There’s a rash of scam spam coming from a real Microsoft address


SirOmega

Ars Tribunus Angusticlavius
6,194
Subscriptor++
You'd think that reporting this to Microsoft would have an impact.

In order to send reports to external email addresses (outside of your organization) it's required for Power BI to be backed by a premium instance (starting at 5k/mo) or Microsoft Fabric. I would assume there is some paper trail of payment that would be involved in the scammers getting the environment set up so they could do this.
 
Upvote
64 (64 / 0)

buymysoul

Wise, Aged Ars Veteran
126
Subscriptor++
Reminds me a bit about a onedrive email i got from a known (but compromised) contact. Had a link to a pdf for an “invoice” but I can’t remember what our security team said was in it.

MS knows who published/owns the report, they should include that as the sending email address like they do with sharing onedrive documents.
 
Upvote
29 (29 / 0)

adespoton

Ars Legatus Legionis
10,709
You'd think that reporting this to Microsoft would have an impact.

In order to send reports to external email addresses (outside of your organization) it's required for Power BI to be backed by a premium instance (starting at 5k/mo) or Microsoft Fabric. I would assume there is some paper trail of payment that would be involved in the scammers getting the environment set up so they could do this.
Unlikely. The spammers are probably using a compromised environment and not their own Power BI premium instance. These days, it's probably more than one compromised environment.

The open question is: doesn't Microsoft have some logic in place to flag anomalous Power BI mailouts and third party mail additions?
 
Upvote
54 (54 / 0)

MST2.021K

Ars Scholae Palatinae
824
Subscriptor
I'll be that guy: the errors in this message scream that this is a scam.

Billing in the subject is misspelled.

The message is from Microsoft about a Norton subscription.

The grammar is atrocious - let's capitalize each word!

Subscribed by a user/email with zero connection to Microsoft or Norton.

Does this even have a certificate from Microsoft?
 
Upvote
22 (31 / -9)

Autapomorphy

Ars Praetorian
539
Subscriptor
I'll be that guy: the errors in this message scream that this is a scam.

Billing in the subject is misspelled.

The message is from Microsoft about a Norton subscription.

The grammar is atrocious - let's capitalize each word!

Subscribed by a user/email with zero connection to Microsoft or Norton.

Does this even have a certificate from Microsoft?
Those are just minor details. The real giveaway that this is fake is that a person answered the call. :rimshot:
 
Upvote
115 (115 / 0)

TylerH

Ars Praefectus
4,957
Subscriptor
I'll be that guy: the errors in this message scream that this is a scam.

Billing in the subject is misspelled.

The message is from Microsoft about a Norton subscription.

The grammar is atrocious - let's capitalize each word!

Subscribed by a user/email with zero connection to Microsoft or Norton.

Does this even have a certificate from Microsoft?
To the author's credit, they did mention at the end of the article that such scams are easy to spot for experienced users.
 
Upvote
39 (39 / 0)

elellel

Smack-Fu Master, in training
1
Subscriptor
I'll be that guy: the errors in this message scream that this is a scam.

Billing in the subject is misspelled.

The message is from Microsoft about a Norton subscription.

The grammar is atrocious - let's capitalize each word!

Subscribed by a user/email with zero connection to Microsoft or Norton.

Does this even have a certificate from Microsoft?
As the person who sent in this tip to begin with, my real concern is the existence of the attack vector, rather than the particular scam. If this scam operation has the ability to send social engineering scams literally from Microsoft’s domain without spoofing it, that’s pretty concerning regardless of how amateurish a particular attack may be/appear.

Thanks, Dan, for thoroughly and quickly reporting this!
 
Upvote
123 (123 / 0)

Synthe

Ars Scholae Palatinae
821
Subscriptor++
I received one of these scam emails yesterday, and my M365 mailbox had already moved it to Junk Mail, so even Microsoft doesn't think it is legit. Telltale sign for me was the fact that it was from Microsoft, but referenced an order with PayPal, and misspelled "billed". Part of the email:

𝐁𝟏𝐋𝐋𝐄𝐃 𝐔𝐒𝐃 𝟲𝟵𝟵.𝟵𝟵. 𝐈𝐟 𝐮𝐧𝐚𝐮𝐭𝐡𝐨𝐫𝐢𝐳𝐞𝐝, 𝐜𝐚𝐥𝐥 +𝟭-(unicode numbers)

Invoice Id: 20815107PZIK Dear Customer, Thank you for your order with PayPal. Your order has been successfully placed. The charges will be shown soon in your recent activity. If you did not approve this charge reach :+1 (same phone number, at least consistent)
 
Upvote
16 (16 / 0)
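The "𝐁𝟏𝐋𝐋𝐄𝐃" in the quoted message is written in Unicode mathematical bold letters and sans-serif bold digits, which look like ASCII to a reader but are different code points to a keyword filter. The following is an added example, not code from the post or from Microsoft, showing how a triage script can fold such text back to ASCII with NFKC normalization and then catch the digit-for-letter swap and the embedded callback number. The sample text is constructed to mirror the quoted snippet (the phone number is fictitious), and the keyword list is an assumption.

```python
import re
import unicodedata

# Code-point bases for the Mathematical Alphanumeric Symbols used in the lure:
# bold capitals, bold lowercase, bold digits, sans-serif bold digits.
_BOLD_UPPER, _BOLD_LOWER, _BOLD_DIGIT, _SANS_BOLD_DIGIT = 0x1D400, 0x1D41A, 0x1D7CE, 0x1D7EC


def obfuscate(text: str, sans_digits: bool = False) -> str:
    """Rewrite ASCII letters and digits as their math-bold lookalikes (how the lure was made)."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr(_BOLD_UPPER + ord(ch) - ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr(_BOLD_LOWER + ord(ch) - ord("a")))
        elif "0" <= ch <= "9":
            out.append(chr((_SANS_BOLD_DIGIT if sans_digits else _BOLD_DIGIT) + int(ch)))
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample mirroring the quoted message; the phone number is fictitious.
SAMPLE = (obfuscate("B1LLED USD ") + obfuscate("699.99", sans_digits=True)
          + obfuscate(". If unauthorized, call +") + obfuscate("1-800-555-0199", sans_digits=True))


def unmask(text: str) -> str:
    """NFKC folds compatibility lookalikes (math bold, fullwidth, ...) back to plain ASCII."""
    return unicodedata.normalize("NFKC", text)


def masked_count(text: str) -> int:
    """Non-ASCII characters that become ASCII under NFKC: a cheap obfuscation score."""
    return sum(1 for ch in text if ord(ch) > 0x7F and unmask(ch).isascii())


# Digits commonly swapped for the letters they resemble, and the scam vocabulary
# to compare against after the swap (assumed list; extend for your environment).
_LEET = str.maketrans("013457", "OIEAST")
_KEYWORDS = {"BILLED", "BILLING", "INVOICE", "PAYPAL", "PAYMENT", "UNAUTHORIZED", "NORTON", "MCAFEE"}


def leet_words(text: str) -> list:
    """Words that read as a scam keyword once digits are swapped for the letters they mimic."""
    hits = []
    for word in re.findall(r"[A-Za-z0-9]{4,}", unmask(text)):
        if any(c.isdigit() for c in word) and word.upper().translate(_LEET) in _KEYWORDS:
            hits.append(word)
    return hits


_PHONE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")


def phone_numbers(text: str) -> list:
    """Callback numbers, extracted from the normalized text so digit variants cannot hide them."""
    return _PHONE.findall(unmask(text))


def analyze(text: str) -> dict:
    return {"normalized": unmask(text), "masked_chars": masked_count(text),
            "leet_words": leet_words(text), "phones": phone_numbers(text)}


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Run the normalization before any keyword or phone-number rule; a rule keyed on the literal string "PayPal" or "billed" never sees the raw characters the sender used.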
It's honestly lunacy that MS doesn't at least include the customer tenant in the sender address; but unless there are any very recent changes or services I'm not thinking of, the only one where they actually do that is Exchange Online, while SharePoint, Power BI, Power Automate/Flow, etc. can only be coaxed to send a limited number of message types, but will send them from generic addresses.

There's enough phish potential if you get a good/banal tenant name that they should probably leave their own domains entirely out of stuff that you can get them to send on your behalf; but the generic no-reply @Microsoft or @sharepoint/sharepointonline stuff is madness.

Secure by design, they said. Secure by default, they said.
 
Upvote
26 (26 / 0)

SnoopCatt

Ars Praetorian
2,471
Subscriptor
I received two similar emails about a week ago, sent to my iCloud account, which was subscribed to a PowerBI workflow. Since I don't have any crypto, a "suspicious crypto acquisition attempt" email was a fairly obvious clue that it was spam. Out of curiosity, I've just checked the mail headers, and it is legitimately from a microsoft.com domain.
 
Upvote
23 (23 / 0)
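The header check described in the post above is the right first step, but passing SPF/DKIM/DMARC only proves the platform really sent the mail; it says nothing about who wrote the content. The block below is an added example, not code from the post or from any vendor: it parses the Authentication-Results header the way a triage script would, confirms alignment between the DKIM signing domain and the From domain, and then applies the content-layer checks the thread keeps coming back to (a third-party brand named in a mail from an unrelated domain, a callback number in the body). The raw message is constructed; the domain saas-platform.example stands in for the platform domain and the phone number is fictitious.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample message, not one of the real lures. The platform domain stands
# in for the Microsoft domain discussed in the thread; the phone number is fictitious.
RAW_MESSAGE = b"""\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bounce.saas-platform.example;
 dkim=pass header.d=saas-platform.example header.s=selector1;
 dmarc=pass action=none header.from=saas-platform.example
From: "Reports" <no-reply@saas-platform.example>
To: victim@example.org
Subject: Your report is ready
Content-Type: text/plain; charset=utf-8

Invoice Id: 00000000ABCD
Dear Customer, Thank you for your order with PayPal. Your order has been
successfully placed. If you did not approve this charge call +1-800-555-0199.
"""

_AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
_DKIM_DOMAIN = re.compile(r"header\.d=([\w.-]+)")
_PHONE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
BRANDS = ("paypal", "norton", "mcafee")  # brands the lures in this thread impersonate


def parse_auth_results(msg) -> dict:
    """Collect method=result pairs from every Authentication-Results header.
    The first (topmost) header wins, since that is the one your own MX added."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        text = " ".join(str(header).split())  # collapse folded continuation lines
        for method, result in _AUTH_RESULT.findall(text):
            results.setdefault(method, result.lower())
        match = _DKIM_DOMAIN.search(text)
        if match:
            results.setdefault("dkim_domain", match.group(1).lower())
    return results


def from_domain(msg) -> str:
    """Domain of the RFC 5322 From address, which is what the recipient actually sees."""
    address = email.utils.parseaddr(str(msg["From"]))[1]
    return address.rsplit("@", 1)[-1].lower()


def assess(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    sender = from_domain(msg)
    body = msg.get_body(preferencelist=("plain",)).get_content()

    # Transport-layer truth: did the From domain's infrastructure really send this?
    all_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    aligned = auth.get("dkim_domain") == sender
    authenticated = all_pass and aligned

    # Content-layer signals: a legitimately sent message can still carry attacker text.
    brand_mismatch = [b for b in BRANDS
                      if re.search(rf"\b{b}\b", body, re.IGNORECASE) and b not in sender]
    phones = _PHONE.findall(body)
    verdict = "suspicious" if (brand_mismatch or phones) else "no content-layer flags"

    return {"authenticated": authenticated, "sender_domain": sender, "auth": auth,
            "brand_mismatch": brand_mismatch, "phones": phones, "verdict": verdict}


if __name__ == "__main__":
    print(assess(RAW_MESSAGE))
```

The point of keeping `authenticated` and `verdict` as separate fields is that an "authenticated but suspicious" result is exactly the class of message this thread is about: blocking on the From domain alone would also block the platform's legitimate mail, so the content checks have to carry the decision.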

dangoodin

Ars Tribunus Militum
1,646
Ars Staff
I'll be that guy: the errors in this message scream that this is a scam.

Billing in the subject is misspelled.

The message is from Microsoft about a Norton subscription.

The grammar is atrocious - let's capitalize each word!

Subscribed by a user/email with zero connection to Microsoft or Norton.

Does this even have a certificate from Microsoft?
You're forgetting that you, like most other Ars readers, are the exception, not the rule, when it comes to stuff like this. You don't know a single person with diminished cognition, neurodiversity or other conditions that make them more susceptible than you? Please direct your criticism at the powers making these scams possible, not potential victims.
 
Upvote
48 (49 / -1)

Findecanor

Ars Scholae Palatinae
1,070
You're forgetting that you, like most other Ars readers, are the exception, not the rule, when it comes to stuff like this. You don't know a single person with diminished cognition, neurodiversity or other conditions that make them more susceptible than you? Please direct your criticism at the powers making these scams possible, not potential victims.
Or just tired and stressed.

Also, a tactic that phone-scammers and phishers often use is trying to scare the victim into acting quickly so that the victim does not take their time to read the fine print or consider if something is real or not.

And Microsoft has in recent years, by degrading the experience of its user interfaces and communications (e.g. using dark patterns itself and posting fake news on the Start Menu), made the genuine harder to tell apart from outright scams.
 
Upvote
40 (40 / 0)

conan77

Ars Scholae Palatinae
1,295
You'd think that reporting this to Microsoft would have an impact.

In order to send reports to external email addresses (outside of your organization) it’s required for Power BI to be backed by a premium instance (starting at 5k/mo) or Microsoft Fabric. I would assume there is some paper trail of payment that would be involved in the scammers getting the environment setup so they could do this.
Likely they are sending these from compromised corporate instances. And I bet reporting is being handled by AI.

Why can’t the address be totally-a-legit-company@powerbi.com? Microsoft would never allow just anyone to send emails from no-reply@outlook.com or no-reply@microsoft.com
 
Upvote
16 (16 / 0)

GFKBill

Ars Tribunus Militum
2,907
Subscriptor
Been getting these since Monday to my work (O365 environment) email account.

Today's ones dropped mention of McAfee. None of them have had any egregious misspellings. Random email address cited is the main clue this is dodgy (and PayPal, 'cause I don't use that for work). Also a local NZ phone number, and MS referring me to a PayPal support line* are weird. Some ugly layout too.

* EDIT: earlier versions, just noticed the later ones as pictured below are a lot better grammar. Their AI is learning.
Old version text:

McAfee Received Payment From your PayPal help desk support: +64 3 563-3574

Dear Customer, We have noticed an unauthorized transaction from your PayPal account. If this Transaction was not made by you, please call us +64 3 563-3574 to cancel this order. Otherwise, your $599.99 NZD will be charged today.


 
Upvote
10 (10 / 0)

GreenEnvy

Ars Scholae Palatinae
1,239
I've seen very similar ones to this over the past year, but we got a rash of scarier ones this past week.
It starts with an attacker getting control of someone's email account. In our case it was not one of our business accounts, but a personal email of someone lots of people in the org know. The attacker spams out emails to everyone in their contacts.

The email looks like a typical "please review this document" type, but it links to a legit zoom.us domain.
The zoom page then has a link, which is where it goes to an attacker controlled website.
If a user clicks it, they get a captcha type thing, then a Google login box. If the user were to look at the address bar, they'd see it's not a real google domain, but a lookalike.

The page however, is a live copy of the actual google sign in page. I did some testing and confirmed this is actually going out to Google in the background (attacker relays to actual google site), as my dummy address caused a "couldn't find this account" error until I went and created that account in our Workspace org.
If the user enters their email address, it goes to the next sign in step.

In our case, it goes to our SAML SSO provider, and the user gets the familiar login page they always see, complete with our company logo, since the attacker is showing them a live copy of the legit site. Again the address bar is the give away, if anyone would pay attention.
If the user enters their password, the attacker again relays this to the actual site, and the SSO service then requests whatever MFA type the user has configured.
For most of our users, this is a push to a mobile app on their phones. Since they were logging in, they expect to see this, and they approve it.
This just gave the attacker access to their account, as the MFA push was actually coming from the attackers session. If the user noticed the IP address or city on the push looked wrong, it could have been prevented, but the odds of that are low.

Passkeys and some other MFA types will be immune to this, but lots of other MFA types are vulnerable, like push and authenticator codes. We'd seen articles (including here on Ars last year) about this type of attack, but it's the first time we've seen it in action.
 
Upvote
31 (31 / 0)
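The post above describes a reverse-proxy (adversary-in-the-middle) phish and notes that passkeys resist it while push and code-based MFA do not. The block below is an added example, not code from the post or from any identity vendor, that shows the mechanism behind that difference: a WebAuthn assertion is signed over clientDataJSON, into which the browser writes the origin it is actually displaying, so a relying party that checks the origin rejects an assertion produced on a lookalike host even though the challenge was genuine. For contrast, the same relay carries an RFC 6238 TOTP code through untouched. The hostnames are hypothetical, and the asymmetric signature is stood in for by an HMAC over a random key so the block runs on the standard library alone; the verification steps and their order follow the WebAuthn spec, abridged.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "sso.example.com"                 # relying party ID (hypothetical)
RP_ORIGIN = "https://sso.example.com"     # origin the browser must actually be on
PHISH_ORIGIN = "https://sso-example.com"  # attacker's lookalike host (constructed)


def register_passkey() -> bytes:
    # Real WebAuthn registers an asymmetric key pair; a random HMAC key stands in for
    # it here so the block needs only the standard library. The binding logic is unchanged.
    return secrets.token_bytes(32)


def _signed_bytes(client_data: bytes, auth_data: bytes) -> bytes:
    # WebAuthn signs authenticatorData || SHA-256(clientDataJSON)
    return auth_data + hashlib.sha256(client_data).digest()


def browser_get_assertion(key: bytes, challenge: str, page_origin: str) -> dict:
    """Browser + authenticator side. The browser writes the origin it is really showing
    into clientDataJSON; page script cannot override that field. (A real browser on the
    lookalike host would refuse a request for RP_ID outright; this simulation lets it
    through to show the relying-party check.)"""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    sig = hmac.new(key, _signed_bytes(client_data, auth_data), "sha256").digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(key: bytes, expected_challenge: str, assertion: dict) -> tuple:
    """Relying-party checks, in spec order (abridged)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user-presence flag not set"
    expected = hmac.new(key, _signed_bytes(assertion["clientDataJSON"], ad), "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_direct(key: bytes) -> tuple:
    challenge = secrets.token_urlsafe(32)  # issued by the relying party
    return rp_verify(key, challenge, browser_get_assertion(key, challenge, RP_ORIGIN))


def login_via_proxy(key: bytes, rewrite_origin: bool = False) -> tuple:
    """Adversary-in-the-middle: the proxy fetches a real challenge from the RP and relays
    it to the victim, whose browser is on the lookalike origin."""
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get_assertion(key, challenge, PHISH_ORIGIN)
    if rewrite_origin:
        # The proxy patches the origin before forwarding. The signature covers the hash
        # of clientDataJSON, so this only moves the failure to the signature check.
        cd = json.loads(assertion["clientDataJSON"])
        cd["origin"] = RP_ORIGIN
        assertion = dict(assertion,
                         clientDataJSON=json.dumps(cd, separators=(",", ":")).encode())
    return rp_verify(key, challenge, assertion)


# Contrast: an RFC 6238 TOTP code carries no notion of where it was typed.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, "sha1").digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def login_totp_via_proxy(secret: bytes, unix_time: int) -> bool:
    typed_on_phish_page = totp(secret, unix_time)  # victim reads it off their app
    relayed = typed_on_phish_page                  # proxy forwards it unchanged
    return hmac.compare_digest(relayed, totp(secret, unix_time))  # RP accepts it
```

The same property that stops the relay (the origin is bound into the signed data by the browser, not by the page) is why a push approval offers no protection: the push carries the attacker's session context to the user, and the user, not the browser, decides. That is the "IP address or city on the push" check the post mentions, and it is the only point in that flow where the origin is visible.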

Paul_in_Maine_USA

Ars Praetorian
412
Subscriptor
"Screen into Imbox" at the end is another good one, and a dig at their Artificial Idiocy.

mail is sent from a trusted Microsoft domain
"Trusted"? I have not trusted a Microsoft sender in decades. For a while all their legit emails were bouncing off my school's RDNS filter (like MS didn't know how to DNS). Then there are the Outlook and Live hoi polloi products.
FWIW: Norton is still a thing, and a legit company. But also a go-to when you want to phish with a reputable brand. Peter's company was sold to Symantec in less than a decade, so for three decades I have not trusted the Norton name (sad, b/c Peter is a good guy).
 
Upvote
7 (8 / -1)

d4fennec

Smack-Fu Master, in training
52
I'll be that guy: the errors in this message scream that this is a scam.

Billing in the subject is misspelled.

The message is from Microsoft about a Norton subscription.

The grammar is atrocious - let's capitalize each word!

Subscribed by a user/email with zero connection to Microsoft or Norton.

Does this even have a certificate from Microsoft?
That's on purpose so that scammers don't have to deal with users that can spot scams. It's the same reason Nigerian prince emails are so wonky.
 
Upvote
21 (23 / -2)

nogglebeak

Wise, Aged Ars Veteran
110
Been getting these since Monday to my work (O365 environment) email account.

Today's ones dropped mention of McAfee. None of them have had any egregious misspellings. Random email address cited is the main clue this is dodgy (and PayPal, 'cause I don't use that for work). Also a local NZ phone number, and MS referring me to a PayPal support line* are weird. Some ugly layout too.

* EDIT: earlier versions, just noticed the later ones as pictured below are a lot better grammar. Their AI is learning.
Old version text:

McAfee Received Payment From your PayPal help desk support: +64 3 563-3574

Dear Customer, We have noticed an unauthorized transaction from your PayPal account. If this Transaction was not made by you, please call us +64 3 563-3574 to cancel this order. Otherwise, your $599.99 NZD will be charged today.

The main clue for me would be including the customer support number in the header. That's obviously because they want you to contact it when it should be hidden and hard to find like all support is when you need it or want it.
 
Upvote
-11 (0 / -11)

clb2c4e

Wise, Aged Ars Veteran
153
You're forgetting that you, like most other Ars readers, are the exception, not the rule, when it comes to stuff like this. You don't know a single person with diminished cognition, neurodiversity or other conditions that make them more susceptible than you? Please direct your criticism at the powers making these scams possible, not potential victims.
I saw the errors and they immediately stood out. But last year I also got halfway through writing an angry reply to an email about a new 'no disposable bottles in conferences' policy from my university before realizing it was part of their anti-phishing campaign. It's a million monkeys, at least one will get you, more if you think you will catch them all.
 
Upvote
12 (12 / 0)

EricM2

Ars Centurion
360
Subscriptor
You'd think that reporting this to Microsoft would have an impact.

In order to send reports to external email addresses (outside of your organization) it's required for Power BI to be backed by a premium instance (starting at 5k/mo) or Microsoft Fabric.
So PowerBI actually is a free2play and pay2win setup for scammers...
But does Microsoft earning money by effectively selling a weakly protected path to their customer's inboxes to scammers not make them liable for damages?
 
Upvote
1 (3 / -2)

TheReadingGerbil

Smack-Fu Master, in training
18
I'll be that guy: the errors in this message scream that this is a scam.

Billing in the subject is misspelled.

The message is from Microsoft about a Norton subscription.

The grammar is atrocious - let's capitalize each word!

Subscribed by a user/email with zero connection to Microsoft or Norton.

Does this even have a certificate from Microsoft?
Congratulations: you managed to identify a scam message displayed inside an article about scams.

Out in the wild, however, it is impossible for people to be 100% on the alert for these things 100% of the time, as evidenced by a gazillion "how could I have been so stupid?" quotes from victims.
 
Upvote
18 (19 / -1)
First- yes I still have a yahoo address.
Noticed a fucktup of Tractor Supply emails in my spam box.
And replies to those were FUCK YOU, FUCK OFF ALREADY. Which means the dumbasses getting spammed, maybe using my address as a fake, were replying to spam! Which validated their emails! LULZ! And don't reply to them telling them this.

Never reply to a spam or unsolicited email. Mark as junk and move to folder.

Second- if you use Norton, you deserve what you get. Also, Microsoft doesn't email you unless you have Xbox and it's selling you shit or your account is going to expire, which if you are a gamer, you would know this when you login to your Xbox!
If you use Microsoft for apps like 365, again, logged in, you will know your account is up for renewal. Ignore their emails.


BONUS!!!
USPS will spam you, legally. Guess what? Moving? Submitting a COA change of address online with their Move URL? OH guess who will get spam-locked? YOU. USPS now is a shitshow with a sneaky way of making you think you can do a COA online (you need to go to the post office in person with Photo ID and proof of new address like a Lease or Mortgage, Auto insurance card or DMV registration). And you can't back out once it takes your info BECAUSE next it wants to Register your Voting info, it wants to offer you Auto Insurance premiums.
In 7/10s of a second, you are now only able to unsubscribe in 2 weeks!
Love that Maternity clothing deals, RH! Or Fuck OFF Progressive spam! And now Dominos pizza!
(I had a gmail addy that was quiet. Barely a peep in spam. Now, 20 msgs an hour from USPS bullshit). Filters are now on.

Beware USPS now, as its Trump's subterfuge to get voter info and home addresses (likely sharing with everyone, including ICE/DHS).
 
Upvote
-8 (0 / -8)

Dev Null

Smack-Fu Master, in training
79
Subscriptor++
Honestly, I think just using Microsoft's reputation truthfully makes a scam harder to spot. The only reason to think this is fake is that it's not pushing Copilot.

A while back, Microsoft blasted an email to every mailbox in our Azure AD pushing Copilot, including to Shared Mailboxes. Microsoft Defender also quarantined the majority of them. Adding to the hilarity, the reason for quarantining would randomly vary between spam and phishing, even though it was the exact same email.
 
Upvote
6 (6 / 0)
You'd think that reporting this to Microsoft would have an impact.

In order to send reports to external email addresses (outside of your organization) it's required for Power BI to be backed by a premium instance (starting at 5k/mo) or Microsoft Fabric. I would assume there is some paper trail of payment that would be involved in the scammers getting the environment set up so they could do this.
Not sure why this is being upvoted as it is totally incorrect.

If tenant settings allow; external users (Guests) can be "shared" with and/or collaborate on any Power BI reports if they have a Power BI Pro license. If the content is hosted on a Power BI Premium Capacity, internal/external users only need Power BI Free licenses.
 
Upvote
3 (3 / 0)