
Scam Emails Spoofing Real Microsoft Addresses

Summary

– A legitimate Microsoft email address (no-reply-powerbi@microsoft.com), which the company advises users to allow, is being used to deliver scam emails.
– The scam emails falsely claim a $399 charge and direct recipients to call a phone number to dispute it.
– When called, the scammer instructs victims to download a remote access application, likely to take control of their computer.
– Security researchers report scammers are abusing a Power BI feature that allows external emails to be added as report subscribers.
– The deceptive subscription notice is buried at the bottom of the email, making it easy for recipients to miss.

A sophisticated email scam is currently exploiting a legitimate Microsoft address to trick users into believing they have been charged for a service they never ordered. Security experts warn that this campaign is particularly dangerous because it originates from a verified Microsoft domain that companies are often instructed to trust. The emails, which appear to come from no-reply-powerbi@microsoft.com, mimic official Power BI subscription notifications but contain a fraudulent invoice and a phone number designed to initiate a tech support scam.

Microsoft’s own documentation confirms that this specific address is used to send legitimate subscription emails to mail-enabled security groups. To ensure these important notifications are received, the company advises IT administrators to add this sender to their email allow lists. This official guidance is now being weaponized by threat actors. The fraudulent messages falsely claim a recipient has been charged $399 and provide a phone number to dispute the transaction. When contacted, the scammer instructs the victim to download a remote access application, a classic tactic to gain control of a computer for theft or further malware installation.

Reports from multiple users confirm this is a widespread campaign. Online forums and even Microsoft’s own support pages contain accounts of individuals receiving the identical phishing email. The scam cleverly buries a mention of a Power BI subscription at the very bottom of the message, making it easy for a concerned recipient to miss this context and focus solely on the alarming fake charge. According to security researchers, the attackers are abusing a Power BI feature that permits external email addresses to be added as subscribers for reports, thereby hijacking a legitimate business function for malicious purposes.

This incident serves as a critical reminder that even emails from trusted domains can be malicious. Users should always scrutinize unexpected invoices or payment requests, regardless of the sender’s apparent legitimacy. Verifying charges directly through an official account portal, never by calling a number provided in a suspicious email, is the safest course of action. Organizations should review their security training to emphasize that sophisticated phishing attempts can spoof or misuse authentic corporate addresses, requiring constant vigilance from all employees.
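The structure of the scam described above (an allow-listed sender, a dollar figure, a phone number to call, and a subscription notice tucked in at the end) lends itself to a mail-flow triage check that flags exactly the combination of features a genuine report subscription should never carry. The script below is an added example written for this page, not code from Ars Technica, Microsoft or the researchers cited; the two sample messages, the single allow-listed address, the regular expressions and the two-signal threshold are all constructed assumptions.

```python
"""Triage Power BI subscription e-mails that are really fake invoices.

Added example for this page; not Microsoft tooling. Assumptions (not from the
article): messages are available as plain text with headers, the only
allow-listed sender is no-reply-powerbi@microsoft.com, and a genuine report
subscription never states a charge or asks the reader to phone anyone.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple, Dict

ALLOWED_SENDER = "no-reply-powerbi@microsoft.com"  # address the article says Microsoft asks admins to allow

MONEY_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")          # $399 or $399.00
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")  # North-American style number
CALL_TO_ACTION_RE = re.compile(r"\b(call|dial|contact)\b.{0,60}\b(dispute|cancel|refund|support)\b", re.I | re.S)
CHARGE_WORDS_RE = re.compile(r"\b(charged|invoice|payment|billed|renewal)\b", re.I)
SUBSCRIPTION_RE = re.compile(r"subscri", re.I)  # subscribed / subscriber / subscription


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def parse_message(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw message into a lower-cased header dict and the body text."""
    head, _, body = raw.partition("\n\n")
    headers: Dict[str, str] = {}
    for line in head.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers, body


def sender_address(from_header: str) -> str:
    """Return the bare address from 'Display Name <addr>' or a plain 'addr'."""
    match = re.search(r"<([^>]+)>", from_header)
    return (match.group(1) if match else from_header).strip().lower()


def subscription_only_after_lure(body: str) -> bool:
    """True when the first subscription mention comes after every amount and phone number,
    i.e. the Power BI context is buried below the fake-charge text, as the article describes."""
    sub = SUBSCRIPTION_RE.search(body)
    lure_ends = [m.end() for m in MONEY_RE.finditer(body)] + [m.end() for m in PHONE_RE.finditer(body)]
    return bool(sub and lure_ends and sub.start() > max(lure_ends))


def triage(raw: str) -> Verdict:
    """Flag a message from the allow-listed sender when it carries at least two invoice-scam signals."""
    headers, body = parse_message(raw)
    if sender_address(headers.get("from", "")) != ALLOWED_SENDER:
        # Not the allow-listed address: the normal mail filters apply, nothing special to do here.
        return Verdict(False, ["sender is not the allow-listed Power BI address"])
    reasons: List[str] = []
    if CHARGE_WORDS_RE.search(body) and MONEY_RE.search(body):
        reasons.append("mentions a charge together with a dollar amount")
    if PHONE_RE.search(body) and CALL_TO_ACTION_RE.search(body):
        reasons.append("asks the reader to phone a number about the payment")
    if subscription_only_after_lure(body):
        reasons.append("subscription notice appears only after the charge text")
    return Verdict(len(reasons) >= 2, reasons)


# Constructed samples for illustration; the phone number is a reserved fictional one.
SCAM_SAMPLE = """From: Power BI <no-reply-powerbi@microsoft.com>
Subject: Payment confirmation

Your account has been charged $399.00 for the annual plan.
If you did not authorize this payment, call 1-800-555-0199 to dispute it.

You are receiving this because you were added as a subscriber to a Power BI report.
"""

LEGIT_SAMPLE = """From: Power BI <no-reply-powerbi@microsoft.com>
Subject: Your subscription to "Weekly Sales" is ready

Here is the latest version of the Weekly Sales report you subscribed to.
Open the report in Power BI to see the details.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        verdict = triage(sample)
        print(f"{label}: suspicious={verdict.suspicious} reasons={verdict.reasons}")
```

The check deliberately does nothing for messages from other senders; its only job is to catch the case the article highlights, where an allow-list entry would otherwise let a billing lure through untouched. Requiring two of the three signals keeps an ordinary report subscription that happens to mention a number from being quarantined.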

(Source: Ars Technica)
