Scammers have been exploiting a loophole to send spam emails from an internal Microsoft email address, [email protected], which is normally used to send legitimate account alerts to users [1, 2].
The abusive activity has been ongoing for several months, targeting Microsoft users with fraud-themed messages whose subject lines refer to unauthorized transactions or private messages. These emails contain links to fraudulent websites designed to scam recipients [1, 2].
The spam emails were notably reported during the week of May 18-21, 2026, when multiple users across different accounts received messages from this internal Microsoft address containing scam links [1].
On May 19, 2026, the anti-spam nonprofit Spamhaus publicly highlighted the issue and notified Microsoft about the ongoing abuse of its notification email account. Spamhaus criticized automated notification systems, stating that they "should not allow this level of customization," implying that the system’s flexibility is enabling scammers to spoof or hijack these messages [1].
Microsoft has since been informed but has not yet taken public action to stop or comment on the misuse of its official email address for spam purposes [1, 2].
Similar email scams have been reported recently targeting other companies such as investment platform Betterment and domain registrar Namecheap, indicating a wider trend of abusing internal notification accounts at major tech and finance firms [1, 2].
Security experts warn users to be cautious of messages purporting to be from internal Microsoft accounts, especially those that urge clicking on links related to transactions or private communications.
No updates have been provided on when Microsoft will close the loophole or officially address the issue, leaving the notification email account open to further abuse.
The situation remains active with no announced resolution date as of now [1, 2].