Who even can be sure microsoftonline.com is legit. Microsoft's domain story is such a mess, I wouldn't be surprised if not even internally they have one complete list of all the domain assets they own.
But they are not alone. It is kind of ironic when companies insist that we check the domain to spot spam but are unable publish a list with all domains they officially use to send mail.
dminiktoday at 8:56 AM
On a semi-related note, Microsoft security is genuinely terrible.
For the past week, my Microsoft authenticator has been pinging about sign-ins from random places. Except the login history page is completely empty. Not even my own sign ins show up.
Now, you would be forgiven for thinking it's because my password leaked, but no. The default sign in flow with the app enabled is email + authenticator. No password required. In their eternal wisdom this option is not changeable in the app.
Microsoft really should realize that the only reason the account still exists is because they bought Minecraft and stop complicating my life.
bsolestoday at 1:56 PM
My employer's domain starts with "m". Bunch of people recently fell victim for a fishing email whose domain started with "rn". In Outlook 's font the two look almost identical.
drdectoday at 1:10 PM
I feel sad that what I think of as the obvious solution, companies using subdomains like internal.microsoft.com instead of making a million different domains, is so far from happening that no one here on HN has even brought it up.
spike021today at 2:22 AM
A while back I had a reservation with a hotel on Booking and I received a phish attempt that came directly via the Booking site domain email and also DMs but "sent" by the hotel. When I looked into it at the time, it seemed less like an issue of hotels specifically having their accounts infiltrated and more like some kind of message/email endpoint on Booking's end was being abused in a similar manner.
I'm not sure this is the same type of issue but found this interesting, especially since apparently it's been reported to MS and no action has been taken.
nipperkinfeettoday at 6:48 PM
This is a long-standing issue that has persisted for years.
ismaelywstoday at 6:42 PM
Damn. And this completely bypasses any anti-spoofing protection.
binaryturtletoday at 8:33 AM
I'm receiving daily about 20 to 30 spam mails from google servers. I'm sorting them into a separate SPAM folder for the "fun" of it.
Who to contact? How to make Google stop? Where to report the abuse of their services? I can't find out. The whole service is basically a big <bleep> off and "we don't want any contact."
Maybe I also need to publish some article, so it can be published here on HN? Maybe that could give it some traction for someone at Google to look into it?
r1chtoday at 12:01 PM
Meta had(has?) a similar bug with one of their business manager features, the attacker has complete control of the initial body text which makes it highly convincing.
Trying to report this was an exercise in futility, I guess they get so much beg bounty spam that their security submission process filters out the occasional legitimate issue.
aftbittoday at 5:32 PM
I got a coinbase scam from @akamai.com once. One of their acquisitions had a bad SPF I believe.
wnevetstoday at 2:01 AM
Is something similar happening with paypal? I've been getting seemly emails from the PayPal domain that are obviously a scam.
krotoday at 1:51 PM
I've been receiving loads of spam from google MX servers lately until blocking all mails with X-Google-Group-Id headers. I don't know how it's possible, the contents were 100% spammer controlled, no Google template
zer0tonintoday at 10:19 AM
I got one of those random 2auth codes email and I assumed my password had been compromised. At least it's some kind of relief to know that it's only a compromised Microsoft email address...
okandshiptoday at 9:06 AM
big vendors asking users to inspect domains while spreading mail across unclear domains is part of the problem. publishing a signed, boring source of truth for official sending domains would help defenders a lot.