New, by me: Scammers are abusing a legitimate internal Microsoft account (used for sending critical account alerts and MFA codes to users logging in) to send spam and scam emails.
We first saw a flood of these emails last week, but anti-spam project Spamhaus says this has been going on for months.
More: https://techcrunch.com/2026/05/21/scammers-are-abusing-an-internal-microsoft-account-to-send-spam
@zackwhittaker also, anecdotally, most people i've asked have had a legit 2FA email: "We received your request for a single-use code to use with your Microsoft account." sent to them this week relating to their personal account. Something is going on.
@zackwhittaker maybe they need antibiotics
These emails are pretty crude (see below) and can be easy to spot as phishy. But abusing this legitimate Microsoft account typically used for real account notifications means that these emails are landing in users' inboxes and not getting flagged as spam.
Read more: https://techcrunch.com/2026/05/21/scammers-are-abusing-an-internal-microsoft-account-to-send-spam/
From last week:
https://mastodon.social/@zackwhittaker/116562360000833298
@zackwhittaker saw this attack vector used in an invoice redirection attack. Bypassed all email filters and landed in victim's inbox
@brianhonan yeah! Microslop strikes again.
@zackwhittaker Perfect timing lol, just finished reading the article. Nuts to me that Microslop has had this on their radar and refuses to do anything about it ...
@zackwhittaker Ooof! This reminds me a lot of Direct Send, which I think might still be enable by default for Exchange Online tenants.
https://www.blackhillsinfosec.com/disabling-m365-direct-send/
@scottwilson turns out a fair number of these companies have similar issues!
Install bonfire.cafe
Get the full app experience
