by weinzierl
13 subcomments
- Who even can be sure microsoftonline.com is legit. Microsoft's domain story is such a mess, I wouldn't be surprised if not even internally they have one complete list of all the domain assets they own.
But they are not alone. It is kind of ironic when companies insist that we check the domain to spot spam but are unable publish a list with all domains they officially use to send mail.
- On a semi-related note, Microsoft security is genuinely terrible.
For the past week, my Microsoft authenticator has been pinging about sign-ins from random places. Except the login history page is completely empty. Not even my own sign ins show up.
Now, you would be forgiven for thinking it's because my password leaked, but no. The default sign in flow with the app enabled is email + authenticator. No password required. In their eternal wisdom this option is not changeable in the app.
Microsoft really should realize that the only reason the account still exists is because they bought Minecraft and stop complicating my life.
- My employer's domain starts with "m". Bunch of people recently fell victim for a fishing email whose domain started with "rn". In Outlook 's font the two look almost identical.
- I feel sad that what I think of as the obvious solution, companies using subdomains like internal.microsoft.com instead of making a million different domains, is so far from happening that no one here on HN has even brought it up.
- A while back I had a reservation with a hotel on Booking and I received a phish attempt that came directly via the Booking site domain email and also DMs but "sent" by the hotel. When I looked into it at the time, it seemed less like an issue of hotels specifically having their accounts infiltrated and more like some kind of message/email endpoint on Booking's end was being abused in a similar manner.
I'm not sure this is the same type of issue but found this interesting, especially since apparently it's been reported to MS and no action has been taken.
by binaryturtle
2 subcomments
- I'm receiving daily about 20 to 30 spam mails from google servers. I'm sorting them into a separate SPAM folder for the "fun" of it.
Who to contact? How to make Google stop? Where to report the abuse of their services? I can't find out. The whole service is basically a big <bleep> off and "we don't want any contact."
Maybe I also need to publish some article, so it can be published here on HN? Maybe that could give it some traction for someone at Google to look into it?
by nipperkinfeet
0 subcomment
- This is a long-standing issue that has persisted for years.
- Meta had(has?) a similar bug with one of their business manager features, the attacker has complete control of the initial body text which makes it highly convincing.
Trying to report this was an exercise in futility, I guess they get so much beg bounty spam that their security submission process filters out the occasional legitimate issue.
- Damn. And this completely bypasses any anti-spoofing protection.
- Is something similar happening with paypal? I've been getting seemly emails from the PayPal domain that are obviously a scam.
- I got a coinbase scam from @akamai.com once. One of their acquisitions had a bad SPF I believe.
- I've been receiving loads of spam from google MX servers lately until blocking all mails with X-Google-Group-Id headers. I don't know how it's possible, the contents were 100% spammer controlled, no Google template
- I got one of those random 2auth codes email and I assumed my password had been compromised. At least it's some kind of relief to know that it's only a compromised Microsoft email address...
- big vendors asking users to inspect domains while spreading mail across unclear domains is part of the problem. publishing a signed, boring source of truth for official sending domains would help defenders a lot.
- I mean, it happened to the FBI... https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-...
by MichaelZuo
3 subcomments
- How does it work when a genuine microsoft domain is spending out spam?
Do other email providers penalize that specific domain only, or all microsoft domains to a tiny degree?
by ChrisArchitect
0 subcomment
- https://abnormal.ai/blog/system-notification-abuse-microsoft...
- Pretty apropos and quite ironically encapsulates what Microsoft has turned into over the past few years in particular.
Imagine this is some truly errant copilot instance truly embracing its slop destiny.
lol
- shocking..
- [flagged]
- [dead]
by sieabahlpark
0 subcomment
- [dead]
- Did anyone there try to ask ChatGPT to come up with a solution?
Hacker News