{"id":53493,"date":"2025-05-26T12:08:20","date_gmt":"2025-05-26T16:08:20","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=53493"},"modified":"2025-05-26T12:08:20","modified_gmt":"2025-05-26T16:08:20","slug":"microsoft-365-purchase-email-scam","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/microsoft-365-purchase-email-scam\/53493\/","title":{"rendered":"Scammers exploiting Microsoft business notifications to launch attacks"},"content":{"rendered":"<p>For an email attack to succeed, the first thing cybercriminals need to do is get their messages in front of potential victims. In a recent <a href=\"https:\/\/www.kaspersky.com\/blog\/getshared-scam-emails\/53288\/\" target=\"_blank\" rel=\"noopener nofollow\">post<\/a>, we covered how scammers leveraged notifications from GetShared \u2014 a fully legitimate service for sharing large files. Today, we examine another method for delivering malicious emails. The operators behind this scam have learned to insert custom text into genuine thank-you messages sent by Microsoft 365 to its new business subscribers.<\/p>\n<h2>A genuine Microsoft email with a nasty surprise inside<\/h2>\n<p>The attack kicks off with a legitimate email in which Microsoft thanks the recipient for purchasing a <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/business\/microsoft-365-apps-for-business\" target=\"_blank\" rel=\"nofollow noopener\">Microsoft 365 Apps for Business<\/a> subscription. The email does, in fact, arrive from the Redmond tech giant\u2019s legitimate address: microsoft-noreply@microsoft.com. One would be hard-pressed to imagine an email address with a more trusted reputation, so the message easily gets past any email server filters.<\/p>\n<p>One more time, just so we\u2019re clear: this is an honest-to-goodness email from Microsoft. The contents match a typical purchase confirmation. 
In the screenshot below, the company thanks the recipient for buying 55 Microsoft 365 Apps for Business subscriptions worth a total of $587.95.<\/p>\n<div id=\"attachment_53494\" style=\"width: 941px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/26120015\/microsoft-365-purchase-email-scam-1.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-53494\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/05\/26120015\/microsoft-365-purchase-email-scam-1.png\" alt=\"Scam leveraging genuine Microsoft notifications\" width=\"931\" height=\"726\" class=\"size-full wp-image-53494\"><\/a><p id=\"caption-attachment-53494\" class=\"wp-caption-text\">Example of a Microsoft business notification where attackers inserted their message in the Billing information section<\/p><\/div>\n<p>The crux of the scam lies in the text attackers add to the Billing information section. Typically, this section contains the subscriber company\u2019s name and the billing address. However, the scammers swap out that information for their own phone number, plus a note encouraging the recipient to call \u201cMicrosoft\u201d if they need any assistance. The types of \u201cpurchased\u201d subscriptions suggest that the scammers are targeting company employees.<\/p>\n<p>They prey on a common employee fear: making an expensive, unnecessary purchase could cause trouble at work. 
And since resolving the issue by email isn\u2019t an option (the message comes from a no-reply address), the victim is left with little choice but to call the phone number provided.<\/p>\n<h2>Who answers the calls, and what happens next?<\/h2>\n<p>If the victim takes the bait and decides to call to inquire about the subscriptions they\u2019ve supposedly purchased, the scammers deploy <a href=\"https:\/\/www.kaspersky.com\/blog\/social-engineering-tricks\/48539\/\" target=\"_blank\" rel=\"noopener nofollow\">social engineering<\/a> tricks.<\/p>\n<p>A Reddit user, who\u2019d received a similar email and called the number, <a href=\"https:\/\/www.reddit.com\/r\/msp\/comments\/1f477c8\/comment\/llo7b87\/\" target=\"_blank\" rel=\"nofollow noopener\">shared their experience<\/a>. According to the victim, the person who answered the call insisted on installing some support software, and sent an EXE file. The subsequent conversation suggests that the file contained a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/remote-access-trojan-rat\/\" target=\"_blank\" rel=\"noopener\">RAT<\/a> of some kind.<\/p>\n<p>The victim didn\u2019t suspect anything was amiss until the scammer promised to refund money to their bank account. That was a red flag, as they shouldn\u2019t have had access to the victim\u2019s banking details. The scammer went on to ask the victim to sign in to their online banking to check if the transaction had gone through.<\/p>\n<p>The victim believes that the software installed on their computer was malware that would have allowed the attackers to intercept their login credentials. Fortunately, they recognized the danger early enough and hung up. 
Within the same thread, other Reddit users reported <a href=\"https:\/\/www.reddit.com\/r\/msp\/comments\/1f477c8\/real_microsoft_365_subscription_order_email_fake\/\" target=\"_blank\" rel=\"nofollow noopener\">similar emails<\/a> containing various contact details.<\/p>\n<h2>How scammers send phishing emails from a genuine Microsoft address<\/h2>\n<p>How, exactly, the attackers manage to send Microsoft notifications to their victims is still something of a mystery. The most plausible <a href=\"https:\/\/www.reddit.com\/r\/msp\/comments\/1f477c8\/comment\/lkjuj6s\/\" target=\"_blank\" rel=\"nofollow noopener\">explanation<\/a> came from another Reddit user, who suggested that the scam operators were using stolen credentials or trial versions to access Microsoft 365. By using BCC or simply entering the victim\u2019s email address when purchasing a subscription, they can send messages like the one shown in the screenshot above.<\/p>\n<p>An alternative theory is that the scammers gain access to an account with an active Microsoft 365 subscription and then use the billing-information resend feature \u2014 specifying the target user as the recipient.<\/p>\n<p>Whichever is true, the attackers\u2019 goal is to replace the billing information \u2014 the only part of the Microsoft notification they can alter \u2014 with their own phone number.<\/p>\n<h2>How to protect yourself against such attacks<\/h2>\n<p>Malicious actors keep finding new loopholes in well-known, perfectly legitimate services to use for phishing campaigns and scams. That\u2019s why, to keep an organization secure, you need not only technical protections but also administrative controls. Here\u2019s what we recommend:<\/p>\n<ul>\n<li>Train your employees to spot potential threats early. 
This process can be automated with an e-learning tool like <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a>.<\/li>\n<li>Install a <a href=\"https:\/\/www.kaspersky.com\/next?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____a8c0f733e524af27\" target=\"_blank\" rel=\"noopener nofollow\">robust security solution<\/a> on every corporate device to fend off spyware, remote access Trojans, and other malware.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This post examines a hybrid email-and-phone scam in which attackers send emails from a genuine Microsoft email address.<\/p>\n","protected":false},"author":2598,"featured_media":53495,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[76],"class_list":{"0":"post-53493","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-phishing"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/microsoft-365-purchase-email-scam\/53493\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/microsoft-365-purchase-email-scam\/28898\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/microsoft-365-purchase-email-scam\/24122\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/microsoft-365-purchase-email-scam\/29000\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/microsoft-365-purchase-email-scam\/28163\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/microsoft-365-purchase-email-scam\/30982\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky
.it\/blog\/microsoft-365-purchase-email-scam\/29692\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/microsoft-365-purchase-email-scam\/39571\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/microsoft-365-purchase-email-scam\/13404\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/microsoft-365-purchase-email-scam\/32238\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/microsoft-365-purchase-email-scam\/29164\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/microsoft-365-purchase-email-scam\/34939\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/microsoft-365-purchase-email-scam\/34570\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=53493"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53493\/revisions"}],"predecessor-version":[{"id":53496,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53493\/revisions\/53496"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/53495"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=53493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=53493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-js
on\/wp\/v2\/tags?post=53493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}