceschi-Bicchierai, "Fintech firm Betterment confirms data breach after hackers send fake crypto scam notification", TechCrunch, January 2026. → https://techcrunch.com/2026/01/12/fintech-firm-betterment-confirms-data-breach-after-hackers-send-fake-crypto-scam-notification-to-users/ 

Frequently Asked Questions (FAQs) -

Q. Did Microsoft itself send those scam emails? 

A. No. Microsoft's email infrastructure was exploited by outside scammers who found a loophole in the notification system. Microsoft did not knowingly send scam emails, but the emails did originate from a real Microsoft address due to the vulnerability.

Q. How do I know if an email from Microsoft is real or a scam? 

A. Check what it asks you to do. Real Microsoft emails never ask you to click suspicious links, call a phone number, share a one-time code, or send payment. When in doubt, go directly to microsoft.com in your browser rather than clicking any link.

Q. Is the loophole fixed now? 

A. As of May 21, 2026, Microsoft had not publicly confirmed that the loophole was closed. It is advisable to remain cautious with all unsolicited emails, even those from Microsoft addresses.

Q. Can my antivirus software protect me from this kind of scam?

A. A good antivirus program can block the scam landing pages and malicious links even if you click them. However, it cannot prevent the emails from arriving. Your best protection is vigilance — do not click links in unexpected emails.

Q. Has Microsoft been hacked? 

A. Not in the traditional sense. Scammers did not "hack" Microsoft's servers. They exploited a design flaw in how the notification system allows customization, essentially tricking the system into delivering their content through an official channel.

Q. What should I do if I already clicked a link in one of these emails?

A. Immediately run a full antivirus scan, change your Microsoft account password, enable two-factor authentication if not already active and check your account's recent activity for anything suspicious. If financial information was entered, contact your bank right away.

Q. Are other companies affected by similar scams? 

A. Yes. Reports from social media users and cybersecurity researchers suggest other tech companies' notification systems have been similarly abused. This appears to be an industry-wide vulnerability, not limited to Microsoft alone.

Subscribe Newsletter