Scammers exploit Microsoft email system in phishing campaign

Scammers are exploiting a loophole in Microsoft’s email infrastructure to send spam messages that appear to originate from the company’s official account notification system, raising concerns about potential phishing risks for users.

The abuse appears to involve Microsoft’s internal email address, typically used for legitimate account alerts such as two-factor authentication codes and security notifications.

Attackers are reportedly able to create new Microsoft accounts as if they were legitimate customers and use that access to send emails that mimic official communications from the tech giant.

Although the exact method of exploitation remains unclear, the activity lets fraudulent emails evade recipients' suspicion because they appear to come directly from Microsoft's own systems.

Microsoft has yet to publicly confirm a full resolution to the issue.

Reports of the abuse surfaced after users, including technology observers, received multiple similar emails across different accounts.

The messages, sent from [email protected], included suspicious subject lines and embedded links directing recipients to scam websites.

Some emails were designed to resemble security alerts, such as warnings about fraudulent transactions, while others falsely claimed that recipients had private messages waiting for them.

In one instance, multiple such emails were received across different inboxes, suggesting a coordinated spam campaign rather than isolated incidents.
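Added example, not from the article, Microsoft or Spamhaus: a triage check a mail administrator could run against the pattern described above, flagging messages whose sender is a trusted notification domain but whose links lead somewhere else. The sender domain, the link allowlist and the sample message are assumptions, since the article does not give the real notification address.

```python
# Added example: flag notification mail from a trusted sender domain
# whose embedded links point outside the domains that sender should use.
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values: the article does not name the real notification address.
TRUSTED_SENDER_DOMAINS = {"microsoft.com"}
EXPECTED_LINK_DOMAINS = {"microsoft.com", "live.com", "office.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def in_domains(host, domains):
    """True if host equals or is a subdomain of any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def sender_domain(msg):
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_hosts(msg):
    """Collect the hostnames of every http(s) URL in the message body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def triage(raw):
    """Return a verdict: trusted sender plus off-domain links is the red flag."""
    msg = message_from_string(raw, policy=policy.default)
    trusted = in_domains(sender_domain(msg), TRUSTED_SENDER_DOMAINS)
    external = sorted(h for h in link_hosts(msg)
                      if not in_domains(h, EXPECTED_LINK_DOMAINS))
    return {"sender_trusted": trusted, "external_links": external,
            "flag": trusted and bool(external)}


# Constructed sample modelled on the reported "fraudulent transaction" lure.
SAMPLE = """From: Microsoft account team <notifications@microsoft.com>
To: user@example.com
Subject: Unusual transaction on your account
Content-Type: text/plain

We detected a suspicious transaction. Review it here:
https://account-verify.example-scam.invalid/login
Or visit https://account.microsoft.com/security
"""
```

Only the sender-domain check is shown; in production the "trusted" decision should also require a passing SPF/DKIM/DMARC result, since the address alone is what this campaign abuses.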

Anti-spam watchdog The Spamhaus Project also confirmed the activity, stating in a social media post on Tuesday that it had observed abuse of Microsoft’s account notification system for spam distribution over several months.

“Automated notification systems should not allow this level of customization,” wrote Spamhaus.

The non-profit said it has alerted Microsoft to the issue.

This is the latest in a series of incidents in which hackers or scammers have exploited company systems to deceive unsuspecting users.