35 comments

[ 4.6 ms ] story [ 57.7 ms ] thread
How does it work when a genuine microsoft domain is spending out spam?

Do other email providers penalize that specific domain only, or all microsoft domains to a tiny degree?

Is something similar happening with paypal? I've been getting seemly emails from the PayPal domain that are obviously a scam.
A while back I had a reservation with a hotel on Booking and I received a phish attempt that came directly via the Booking site domain email and also DMs but "sent" by the hotel. When I looked into it at the time, it seemed less like an issue of hotels specifically having their accounts infiltrated and more like some kind of message/email endpoint on Booking's end was being abused in a similar manner.

I'm not sure this is the same type of issue but found this interesting, especially since apparently it's been reported to MS and no action has been taken.

Who even can be sure microsoftonline.com is legit. Microsoft's domain story is such a mess, I wouldn't be surprised if not even internally they have one complete list of all the domain assets they own.

But they are not alone. It is kind of ironic when companies insist that we check the domain to spot spam but are unable publish a list with all domains they officially use to send mail.

> Microsoft's domain story is such a mess

You mean like how they moved from a perfectly legible and rememberable domain like office.com to the strange vanity domain m365.cloud.microsoft?

the domain that ever m365 tennant exists on? that microsoftonline.com?
Pretty apropos and quite ironically encapsulates what Microsoft has turned into over the past few years in particular.

Imagine this is some truly errant copilot instance truly embracing its slop destiny.

lol

I'm receiving daily about 20 to 30 spam mails from google servers. I'm sorting them into a separate SPAM folder for the "fun" of it.

Who to contact? How to make Google stop? Where to report the abuse of their services? I can't find out. The whole service is basically a big <bleep> off and "we don't want any contact."

Maybe I also need to publish some article, so it can be published here on HN? Maybe that could give it some traction for someone at Google to look into it?

Did anyone there try to ask ChatGPT to come up with a solution?
On a semi-related note, Microsoft security is genuinely terrible.

For the past week, my Microsoft authenticator has been pinging about sign-ins from random places. Except the login history page is completely empty. Not even my own sign ins show up.

Now, you would be forgiven for thinking it's because my password leaked, but no. The default sign in flow with the app enabled is email + authenticator. No password required. In their eternal wisdom this option is not changeable in the app.

Microsoft really should realize that the only reason the account still exists is because they bought Minecraft and stop complicating my life.

Agreed; and more generally, Microsoft's online services in general are terrible. Their login system is a mess, their UX is awful... our company is a microsoft partner but there's like 27 different ways to be one, with a bunch of different accounts, forms and systems for it. Azure UX is atrocious. And this nonsense spills into every single enterprise product they offer too (how many people complain about Teams?).

Here in Belgium, 80% of enterprise accounts use MS over Google and I genuinely don't get why. (Without getting into the fiasco of not really having an EU alternative to either of those)

Yes it is completely broken. Everyone should disable microsoft authenticator and uninstall it. It is a massive vector.
You have to create a new @outlook email to use as a username only you know, and then remove your actual email as a sign-in option. Only way to mitigate the MFA spam currently.
big vendors asking users to inspect domains while spreading mail across unclear domains is part of the problem. publishing a signed, boring source of truth for official sending domains would help defenders a lot.
I got one of those random 2auth codes email and I assumed my password had been compromised. At least it's some kind of relief to know that it's only a compromised Microsoft email address...
Meta had(has?) a similar bug with one of their business manager features, the attacker has complete control of the initial body text which makes it highly convincing.

Trying to report this was an exercise in futility, I guess they get so much beg bounty spam that their security submission process filters out the occasional legitimate issue.

I feel sad that what I think of as the obvious solution, companies using subdomains like internal.microsoft.com instead of making a million different domains, is so far from happening that no one here on HN has even brought it up.
I've been receiving loads of spam from google MX servers lately until blocking all mails with X-Google-Group-Id headers. I don't know how it's possible, the contents were 100% spammer controlled, no Google template
My employer's domain starts with "m". Bunch of people recently fell victim for a fishing email whose domain started with "rn". In Outlook 's font the two look almost identical.
Yes, the Outlook sender font is such a joke. They preach about 365 security but don’t practice basics.
(comment deleted)
I got a coinbase scam from @akamai.com once. One of their acquisitions had a bad SPF I believe.
Damn. And this completely bypasses any anti-spoofing protection.
This is a long-standing issue that has persisted for years.
I own a domain and have a catch all email. I routinely get emails from Microsoft and Google's official email addresses telling me that some account will be closed, or some other account notifications. I never created these accounts, and when I try to log into them or do a password reset, it does not go anywhere. It's been a minor mystery why I keep getting these emails for a while.

The Microsoft emails are coming from microsoft-noreply@microsoft.com so it's a bit different than in this article.