How did Microsoft email services become the primary source for spam?
Just did my monthly spam folder sweep. Sometimes legit emails end up in spam, so I regularly make sure that something important was not lost amongst the trash. Looking at sender details I noticed that 99% of spam emails are now coming from Microsoft email services, like Outlook and Hotmail. What happened? Did other email providers improve security? Is there some security hole in Microsoft services that allows easy registration for throwaway email accounts? I'm interested from a purely technical aspect: what might have shifted most spam to MS services?
And most important question: is Microsoft going to do something about it, as service abuse reports seem to make no difference.
Heh, I received a spam email through my gmail which bypassed the spam filters and decided to investigate. It had DKIM signing as the sender was an Exchange 365 mailbox. The spam message originated from an Amazon SES which hooked through a compromised Exchange 365 mailbox. I contacted Microsoft Security Response with the Exchange mailbox in question to get this bullshit response.
The activity reported is associated with a customer account within the Microsoft Azure service. Microsoft Azure provides a cloud computing platform in which customers can deploy their own software applications. Customers, not Microsoft, control what applications are deployed on their account.
So why are we even using DKIM at all if bad actors can abuse an open cloud TOS.
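The trace the comment above describes (a DKIM pass from a tenant domain whose earliest Received hop is a third-party relay) can be reconstructed from the raw headers. The script below is an added example, not code from the commenter or from any provider; the message, hostnames, IPs and domains in it are constructed for illustration. It uses only the standard library: it takes the DKIM `d=` domain and the `Authentication-Results` verdict, walks the Received chain from the last hop (written by the receiving MX) back to the earliest claimed hop, and turns that into the two facts worth stating in an abuse report.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (hostnames, IPs and domains are made up for this
# example): DKIM-signed by a Microsoft 365 tenant's domain, but the earliest
# Received hop shows it was handed to that tenant's mailbox from an unrelated
# third-party relay, the pattern the comment above describes.
SAMPLE = b"""Received: from tenant-outbound.protection.example.com (tenant-outbound.protection.example.com [203.0.113.10])
 by mx.example.org with ESMTPS id 4Zx1; Tue, 1 Jan 2030 00:00:03 +0000
Received: from TENANT-EXCH01.example.com (203.0.113.20) by
 TENANT-EXCH02.example.com (203.0.113.21) with Microsoft SMTP Server;
 Tue, 1 Jan 2030 00:00:02 +0000
Received: from ses-relay.example.net (ses-relay.example.net [198.51.100.5])
 by TENANT-EXCH01.example.com with ESMTPSA; Tue, 1 Jan 2030 00:00:01 +0000
Authentication-Results: mx.example.org; dkim=pass header.d=contoso-tenant.example.com;
 spf=pass smtp.mailfrom=contoso-tenant.example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso-tenant.example.com;
 s=selector1; h=from:to:subject; bh=REDACTED; b=REDACTED
From: "Accounts Payable" <compromised.user@contoso-tenant.example.com>
To: victim@example.org
Subject: Invoice 4471

Please see the attached invoice.
"""

# IPv4 literal in either the [brackets] or (parentheses) MTAs commonly use.
IP_RE = re.compile(r'[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]')


def parse_hop(value):
    """Pull the claimed sending host and its IP out of one Received header."""
    v = ' '.join(value.split())          # unfold continuation lines
    m_from = re.match(r'from\s+(\S+)', v, re.I)
    m_ip = IP_RE.search(v)
    return {
        'from_host': m_from.group(1) if m_from else None,
        'ip': m_ip.group(1) if m_ip else None,
        'raw': v,
    }


def trace(raw):
    """Return DKIM, From and Received-chain facts for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Each MTA prepends its Received header: index 0 is the hop our own MX
    # wrote, the last entry is the earliest (and least trustworthy) hop.
    hops = [parse_hop(str(h)) for h in msg.get_all('Received', [])]
    dkim_sig = ' '.join(str(msg.get('DKIM-Signature', '')).split())
    auth = ' '.join(str(msg.get('Authentication-Results', '')).split())
    m_d = re.search(r'(?:^|;)\s*d=([^;\s]+)', dkim_sig)
    m_res = re.search(r'\bdkim=(\w+)', auth)
    from_domain = parseaddr(str(msg.get('From', '')))[1].rpartition('@')[2].lower()
    return {
        'from_domain': from_domain,
        'dkim_domain': m_d.group(1).lower() if m_d else None,
        'dkim_result': m_res.group(1).lower() if m_res else None,
        'hops': hops,
        'origin_host': hops[-1]['from_host'] if hops else None,
        'origin_ip': hops[-1]['ip'] if hops else None,
    }


def findings(info):
    """Turn the trace into the statements an abuse report can actually support."""
    out = []
    if info['dkim_result'] == 'pass' and info['dkim_domain'] == info['from_domain']:
        out.append(
            f"DKIM passes and aligns with From ({info['from_domain']}): the message "
            "really went through that domain's signer, so DKIM vouches for the "
            "relay, not for who wrote the mail.")
    if len(info['hops']) > 1:
        out.append(
            f"Earliest hop claims to be {info['origin_host']} [{info['origin_ip']}]; "
            "only the Received header written by your own MTA is trustworthy, so "
            "treat this as a lead, not proof.")
    return out


if __name__ == '__main__':
    for line in findings(trace(SAMPLE)):
        print(line)
```

Run it against a saved `.eml` by replacing `SAMPLE` with the file's bytes. The point of the second finding is the caveat people skip when reporting: anything below the Received line your own MX added was written by the other side and can be forged, so the "Amazon SES" origin is evidence to hand the tenant's provider, not something the DKIM pass itself proves.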
It's just you. Mine are from owned domains and Gmail.
Google has a problem where if you pay for a workspace account (or maybe even trial?) you get a temporary trust, which you can abuse for spamming, that gmail.com users don't get. So people open farms of workspace accounts (with fake id/ stolen CC?) and go wild.
I am just guessing, but O365 (I can't remember its new name) has been used by many businesses and I would expect the spammers are counting on business IT folks being lazy and just whitelisting O365's domains rather than custom per-company domain endpoints from O365. Meaning, sending from popular providers such as O365 or Gmail is more likely to be whitelisted than one-off email provider domains. But I am just guessing.
Another possibility could be that receivers of email from O365 may not see an easy way to report the spam to Microsoft, or perhaps Microsoft does not have enough folks dedicated to dealing with UCE/malware reports. Just my own experience, but when talking to Microsoft about this topic they would refer me to a partner, Proofpoint, which a former company ended up using to front-end O365. That left me with the impression they did not want to be in the business of dealing with UCE/malware reports and wanted to either automate it or outsource to a partner.
It must just be you. ~20,000-user org here and from my own statistical analysis, we get far more from Gmail than MSFT.
We also never get any response from Google when reporting spam campaigns or GApps compromises.
How? Probably the many millions of idle/stale accounts that had their passwords exposed on the hundreds of password database leaks.
Microsoft does seem to make it very easy to sign up for their accounts. I used to run a compute service that had a credit card -less free trial. It was peak crypto, so there were a lot of people creating outlook.com accounts, using that to create a Github account, and then logging into our service as a brand new user that way. They would then mine crypto for the duration of the free trial and then rinse and repeat.
I think at the time I went through Github's sign-up flow, and you didn't have to even verify your email address to be able to OAuth with your Github account. (I didn't try signing up for an outlook.com email address, so I'm not sure what that entails.) GMail, comparatively, appeared to be more paranoid. We eventually prevented outlook.com addresses from getting a free trial without talking to a human first, and the people looking for a free crypto-miner didn't come back. (They tried Proton as their second choice.) We never banned GMail, so I can only assume that people had a harder time signing up, which is pretty impressive on Google's part.
Lack of participation in DMARC by default certainly isn't helping. Not sending those reports makes all those exchange servers invisible during your DMARC deployment process, which makes deploying DMARC harder if you're on exchange, which makes it easier for people to impersonate your domain.
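The deployment process the comment refers to is driven by DMARC aggregate (rua) reports: each participating receiver sends the domain owner an XML summary of which source IPs sent mail using its domain and whether SPF/DKIM aligned. The script below is an added example (not the commenter's code) that parses one such report in the RFC 7489 Appendix C schema; the reporter name, IPs, domains and counts are constructed. It groups the records by source IP and answers the question you need before tightening the policy: which senders would bounce under `p=reject`, and how much mail that is. A receiver that never sends these reports contributes no rows, which is exactly how a sending host can stay invisible.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate (rua) report for the domain example.org in the
# RFC 7489 Appendix C schema. The reporting org, IPs and counts are made up.
SAMPLE_RUA = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1234</report_id>
    <date_range><begin>1893456000</begin><end>1893542400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>bulk-mailer.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.44</source_ip><count>18</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>unknown.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate(xml_text):
    """Group an aggregate report by source IP, keeping aligned/unaligned counts."""
    root = ET.fromstring(xml_text)
    pol = root.find('policy_published')
    sources = defaultdict(lambda: {'aligned': 0, 'unaligned': 0,
                                   'spf_domains': set(), 'dkim_domains': set()})
    for rec in root.findall('record'):
        row = rec.find('row')
        ip = row.findtext('source_ip')
        count = int(row.findtext('count'))
        ev = row.find('policy_evaluated')
        # policy_evaluated holds the *aligned* results; DMARC passes if
        # either aligned DKIM or aligned SPF passed.
        key = 'aligned' if 'pass' in (ev.findtext('dkim'), ev.findtext('spf')) else 'unaligned'
        sources[ip][key] += count
        # Raw auth domains tell you who the sender really is (bulk mailer,
        # unknown host), which is what you need to decide whether to fix or block it.
        for tag in ('spf', 'dkim'):
            for el in rec.findall(f'auth_results/{tag}'):
                sources[ip][f'{tag}_domains'].add(el.findtext('domain'))
    return {
        'domain': pol.findtext('domain'),
        'policy': pol.findtext('p'),
        'reporter': root.findtext('report_metadata/org_name'),
        'sources': dict(sources),
    }


def unaligned_sources(report):
    """Source IPs that would be rejected under p=reject, highest volume first."""
    rows = [(ip, s['unaligned'], sorted(s['spf_domains'] | s['dkim_domains']))
            for ip, s in report['sources'].items() if s['unaligned']]
    return sorted(rows, key=lambda r: -r[1])


def reject_impact(report):
    """Fraction of the reported mail that would bounce if the policy moved to p=reject."""
    total = sum(s['aligned'] + s['unaligned'] for s in report['sources'].values())
    lost = sum(s['unaligned'] for s in report['sources'].values())
    return lost / total if total else 0.0


if __name__ == '__main__':
    rep = parse_aggregate(SAMPLE_RUA)
    print(rep['reporter'], rep['domain'], 'p=' + rep['policy'])
    for ip, n, doms in unaligned_sources(rep):
        print(f'{ip}: {n} messages unaligned, auth domains {doms}')
    print(f'{reject_impact(rep):.1%} of mail would be rejected')
```

In the constructed report the bulk mailer at 198.51.100.7 fails SPF but is still aligned because it signs with the domain's own DKIM key, so it survives `p=reject`; only 192.0.2.44 would be lost. Real reports arrive as gzip or zip attachments and cover many receivers, so in practice you merge the `sources` dicts across files and across days before reading anything into a single low-volume IP.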
Microsoft has needed to fix this for years.
Truth? Inadequate spam control, even on E5 and most people are gullible and click-happy. It's equally astounding and frightening just how many compromised mail accounts are out there. Training is inadequate, with most security and IT orgs making excuses for their users.
For the last month or so, I've been watching GMail fight a losing battle in my inbox against a lone spammer using Outlook.com accounts to push a Yeti Cooler from Dick's Sporting Goods.
Every time they think they've got the bastard, he changes Goods to G00ds, or changes the subject line to "Confirmation Email", and it slips through again and hits my Primary, easy as pie. This happens at least a couple times a week.
All the cheesy tricks we thought stopped working 20 years ago are back in play for this one intrepid spammer. GMail just can't seem to stop itself from completely trusting just about any email from Outlook.com.
Now I'm wondering why more people haven't figured this out.
Yes.
I know at least one way to create unlimited outlook accounts for $0 (no paid proxy needed, no phone number, just a captcha solver model that can run on any PC; you could get a million outlook accounts for $0).
I found this by accident, so there are probably dozens of ways to do this if you look hard enough.
There is also ways to get unlimited free premium exchange accounts.
Also most microsoft users are technically inept, so their accounts probably get hacked more often than other people.
These people coded Windows. No wonder nothing works as intended.
Cycled through several email providers to say confidently that rich widows, Nigerian princes & doctors selling OTC pain, antidepressant & penis enlargement meds still love Yahoo Mail & its Pro sibling with custom domain, the undisputed king of spam mail providers.
We had a phishing email this week that Microsoft Defender let through. Its email body link was a Microsoft short URL like https://ncv.microsoft.com/ which then landed on another Microsoft URL that began with https://customervoice.microsoft.com/Pages/ResponsePage.aspx and showed a legitimate looking FAX/PDF download, which was the only link in the chain that was obviously some odd scam site.
The first link still works and it seems to redirect to a random scam page each time.
Most of my spam messages are attributed to gmail per Spamcop. However, for the past year, I get 1 or 2 a day that Spamcop says are from Microsoft.
Most of the ones from Microsoft servers are old Mailchimp messages (headers and body, hours to 10 years old) with 2 image links and 2 shortened links added.
Yahoo/AOL/Verizon does not detect them as spam.
I report to all involved and receive auto-responses and canned text. AWS is helpful, but Microsoft, Cloudflare and Zendesk are less than helpful.
The spam messages are useless without the images, so I concentrate on the image links. There seems to be an endless supply of free image hosting services.
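Since the comment above reports on the image hosts and shortened links rather than the (recycled) text, here is an added example of pulling those out of an HTML body; it is not the commenter's tooling, and the sample newsletter, hosts and link tokens are constructed. It uses the standard library `html.parser` to list every remote image and link host, ignores inline `cid:` and `data:` images (they carry nothing worth reporting), and applies a labelled heuristic for shortener-style links: a short opaque path token mixing letters and digits with no query string.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body in the shape the comment describes: an old newsletter
# reused as carrier, with two remote images and two shortened links added.
# All hosts and tokens are made up for this example.
SAMPLE_HTML = """<html><body>
<p>Your monthly newsletter</p>
<img src="cid:logo001@newsletter">
<img src="https://img-host-free.example/u/8f3a2c1.png" width="600">
<a href="https://shrt.example/x7Qz9K"><img src="https://img-host-free.example/u/promo77.jpg"></a>
<p>Unsubscribe: <a href="https://newsletter-archive.example/unsub?id=12345">here</a></p>
<a href="https://shrt.example/p0LmN2">Claim now</a>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect img src and a href values in document order."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'img' and a.get('src'):
            self.images.append(a['src'])
        elif tag == 'a' and a.get('href'):
            self.links.append(a['href'])


def looks_shortened(url):
    """Heuristic (an assumption of this example, not a standard): a bare
    http(s) URL whose whole path is one 4-12 char token of letters and digits
    with no query string, the shape most URL shorteners produce."""
    u = urlparse(url)
    token = u.path.lstrip('/')
    return (u.scheme in ('http', 'https') and not u.query
            and re.fullmatch(r'[A-Za-z0-9_-]{4,12}', token) is not None
            and any(c.isdigit() for c in token) and any(c.isalpha() for c in token))


def remote_resources(html_body):
    """Hosts an HTML mail depends on: remote images, link targets, shortener-like links."""
    p = ResourceCollector()
    p.feed(html_body)
    p.close()

    def hosts(urls):
        # cid: and data: images are embedded, so they have no host to report.
        return Counter(urlparse(u).hostname for u in urls
                       if urlparse(u).scheme in ('http', 'https'))

    return {
        'image_hosts': hosts(p.images),
        'link_hosts': hosts(p.links),
        'short_links': [u for u in p.links if looks_shortened(u)],
    }


if __name__ == '__main__':
    r = remote_resources(SAMPLE_HTML)
    print('image hosts:', dict(r['image_hosts']))
    print('link hosts:', dict(r['link_hosts']))
    print('shortener-like links:', r['short_links'])
```

To run it on a real message, take the `text/html` part (`msg.get_body(preferencelist=('html',)).get_content()` with the `email` module) and pass it to `remote_resources`. The output is the two lists an abuse report needs: the image hosting service, without which the message is blank, and the shortener, which is the only link the spammer can rotate cheaply.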
I don't know about primary source, but it is absolutely impossible to get your own MXs whitelisted by Microsoft, eg if they are in OVH IP range.
Dunno if they still do this, but years ago when I created one email account per service I used (github/jobs/online orders), I didn't have to add a phone number or other 2fa to the Outlook addresses themselves inside Outlook, but I did have to do it for the Gmail addresses. That being said, after a certain period of time, I think Outlook eventually prompted me to add 2fa.
A big chunk of spam belongs to Google Workspace and Microsoft 365 nowadays. Worst being that Google shares servers for free and paid customers; we had lots of email deliverability issues, because Workspace servers are constantly in spam lists! Filtering out *.onmicrosoft.com is a simple rule to delete tons of spam nowadays!
You've hit it with this phrase:
> "service abuse reports seem to make no difference"
Microsoft email services are being used to create these spam accounts as they are much easier to set up and get running. And if a spammer is using a Windows-based OS, setting up multiple mail accounts using the Mail app is almost a breeze (including managing those multiple email accounts).
Weird coincidence, I had to troubleshoot why emails from my personal email were marked as spam by Outlook.
On the contrary, I mostly get spam from yahoo and gmail addresses.
Microsoft is pretty rare for me to see in spam.
Is all the other spam just getting completely dropped at the edge?
I got most of the spam from Google.