It’s official. [email protected] is no longer safe.
If you’ve gotten a text message with a weird link recently, or an email subject line that looks just a bit too urgent, check the sender. If it says that address—bingo. It’s Microsoft. It’s real. And that’s the problem.
Scammers aren’t spoofing the domain. They’re weaponizing the actual system.
The Trust Exploit
We are taught to check sender addresses. If it’s @microsoft.com, it must be legitimate, we think. Not anymore.
Attackers have figured out a clever, low-tech way to hijack the notification engine. They don’t need to break into Microsoft’s servers. They just need to rent one.
Here is the play, detailed by cybersecurity firm Abnormal:
- The bad actor spins up a disposable Microsoft 365 account.
- They go into the Tenant Branding settings (specifically in Microsoft Entra ID).
- They change the “Name” field of that tenant to the scam message itself. A fake financial alert. A phishing prompt. Whatever catches your eye.
- They trigger an automated action that forces Microsoft to send an email to the victim. Often this means adding the victim’s email address to the account, which generates the notification.
Because Microsoft’s system is sending the notification, it uses the legitimate [email protected] address.
The email content? Minimal.
No malicious attachments. No creepy hyperlinks leading to a fake login page. Just a subject line and maybe a bit of body text. The text? That’s the “Name” field the attacker edited earlier. It sits in the header or body as raw data from a trusted source.
The core exploit lies in the configuration within Microsoft Entra ID.
Your spam filters look at the sender. They see Microsoft. They let it slide. There are no malware signatures to trip over. The email is technically clean, even though the intent is malicious.
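Because the sender check passes and there is no attachment or link to inspect, the only thing left to examine is the text that came from the attacker-edited “Name” field. The following Python is an added example (not code from this article or from Abnormal) of a mail-gateway rule that looks at exactly that: it accepts only messages from the genuine notification sender, lets through notifications that mention a tenant you actually expect, and flags the rest when the subject or body carries lure indicators. The sender address is a placeholder because the article shows it only in redacted form, the expected-tenant list is hypothetical, and the two sample messages are constructed.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# HYPOTHETICAL placeholder: the article redacts the real notification sender, so put the
# exact From address you observe on genuine Microsoft tenant notifications here.
TRUSTED_NOTIFICATION_SENDER = "tenant-notify@example.invalid"

# Hypothetical: tenant display names this organisation legitimately expects to hear about.
EXPECTED_TENANT_NAMES = {"Contoso Ltd"}

# Lure indicators: an organisation name should not contain these, a scam message usually does.
URGENCY = re.compile(r"\b(urgent|immediately|suspended|unauthori[sz]ed|call now|refund|charged)\b", re.I)
MONEY = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

def _header(msg, name):
    # Decode RFC 2047 encoded-words so the check sees the same text the user sees.
    return str(make_header(decode_header(msg.get(name, ""))))

def _plain_text(msg):
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts)

def score_notification(raw):
    """Classify one raw RFC 5322 message. Returns (suspicious, reasons)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != TRUSTED_NOTIFICATION_SENDER:
        return False, ["not a tenant notification"]   # rule is scoped to this sender only
    text = _header(msg, "Subject") + "\n" + _plain_text(msg)
    if any(name in text for name in EXPECTED_TENANT_NAMES):
        return False, ["expected tenant"]              # the one case the org asked for
    reasons = [label for label, rx in (("urgency", URGENCY), ("amount", MONEY), ("phone", PHONE))
               if rx.search(text)]
    return bool(reasons), reasons or ["no lure indicators"]

# Constructed sample messages (not real mail): a genuine invite and a tenant-name lure.
LEGIT = (f"From: {TRUSTED_NOTIFICATION_SENDER}\nSubject: You're invited to Contoso Ltd\n\n"
         "Contoso Ltd has invited you to collaborate.\n")
LURE = (f"From: {TRUSTED_NOTIFICATION_SENDER}\n"
        "Subject: You're invited to INVOICE $499.99 charged - call +1 800 555 0199 immediately\n\n"
        "INVOICE $499.99 charged - call +1 800 555 0199 immediately has invited you to collaborate.\n")

if __name__ == "__main__":
    for label, m in (("legit", LEGIT), ("lure", LURE)):
        print(label, score_notification(m))
```

The expected-tenant allowlist is what keeps the rule from quarantining real invitations; the keyword and pattern lists are a starting point to tune against the notifications your own users receive.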
How long has this been going on?
For a while.
You might have noticed people on Twitter complaining about this lately, but Abnormal wrote about this tactic back in January. Bad actors love efficiency. If one method works, thousands will copy it. And this method? It bypasses the most expensive security layers because it relies on trust.
Why would your email provider block an email that comes straight from a Microsoft tenant verification process? It shouldn’t. Until it should.
Microsoft has not released a public statement or fix for this specific branding abuse yet, according to reports.
So you’re on your own.
What do you do now?
Ignore the sender address.
Look at the context. Did you ask Microsoft to change your tenant name? Probably not. Does the subject line look like a generic notification, or does it contain a specific demand?
“The attacker navigates to Tenant Properties…”
That sounds boring. That sounds like IT paperwork. But that boring paperwork is the weapon.
Keep your eyes open. If an email arrives from that address and you were expecting nothing, pause. Check the URL in your browser address bar, not the email links. Delete the suspicious bits.
The internet isn’t secure anymore. It’s just convenient.
Be careful out there.
