Microsoft Alert Emails Abused to Deliver Scam Links
Microsoft faces a scam-link campaign in its account alert emails this week. The messages travel through a sender that users normally associate with legitimate security notices, turning a real Microsoft alert path into a more trustworthy-looking lure than ordinary spoofed mail.
A familiar sender removes some of the easiest warning signs before a user or mail filter even inspects the message body. Publicly, the channel’s security status remains unclear.
Users and administrators face the same trade-off once a trusted alert path starts carrying malicious links. Blocking the sender outright could also disrupt password resets, sign-in warnings, and other normal recovery mail, which turns a basic phishing defense into a choice between tighter filtering and normal account access.
A scammer was abusing Microsoft’s address msonlineservicesteam@microsoftonline[.]com for spam distribution. Microsoft uses the same sender for Microsoft account alerts, and the activity appears to have run for several months.
In one captured example, the malicious lure was injected into the Subject line while the rest of the message kept normal-looking Microsoft elements. An account name or organization name field may have been used to place that text. Spamhaus, an anti-spam non-profit, criticized that customization path after describing the mechanism: “Automated notification systems should not allow this level of customization.”
Reports also say the same operators were able to send emails from a legitimate Microsoft email address, which meant the scam could arrive through infrastructure that already looks familiar to many recipients.
Messages moving through real Microsoft infrastructure can pass technical email verification checks, which helps explain how trusted Microsoft notifications inside phishing chains can reach users with fewer obvious red flags. Familiar branding, familiar layout, and normal-looking delivery cues can all work in the attacker’s favor before the recipient studies the link.
Administrators can’t simply block Microsoft’s legitimate account notification emails because the same path still carries password resets, login warnings, and other legitimate notices. Separate-channel checks can reduce the chance of a bad click, but they also add friction to routine account recovery and security workflows.
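As an added illustration (not code from Microsoft, Spamhaus or the original article), the sketch below triages mail from the sender named above by inspecting the Subject line instead of blocking the address or trusting authentication results. The link pattern, the verdict names and the sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Sender named in the article (defanged there as microsoftonline[.]com).
ALERT_SENDER = "msonlineservicesteam@microsoftonline.com"

# Assumed heuristic: an account-alert Subject has no reason to carry a link.
LINK_RE = re.compile(
    r"(?:https?|hxxps?)://\S+"   # explicit or defanged scheme
    r"|\bwww\.\S+"                # www. host without a scheme
    r"|\b[a-z0-9-]+(?:(?:\.|\[\.\])[a-z0-9-]+)*(?:\.|\[\.\])[a-z]{2,}\b",  # bare host
    re.IGNORECASE,
)

def subject_text(msg):
    """Return the Subject with RFC 2047 encoded words decoded."""
    return str(make_header(decode_header(msg.get("Subject", ""))))

def triage(raw_message):
    """Verdict for one message: 'out-of-scope', 'review' or 'deliver'."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != ALERT_SENDER:
        return "out-of-scope"      # this rule only covers the alert sender
    # Authentication-Results is deliberately not consulted: the abused
    # messages come from real infrastructure and pass those checks.
    if LINK_RE.search(subject_text(msg)):
        return "review"            # hold for an analyst, do not block the sender
    return "deliver"

def _sample(subject, sender=ALERT_SENDER):
    """Build a constructed test message (not a captured sample)."""
    return (f"From: Microsoft account team <{sender}>\n"
            "Authentication-Results: mx.example.test; spf=pass; dkim=pass; dmarc=pass\n"
            f"Subject: {subject}\n\nbody\n")

BENIGN = _sample("Microsoft account security alert")
INJECTED = _sample("Claim your refund at hxxps://pay.example[.]test/claim")
ENCODED = _sample("=?utf-8?q?Refund_pending_visit_www=2Eexample=2Etest?=")
OTHER = _sample("Weekly digest https://news.example.test", "digest@example.test")

if __name__ == "__main__":
    for name in ("BENIGN", "INJECTED", "ENCODED", "OTHER"):
        print(name, triage(globals()[name]))
```

Holding flagged messages for review keeps password resets and sign-in warnings from the same sender flowing, which is the trade-off described above.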
Posted on: 5/21/2026 11:22:22 AM