How does it work when a genuine microsoft domain is spending out spam?
Do other email providers penalize that specific domain only, or all microsoft domains to a tiny degree?
lelandbatey•May 24, 2026
The domain is Microsoftonline.com
Typically it's a mis-placed feature. Something like "send an email alert when a thing happens" and they let you control what goes in the message body as well as who the message should be sent towards. Sounds reasonable on the surface, but without guardrails it lets folks send arbitrary emails from your domain.
wnevets•May 24, 2026
Is something similar happening with paypal? I've been getting seemly emails from the PayPal domain that are obviously a scam.
redwall_hp•May 24, 2026
The ones I've seen from PayPal are basically from sending a large request for money to you, then in the freeform text field for the reason, putting fake "if you believe this is a scam, call [actually a scam number]" text.
casty•May 24, 2026
I can confirm. Interestingly they actually put a random USDC transaction number from Coinbase which was very close (close enough that I thought it was accurate) of a transaction I actually did on Coinbase at one point. I was so confused so I ended up calling the number but immediately realized once they picked up what was going on. Essentially they got really lucky that my actual transaction amount was close enough to seem plausible.
This is a failure on PayPal’s email template that the freeform text field appears just as legit as other items. The text label was something like “Message from Sender”.
duskwuff•May 24, 2026
> This is a failure on PayPal’s email template that the freeform text field appears just as legit as other items.
This is a somewhat common pattern in scams - abusing freeform text fields in emails or other messages to give the impression that a message is coming from a source that didn't intend to send it.
Another variant I've seen is malicious URLs linking to search engines which display the user's search terms, e.g. a link to a Microsoft site search with a prefilled search of "YOU HAVE A VIRUS, CALL MICROSOFT SUPPORT 555-1212".
diego_sandoval•May 24, 2026
PayPal itself is a scam.
spike021•May 24, 2026
A while back I had a reservation with a hotel on Booking and I received a phish attempt that came directly via the Booking site domain email and also DMs but "sent" by the hotel. When I looked into it at the time, it seemed less like an issue of hotels specifically having their accounts infiltrated and more like some kind of message/email endpoint on Booking's end was being abused in a similar manner.
I'm not sure this is the same type of issue but found this interesting, especially since apparently it's been reported to MS and no action has been taken.
kay_o•May 24, 2026
I have not seen one of these that wasn't a compromised hotel email or booking account. I have had to "help" a hotel get malware/RATs off their system more than a dozen times as a _guest_
r1ch•May 24, 2026
I've started to assume that any non-chain hotel is compromised after losing $2k to hackers that completely owned the hotel's email system. Thankfully DMARC made it irrefutable that it was their system at fault and they assumed liability. BEC is shockingly common and difficult to detect until it's too late.
weinzierl•May 24, 2026
Who even can be sure microsoftonline.com is legit. Microsoft's domain story is such a mess, I wouldn't be surprised if not even internally they have one complete list of all the domain assets they own.
But they are not alone. It is kind of ironic when companies insist that we check the domain to spot spam but are unable publish a list with all domains they officially use to send mail.
inetknght•May 24, 2026
> unable publish a list with all domains they officially use to send mail
That's because people report them as spam, so they hop domains to avoid that.
saghm•May 24, 2026
Okay, so then they should stop doing stuff like trying to push people to log into Windows with Microsoft accounts instead of offline credentials and then using that as an excuse to send out inane marketing emails that no one wants. "We're doing something shitty as a workaround for the consequences of other shitty things we do" isn't a particularly good reason for not acting so shitty.
hnlmorg•May 24, 2026
For a company with as much weight in the industry as Microsoft, it would be trivial to ensure their domains don’t end up on spam lists. Heck, because of outlook.com, they control have the spam lists themselves.
The real reason for multiple domains is likely more stupid than that. It’s likely because different teams want to move faster than the whole of Microsoft, so register a domain for their MVP to enable them to prototype like a start up. Because going through the usual hoops with enterprise regarding using their established domains will be a long and torturous process. And before long, their new prototype domain becomes so integrated into their product that adopting it as official is just easier than switching to microsoft.com.
I couldn’t say for sure that’s what has happened here. But it’s the story I’ve seen with domain ownership in other enterprises
hirsin•May 24, 2026
Microsoft.com is also owned by the marketing org, not the engineering org, for various reasons that predate the existence of many employees at Microsoft now.
This is why with rare, rare exceptions nothing "real" is on Microsoft.com including even the login page, with one exception (the passkey domain).
And IIRC this is just for office and windows, not azure.
apimade•May 24, 2026
Such a list will never exist in an organisation of this size, with the amount of delegated management and operations required for these functions. In fact, it’s unlikely such a list is even _allowed_ to exist given the sensitive nature of some areas of the business, being a publicly traded company which works directly with regulated entities and governments.
It’d be interesting to hear a senior old-timer from MS to weigh in on their blog about this, and similar/adjacent problems that arise from working across such a colossal entity.
It’s a wonder they ever release anything new, if I’m being completely honest. The amount of governance, hoops, process and procedure across every aspect of their business must be staggering.
10000truths•May 24, 2026
> In fact, it’s unlikely such a list is even _allowed_ to exist given the sensitive nature of some areas of the business, being a publicly traded company which works directly with regulated entities and governments.
If the existence of a domain/subdomain is considered sensitive information, then something has gone very wrong.
antiframe•May 24, 2026
Companies do register domains before launching products and don't want to leak them. Now, I still support Microsoft and other companies to list the domains they send official emails from.
seb1204•May 24, 2026
Why would that not be possible?
You can still do that and then once the rabbit is out add it to the main list.
Come on, don't let the good be the enemy of the perfect.
I'm sure there are several ways to find and list all domains.
What bothers me more is that they allowed to have different domains in the first place. Why not sub domains to make it clear.
antiframe•May 24, 2026
That's what I said? Companies can hide domains while they are under development but then they should still maintain a list that they send emails from. I was opposed to legislation that required all registered domains regardless of use being published.
qingcharles•May 24, 2026
Bluesky is even worse, some of their emails come from "moderation@blueskyweb.xyz".
They have to make posts to assure people it's not a scam, especially as they'll ask you to mail ID etc to that address:
At least Bluesky has an excuse of not being a Fortune 50 company. What’s Microsoft’s excuse?
lostlogin•May 24, 2026
‘We built it 30 years ago, it’s sort of compatible with everything and we will never deprecate.’
It’s not a good excuse…
vasco•May 24, 2026
Sending your id to a social media IS a scam.
fragmede•May 24, 2026
What definition of the word scam are you using here? What promise of a product that you pay for that isn't being delivered, with uploading your id to a site on the Internet?
vasco•May 24, 2026
I'm not gonna get hoodwinked into highbrow shenanigans. Social media doesn't need IDs to work, demanding it is a scam.
stavros•May 24, 2026
Defining a word isn't "highbrow shenanigans", although I guess it depends on how you define that.
7bit•May 24, 2026
Rhetoric won't save you from the embarrassing situation you created for yourself. You accused something of being a scam without understanding the definition of the word. Now that your claim has been challenged, you're trying to redefine terms and argue around the issue rather than admit you were wrong.
bshacklett•May 24, 2026
From dictionary.cambridge.org:
a dishonest plan for making money or getting an advantage, especially one that involves tricking people:
I can easily see a social media company demanding an ID falling under this definition if the accuser believes that the actual use of said ID will be different or more expansive than implied. That is not an unreasonable assumption, IMO.
hvb2•May 24, 2026
By email... Just to add insult to injury
donkyrf•May 24, 2026
Microsoft is the 4th largest company in the world.
There should be a long list of companies whose policies are worse than theirs.
vitally3643•May 24, 2026
That doesn't follow. I would expect the list of companies worst than Microsoft to be about 4 items long
chuckadams•May 24, 2026
Hard to beat Outlook 2007 which had some "smart tags" feature that all referenced "5iantlavalamp.com", and things started breaking when that domain expired.
varun_ch•May 24, 2026
I simultaneously don’t believe this and fully believe this is something they would do. Do you have any sources on this?
I was working in anti-spam at the time, so I was eyeballing a lot of raw email dumps and writing analysis scripts for "anomalous" urls, so it popped up fairly frequently.
qingcharles•May 24, 2026
The primary problem is we can't search through time via WayBack Machine where a lot of these things have gone. Took me a while the other day to surface the Choco-Banana Shake Hang which Microsoft deleted from their production site.
I'm struggling to find information about this and it's extremely interesting.
Would you please explain more?
chuckadams•May 24, 2026
It's hard to remember many details from almost 20 years ago, I just remember coming across it in email spools while writing anti-spam analysis scripts. Only mention I can find nowadays is https://www.experts-exchange.com/questions/22812691/What-is-....
Tangent: I used to receive at least a dozen bank scam calls per day in India, especially during insurance renewal. I wanted the banks to publish official phone numbers and mandate their employees to use only official numbers.
Recently the regulatory bodies did just that and so the banks should only use 1600 numbers to contact their customers. My bank scam calls have dropped to 0.
hunter2_•May 24, 2026
Knowing what numbers are real through an official publication is very good, but it only allows you to place trust in calls you make, not calls you receive, because making calls doesn't involve caller ID, receiving calls does, and caller ID is spoofable.
bdavbdav•May 24, 2026
That would take nothing to implement. Services like Truecaller already do live caller ID against databases on iOS / Android. All it would take is a sensible register of verified numbers
Abishek_Muthian•May 24, 2026
Several of the bank scammers had their profile verified as the bank in the Truecaller[1].
Truecaller can tell you about who a phone number belongs to.
Truecaller cannot accurately tell you whether or not the person calling you from a phone number is actually in control of that phone number.
TeMPOraL•May 24, 2026
Won't stop people from trying to make Truecaller, et al. prove that, though.
The problem here is that the correct security posture of the bank against third-party scams also protects the customers from first-party scams. Telling people the bank will never call them for anything, and even if, they're to always hang up and call the number on the back of their card, works equally well against criminals and telemarketers.
l23k4•May 24, 2026
I feel like this is kind-of a solved problem in the jurisdictions where banks are liable for customer losses not arising from gross negligence.
If a bank calls their customers directly and trains them to get phished, the bank does not get to claim gross negligence when this happens and has to refund the customer.
If a bank tells their customers that they'll never call them (and actually doesn't), they have much better chances of claiming gross negligence on the part of the customer.
4ndrewl•May 24, 2026
That's the number one rule though. If someone calls you claiming to be your bank, just say "I'll call you back"
smcin•May 24, 2026
Ask them their name/ last initial, employee ID or unique identifier for the conversation, direct phone number, job title and what location they're based at. Scammers will pretty much always refuse/argue/hang up on this (once I had one start insulting my mother in Hindi when I asked him this). Then call your bank's proper number and verify all of these details.
(But in any case your bank will never call outwards to you, unless you've specifically requested that, which you almost never do.)
DamonHD•May 24, 2026
Unfortunately my UK banks (and others) DO regularly make calls to me unannounced and demand my ID to 'prove who I am'. They are not scam calls and the callers cannot understand what they are doing wrong. If I'd had more strength in the last round of this stupidity I'd have done a number on them with the regulator. (I used to work in finance and was the director of a regulated financial entity, so I think I'd have a head start.)
Cider9986•May 24, 2026
Yeah and people call crypto a scam.
It mostly is, but Monero is pretty good.
cuteboy19•May 24, 2026
it is time we have a good industry standard for this stuff
lostlogin•May 24, 2026
I dream of a time I don’t have a bank, or not in any traditional sense.
I’d been hunting for ways to use a Wisecard standoff a bank but got a bit wary of what would happen if they went bust. Government backed guarantee do not exist for Wise.
TeMPOraL•May 24, 2026
> They are not scam calls
What are they, then? Sales/marketing calls? Or some security notifications ("we noticed some suspicious operations in the last 3 days...")? If it's the former, that's still scam in my books. Specifically, it's a first-party scam, as opposed to a third-party scam, where some third party pretends to be your bank.
They both should be treated similarly; unfortunately, you can't report first-party scams to police.
andyclap2•May 24, 2026
In my experience they're security calls. UK has good opt out marketing rules for legit companies.
But the usual security call is exactly like a spam call, no authentication from their end, immediately requesting id verification "answer these security questions", and refusing to go off script.
People have been asking for years to be able to lodge a security challenge code on their profile that can add confidence in the caller. Given there are already multiple security questions on an account, this could be a process change: the security challenge script becomes "the first and sixteenth characters of your mother's maiden name are 7 and F, what are the third and fifth characters of your first pets name".
arthurfm•May 24, 2026
In the UK, banks like Starling, Monzo and Revolut (and building societies such as Nationwide) have added a call status feature in their apps [0][1][2] that tells you if they are actually the ones calling.
Yeah, this is a no brainer (and I think most banks let you verify via the app rather than personal info) to avoid the annoying uncertainty (but note my mother would not be able to handle that I expect)
SoftTalker•May 24, 2026
No "challenge code" your profile can be used to authenticate a caller. Profiles get leaked, almost all of them have been at some point, or at least that's the safe assumption to operate under.
seanhunter•May 24, 2026
Yeah as sibling points out, lots of orgs have scammy official security calls. This leads to a dance I have been through quite often.
<phone rings, I pick up> Hello
Them: Am I speaking to Sean Hunter
Me: Yes
Them: This is <rubbish bank who should know better>. Can you confirm your <date of birth/full address with postcode>
Me: Yes
Them: Err, … sorry I didn’t quite catch that.
Me: Yes.
Them: <thoroughly confused>I asked whether you can confirm your <date of birth/full address with postcode>
Me: Yes. I can.
Them: err… I can’t talk to you without you passing security.
Me: You called me.
Them: I’m sorry…?
Me: You called me. You wanting to talk to me about something is your problem.
Them: I need you to pass security before I can talk to you.
Me: OK, well. Have a nice day. <hang up>
Almost this exact thing has happened multiple times with one of my bank accounts which I can’t completely shut because of boring reasons but I have basically deprecated because they do this sort of nonsense. My main bank now is much better.
Scoundreller•May 24, 2026
One of my banks refused to talk to me over the phone and informed me to go to a branch with 2 pieces of ID. Fair, it was a credit card opened online.
Only to find the 2 pieces of ID were just for them to talk to me and ask for more documents. Rubbish like employment letters (uhhhh, how about YOU call my employer instead of me printing out the “letter” they’ll email me?) or tax return stuff mid-year.
I cut up the credit card and mailed the pieces to their legal department. Someone called me pretty quick and without any authentication hassles.
monkpit•May 24, 2026
Just don’t answer the phone. If it’s something important they know how to reach you, or they can leave a voicemail.
DamonHD•May 24, 2026
This is very much my experience.
I generally say at some point before terminating the call "you should not train your customers to give out account access credentials to strangers" and the caller usually has no clue what I mean. Does no one in the security teams have theory of mind?
This will be the way I bring up the issue with the regulator if I do. I can think of many ways round this issue that would be much safer and not especially arduous.
somewhatgoated•May 24, 2026
That’s wild.
If my bank needs something from me they send an email saying that a message is available in the online portal - or in some cases they send me a physical letter.
Anything else would be highly suspicious
smcin•May 24, 2026
In the US Caller ID has been so hopelessly compromised (for almost two decades now, that's on Congress) that financial institutions almost never make outbound calls, and only ever use standardized published numbers; I wasn't aware other countries differ so much.
Please tell us more context with regard to your UK banks making multiple unannounced calls demanding your ID ... were you an individual customer? finance director? MD? or what? Why on earth do they do that? Have you told them in writing not to? There must be more backstory to that.
DamonHD•May 24, 2026
Banking example: trying to move some savings from one UK bank to another - back to where the money had originally come from, and that had just purchased the first bank too. It took 8h on the phone over a week or so to get the money back, which was interspersed with a comedic number of calls from withheld numbers and people unknown to me demanding enough info to get access to my money. And other very poor practice. The bank even conceeded at least once in writing that it knew that it was screwing up and sent me £100 by way of apology - but carried right on screwing up.
Non-banking: getting a call out of the blue from my Internet Service Provider again demanding enough credentials to get access to my (business) account, and unable to understand why that was very poor practice. I used to like that ISP a lot, and have been with it for a looooooong time, but the angry exchange with who seems to have been my account manager has soured the relationship a lot.
somewhatgoated•May 24, 2026
My bank(s) have never called me and if they did I wouldn’t pick up - it’s definitely not a standard in the EU.
jack1142•May 24, 2026
Nowadays, when banks call you here, they allow you to verify the bank is actually calling you with the mobile app - you can see their name and number they're calling you from in the app. Also, you can often verify you're you with the app too, same as any other app authorization, so you don't have to share any details over the phone. I feel like this is a pretty good improvement.
SoftTalker•May 24, 2026
That does seem better than blind trust but that app infrastructure could get compromised. I would still be wary in any situation where I did not originate the call with the bank.
Hikikomori•May 24, 2026
We have an app called bankid. If my bank calls me they'll ask me to open the app to auth, the app shows that the specific bank initiated auth and also says that they called me.
Same app is used to auth to government pages and all kinds of stuff online, even purchases.
anonzzzies•May 24, 2026
Or, which has worked great for me; just never answer the phone. If people need something they will email or chat. If not then it is not going to be important.
cucumber3732842•May 24, 2026
This. If people have a "real" reason to correspond with you they will have no problem making a record of it via a voicemail or text or email or whatever.
dylan604•May 24, 2026
I've had friends that got into a spot of bother and tried calling from an unknown number. If it's a phone you can't text from, then leaving a voice mail with voice transcription is about the only way I'll know it's a friendly call
trollied•May 24, 2026
My bank has a feature whereby it'll tell you promoinently in their app if they are currently calling you.
ghoul2•May 24, 2026
Recently, banks where also asked to put their official websites/netbanking on *.bank.in domains. I have wanted that for SO long.
nolok•May 24, 2026
In France, basically every bank say (show in their app and everything) "if we call you and ask anything like code, confirmation, to do an action, anything, end the call and call us back, don't do anything on a call you didn't initiate".
Same in their app eg you try to do a sepa wire to a new recipient and you get a warning "are you on the phone with someone ? did someone ask you to do that ? please call your bank by pressing this button. By the way we will never call you to ask an auth code or to do a wire"
spicymaki•May 24, 2026
Here is a fun one, my mobile phone company has an account lock along with a pin and OTP over SMS system. In order for me to activate a new device (like an phone upgrade) with eSIM over the phone, I need to unlock my account with account lock, give them the pin over the phone, and read the SMS OTP to the mobile phone rep online. I get doing the account unlock and verbal pin, but I don't get why they ask for the OTP especially when they train us to never share the OTP over the phone. I even asked the rep about it, but he mentioned that you should never share the OTP if you did not initiate the service request. From a security posture point of view I think that stinks. I am not exactly sure how they expect SMS OTP to work in the case where my phone is not functional.
0123456789ABCDE•May 24, 2026
is it common for banks to call you?
always though the agreement was: we don't call you, you call us. we'll send letters though.
amarant•May 24, 2026
Oh man that brings back memories!
"Hello, I'm calling from Blockchain, I would like to talk about your investment portfolio"
it weirded me out they would pretend to be from the underlying technology instead of an exchange or something. I kept thinking I should pretend to be the CEO of TCP/IP or something when they called.
WarOnPrivacy•May 24, 2026
> Who even can be sure microsoftonline.com is legit.
Yeah. I queried the 1st thing that came to mind and internalmicrosoft.com and microsoftinternal.com are available. With that much potential out there, I'd want to keep my official domain group tight.
SoKamil•May 24, 2026
> Who even can be sure microsoftonline.com is legit
Spam filters.
saghm•May 24, 2026
I'm either impressed by whatever spam filter you having literally zero false positives or negatives, or I'm confused about what you think it means to "be sure".
consp•May 24, 2026
I have plenty of false negatives, mostly due to companies in know I get a mail from using spamlike html mails, I always verify on the phone it is the mail they send to be sure but it happens way too often.
cess11•May 24, 2026
This was a common issue when I consulted with bankruptcy lawyers and had to figure out what domain assets the company had. Commonly the representatives only knew about some of the domains and we found at least a few more.
Same with third party services, sometimes they used one for something for a while and collected customer or user data there and then stopped but kept paying for it, and forgot they had it. We typically found these through analysis of their accounting.
lostlogin•May 24, 2026
Having a service crap out because someone didn’t pay for the domain is almost a trope. It never occurred to me that the reverse might happen - paying for unused domains.
doubled112•May 24, 2026
We pay for a bunch of old domains because nobody in the org can definitively say we never used it and/or don’t use it anymore.
Easier to just keep paying.
pixl97•May 24, 2026
Not only have you stopped using it, but did any of your customers ever allow list it in the past? Great way to attack customers of some large businesses if you ever see it happen.
...and microsoftonline.com is not among them (unlike microsoftonline.net and other variants). But it seems to have been registered in 2002, and the record looks legit:
I got used to that one, but the other day I was checking Outlook in the web browser and I ended up on outlook.cloud.microsoft, I couldn't believe my eyes.
warumdarum•May 24, 2026
Remember those indian microsoft support centers and that strange correlation of you being called by a indian microsoft scammer the next day after you called there. Not implying causation.. just..
Seems like it would make sense to only use subdomains of microsoft.com?
aftbit•May 24, 2026
Not only that, but they wrap the links in their email with click tracking provided by domains that have nothing to do with them (Mailgun or whatever). So even if you try to introspect the links you're clicking, they seem to go to a scammy domain even if they're legit!
That's not a misconfiguration, that's incompetence.
How do these people get hired?
lachiflippi•May 24, 2026
That's actually really easy:
1. be government agency
2. pay 30-70% less than private sector companies would for a similar position
3. receive applicants that are 30-70% less competent
Bonus:
- have 30+ year old systems nobody understands anymore because the team behind them has been dead/retired for a decade
- have hiring process handled entirely by out of touch suits
- have a revolving door of motivated soon-to-be burnouts mopping up the mess behind the aforementioned regular employees
avazhi•May 24, 2026
Pretty apropos and quite ironically encapsulates what Microsoft has turned into over the past few years in particular.
Imagine this is some truly errant copilot instance truly embracing its slop destiny.
lol
zbengrac2•May 24, 2026
shocking..
binaryturtle•May 24, 2026
I'm receiving daily about 20 to 30 spam mails from google servers. I'm sorting them into a separate SPAM folder for the "fun" of it.
Who to contact? How to make Google stop? Where to report the abuse of their services? I can't find out. The whole service is basically a big <bleep> off and "we don't want any contact."
Maybe I also need to publish some article, so it can be published here on HN? Maybe that could give it some traction for someone at Google to look into it?
I submitted an account that sent phishing emails last week, but I’m told it’s basically a black hole and to not expect anything anything to happen.
binaryturtle•May 24, 2026
It's not gmail accounts, but "services" (?) hosted on Google's cloud. Basically I see X.X.X.X.bc.googleusercontent.com addresses in the "Received" header fields, e.g. "22.185.141.34.bc.googleusercontent.com"
When doing a WHOIS on that IP we'll get a contact address for abuse reports: "google-cloud-compliance@google.com", but sending anything there, returns an error that the user doesn't exists.
currysausage•May 24, 2026
Yeah, I fell into that rabbit hole once. Tried all abuse channels that I could find. network-abuse@ refers you to the Google Cloud abuse form. They ‘are not able to take action on this report since the IP mentioned in the report is not hosted on Google Cloud.’ Gmail abuse doesn’t even bother to reply (why should they, it’s not about Gmail after all). In the end, I just blocked DKIM identifiers related to Firebase via Rspamd.
yard2010•May 24, 2026
Did anyone there try to ask ChatGPT to come up with a solution?
dminik•May 24, 2026
On a semi-related note, Microsoft security is genuinely terrible.
For the past week, my Microsoft authenticator has been pinging about sign-ins from random places. Except the login history page is completely empty. Not even my own sign ins show up.
Now, you would be forgiven for thinking it's because my password leaked, but no. The default sign in flow with the app enabled is email + authenticator. No password required. In their eternal wisdom this option is not changeable in the app.
Microsoft really should realize that the only reason the account still exists is because they bought Minecraft and stop complicating my life.
eterm•May 24, 2026
I've been getting this too, authenticator prompts saying "logged in" and asking for confirmation, but no history whatsoever when I went to security to check.
It freaked me out the first time, I went through all the security settings I could find, but it was if it never happened.
I just ignored it the second time, but it's a bit unsettling, because the default authenticator flow also has the chance of accidentally hitting the right number.
e40•May 24, 2026
Is that because it’s two digits?
eterm•May 24, 2026
No, because the default is to present you 3 numbers and asks you which your number is!
1 in 3 and easy to hit by mistake.
wholinator2•May 24, 2026
Shouldn't there be a button like "i didn't request this" or something? Why would you hit one of the buttons if you know the request is bogus?
eterm•May 24, 2026
You've never hit the wrong button by mistake on a phone touchscreen?
I can only envy your adroitness.
e40•May 24, 2026
That's insane.
stanac•May 24, 2026
> The default sign in flow with the app enabled is email + authenticator. No password required
Isn't this only if browser have some cookie from previous session or IP didn't change?
Edit: just tried (new IP + private window firefox), you are right, I can enter email and select app notification.
greatgib•May 24, 2026
It is the same company that want to stop SMS 2fa to force you to use their shitty authenticator app.
Numerlor•May 24, 2026
SMS 2FA is the worst factor because of how insecure and phishable the phone network is, it deserves to die out where possible
e40•May 24, 2026
But they could allow other 2fa apps, but they force their shitty one.
xboxnolifes•May 24, 2026
Microsoft also has this cool thing where if someone fails to get into your account too many times, your account can get locked and you are asked to reset your password. For a working password.
Even after changing my password, I couldn't login to my email on my phone, so I just gave up. I only use that email for a handful of things anyway.
flexagoon•May 24, 2026
Their enterprise account system (active directory or whatever it's called) also has an awesome bug where if you accidentally reload the page during password reset, the link will no longer be valid, but your old password will already be invalidated. So you won't be able to log in at all untill IT staff manually changes your password.
alargemoose•May 24, 2026
I also had this starting a few months back. I changed the email address (really, just an alias to the same mailbox as before) and the notifications stopped.
okandship•May 24, 2026
big vendors asking users to inspect domains while spreading mail across unclear domains is part of the problem. publishing a signed, boring source of truth for official sending domains would help defenders a lot.
zer0tonin•May 24, 2026
I got one of those random 2auth codes email and I assumed my password had been compromised. At least it's some kind of relief to know that it's only a compromised Microsoft email address...
r1ch•May 24, 2026
Meta had(has?) a similar bug with one of their business manager features, the attacker has complete control of the initial body text which makes it highly convincing.
Trying to report this was an exercise in futility, I guess they get so much beg bounty spam that their security submission process filters out the occasional legitimate issue.
enkrs•May 24, 2026
I've been receiving these for so long I started thinking it must be just me being targeted and not widespread, as Meta seems to not do anything about it.
Emails comming legitimeley from noreply@business.facebook.com with the text below. Go and decypher which part is Meta template and which is creative use of user supplied text...
Your Meta's Page may be at risk due to unusual
activity is not part of or affiliated with
Meta. Only approve requests and invitations from
people and businesses that you know and trust.
Meta will never ask for passwords, payment
information or personal details in an email. You've
received a partner request. Partners are other
businesses that you work with on Facebook. Partner
sharing lets you give access to your business assets,
but not to your business portfolio. This request is
from:
Your Page is under restriction review Contact Meta
Support: metafanpageviolate@gmail.com Protect yourself
from fraud: Verify the identity of the requester by
contacting the business using official contact information.
drdec•May 24, 2026
I feel sad that what I think of as the obvious solution, companies using subdomains like internal.microsoft.com instead of making a million different domains, is so far from happening that no one here on HN has even brought it up.
kro•May 24, 2026
You are correct.
Reminds me, we once got a letter by a German government body requesting some data exports from our company, and to upload them on findrive-ni.de
It turned out to be legit, but it's neither a subdomain of the state of Niedersachsen domain nor referenced in their official sites.
dpkirchner•May 24, 2026
Hell, they have .microsoft. Why'd they bother?
kro•May 24, 2026
I've been receiving loads of spam from google MX servers lately until blocking all mails with X-Google-Group-Id headers. I don't know how it's possible, the contents were 100% spammer controlled, no Google template
bsoles•May 24, 2026
My employer's domain starts with "m". Bunch of people recently fell victim for a fishing email whose domain started with "rn". In Outlook 's font the two look almost identical.
epistasis•May 24, 2026
A keming attack in the wild...
CSMastermind•May 24, 2026
This happens all the time, it's a classic phishing tactic.
aftbit•May 24, 2026
I got a coinbase scam from @akamai.com once. One of their acquisitions had a bad SPF I believe.
ismaelyws•May 24, 2026
Damn. And this completely bypasses any anti-spoofing protection.
nipperkinfeet•May 24, 2026
This is a long-standing issue that has persisted for years.
20 Comments
Do other email providers penalize that specific domain only, or all microsoft domains to a tiny degree?
Typically it's a mis-placed feature. Something like "send an email alert when a thing happens" and they let you control what goes in the message body as well as who the message should be sent towards. Sounds reasonable on the surface, but without guardrails it lets folks send arbitrary emails from your domain.
This is a failure on PayPal’s email template that the freeform text field appears just as legit as other items. The text label was something like “Message from Sender”.
This is a somewhat common pattern in scams - abusing freeform text fields in emails or other messages to give the impression that a message is coming from a source that didn't intend to send it.
Another variant I've seen is malicious URLs linking to search engines which display the user's search terms, e.g. a link to a Microsoft site search with a prefilled search of "YOU HAVE A VIRUS, CALL MICROSOFT SUPPORT 555-1212".
I'm not sure this is the same type of issue but found this interesting, especially since apparently it's been reported to MS and no action has been taken.
But they are not alone. It is kind of ironic when companies insist that we check the domain to spot spam but are unable publish a list with all domains they officially use to send mail.
That's because people report them as spam, so they hop domains to avoid that.
The real reason for multiple domains is likely more stupid than that. It’s likely because different teams want to move faster than the whole of Microsoft, so register a domain for their MVP to enable them to prototype like a start up. Because going through the usual hoops with enterprise regarding using their established domains will be a long and torturous process. And before long, their new prototype domain becomes so integrated into their product that adopting it as official is just easier than switching to microsoft.com.
I couldn’t say for sure that’s what has happened here. But it’s the story I’ve seen with domain ownership in other enterprises
This is why with rare, rare exceptions nothing "real" is on Microsoft.com including even the login page, with one exception (the passkey domain).
The new cloud.microsoft domain for Office will possibly help, but it's still a heck of a long list - https://learn.microsoft.com/en-us/microsoft-365/enterprise/u...
And IIRC this is just for office and windows, not azure.
It’d be interesting to hear a senior old-timer from MS to weigh in on their blog about this, and similar/adjacent problems that arise from working across such a colossal entity.
It’s a wonder they ever release anything new, if I’m being completely honest. The amount of governance, hoops, process and procedure across every aspect of their business must be staggering.
If the existence of a domain/subdomain is considered sensitive information, then something has gone very wrong.
They have to make posts to assure people it's not a scam, especially as they'll ask you to mail ID etc to that address:
https://bsky.app/profile/safety.bsky.app/post/3ljp6zi7tp227
It’s not a good excuse…
I can easily see a social media company demanding an ID falling under this definition if the accuser believes that the actual use of said ID will be different or more expansive than implied. That is not an unreasonable assumption, IMO.
There should be a long list of companies whose policies are worse than theirs.
I was working in anti-spam at the time, so I was eyeballing a lot of raw email dumps and writing analysis scripts for "anomalous" urls, so it popped up fairly frequently.
https://web.archive.org/web/20000608173453/http://support.mi...
Would you please explain more?
Recently the regulatory bodies did just that and so the banks should only use 1600 numbers to contact their customers. My bank scam calls have dropped to 0.
[1] https://xcancel.com/Abishek_Muthian/status/18063480222902113...
Truecaller cannot accurately tell you whether or not the person calling you from a phone number is actually in control of that phone number.
The problem here is that the correct security posture of the bank against third-party scams also protects the customers from first-party scams. Telling people the bank will never call them for anything, and even if, they're to always hang up and call the number on the back of their card, works equally well against criminals and telemarketers.
If a bank calls their customers directly and trains them to get phished, the bank does not get to claim gross negligence when this happens and has to refund the customer.
If a bank tells their customers that they'll never call them (and actually doesn't), they have much better chances of claiming gross negligence on the part of the customer.
(But in any case your bank will never call outwards to you, unless you've specifically requested that, which you almost never do.)
It mostly is, but Monero is pretty good.
I’d been hunting for ways to use a Wisecard standoff a bank but got a bit wary of what would happen if they went bust. Government backed guarantee do not exist for Wise.
What are they, then? Sales/marketing calls? Or some security notifications ("we noticed some suspicious operations in the last 3 days...")? If it's the former, that's still scam in my books. Specifically, it's a first-party scam, as opposed to a third-party scam, where some third party pretends to be your bank.
They both should be treated similarly; unfortunately, you can't report first-party scams to police.
But the usual security call is exactly like a spam call, no authentication from their end, immediately requesting id verification "answer these security questions", and refusing to go off script.
People have been asking for years to be able to lodge a security challenge code on their profile that can add confidence in the caller. Given there are already multiple security questions on an account, this could be a process change: the security challenge script becomes "the first and sixteenth characters of your mother's maiden name are 7 and F, what are the third and fifth characters of your first pets name".
[0] https://www.starlingbank.com/news/starling-bank-launches-in-...
[1] https://monzo.com/help/monzo-fraud-category/monzo-call-statu...
[2] https://www.bbc.co.uk/articles/c1mj02vr0emo
Only to find the 2 pieces of ID were just for them to talk to me and ask for more documents. Rubbish like employment letters (uhhhh, how about YOU call my employer instead of me printing out the “letter” they’ll email me?) or tax return stuff mid-year.
I cut up the credit card and mailed the pieces to their legal department. Someone called me pretty quick and without any authentication hassles.
I generally say at some point before terminating the call "you should not train your customers to give out account access credentials to strangers" and the caller usually has no clue what I mean. Does no one in the security teams have theory of mind?
This will be the way I bring up the issue with the regulator if I do. I can think of many ways round this issue that would be much safer and not especially arduous.
Please tell us more context with regard to your UK banks making multiple unannounced calls demanding your ID ... were you an individual customer? finance director? MD? or what? Why on earth do they do that? Have you told them in writing not to? There must be more backstory to that.
Non-banking: getting a call out of the blue from my Internet Service Provider again demanding enough credentials to get access to my (business) account, and unable to understand why that was very poor practice. I used to like that ISP a lot, and have been with it for a looooooong time, but the angry exchange with who seems to have been my account manager has soured the relationship a lot.
Same app is used to auth to government pages and all kinds of stuff online, even purchases.
Same in their app eg you try to do a sepa wire to a new recipient and you get a warning "are you on the phone with someone ? did someone ask you to do that ? please call your bank by pressing this button. By the way we will never call you to ask an auth code or to do a wire"
always though the agreement was: we don't call you, you call us. we'll send letters though.
"Hello, I'm calling from Blockchain, I would like to talk about your investment portfolio"
it weirded me out they would pretend to be from the underlying technology instead of an exchange or something. I kept thinking I should pretend to be the CEO of TCP/IP or something when they called.
Yeah. I queried the 1st thing that came to mind and internalmicrosoft.com and microsoftinternal.com are available. With that much potential out there, I'd want to keep my official domain group tight.
Spam filters.
Same with third party services, sometimes they used one for something for a while and collected customer or user data there and then stopped but kept paying for it, and forgot they had it. We typically found these through analysis of their accounting.
Easier to just keep paying.
...and microsoftonline.com is not among them (unlike microsoftonline.net and other variants). But it seems to have been registered in 2002, and the record looks legit:
https://whois.domaintools.com/microsoftonline.com
https://github.com/HotCakeX/MicrosoftDomains/blob/main/Micro...
but that one doesn't contain any microsoftonline.
“Always has been.”
https://www.techmonitor.ai/technology/microsoft_forget_to_re...
That's not a misconfiguration, that's incompetence.
How do these people get hired?
1. be government agency
2. pay 30-70% less than private sector companies would for a similar position
3. receive applicants that are 30-70% less competent
Bonus:
- have 30+ year old systems nobody understands anymore because the team behind them has been dead/retired for a decade
- have hiring process handled entirely by out of touch suits
- have a revolving door of motivated soon-to-be burnouts mopping up the mess behind the aforementioned regular employees
Imagine this is some truly errant copilot instance truly embracing its slop destiny.
lol
Who to contact? How to make Google stop? Where to report the abuse of their services? I can't find out. The whole service is basically a big <bleep> off and "we don't want any contact."
Maybe I also need to publish some article, so it can be published here on HN? Maybe that could give it some traction for someone at Google to look into it?
I submitted an account that sent phishing emails last week, but I’m told it’s basically a black hole and to not expect anything anything to happen.
When doing a WHOIS on that IP we'll get a contact address for abuse reports: "google-cloud-compliance@google.com", but sending anything there, returns an error that the user doesn't exists.
For the past week, my Microsoft authenticator has been pinging about sign-ins from random places. Except the login history page is completely empty. Not even my own sign ins show up.
Now, you would be forgiven for thinking it's because my password leaked, but no. The default sign in flow with the app enabled is email + authenticator. No password required. In their eternal wisdom this option is not changeable in the app.
Microsoft really should realize that the only reason the account still exists is because they bought Minecraft and stop complicating my life.
It freaked me out the first time, I went through all the security settings I could find, but it was if it never happened.
I just ignored it the second time, but it's a bit unsettling, because the default authenticator flow also has the chance of accidentally hitting the right number.
1 in 3 and easy to hit by mistake.
I can only envy your adroitness.
Isn't this only if browser have some cookie from previous session or IP didn't change?
Edit: just tried (new IP + private window firefox), you are right, I can enter email and select app notification.
Even after changing my password, I couldn't login to my email on my phone, so I just gave up. I only use that email for a handful of things anyway.
Trying to report this was an exercise in futility, I guess they get so much beg bounty spam that their security submission process filters out the occasional legitimate issue.
Emails comming legitimeley from noreply@business.facebook.com with the text below. Go and decypher which part is Meta template and which is creative use of user supplied text...
Reminds me, we once got a letter by a German government body requesting some data exports from our company, and to upload them on findrive-ni.de
It turned out to be legit, but it's neither a subdomain of the state of Niedersachsen domain nor referenced in their official sites.