Scammers Sent Spam From Microsoft's Real Address. Can Anyone Do That With Yours?
Attackers had to break into Microsoft's systems to abuse its name. Abusing most other domains takes no break-in at all, just a few DNS records nobody set up. Here's the fix that protects your business and gets your email delivered.
June 17, 2026 · Confidanti · 3 min read
- news
- dns
- deliverability
- impersonation
Earlier this year, researchers caught scammers sending junk mail from one of the last addresses you'd expect: msonlineservicesteam@microsoftonline.com, a genuine Microsoft notification account. They'd registered as new customers and bent Microsoft's own systems into sending scam messages that arrived looking like the real thing.
The detail that makes this worth your attention: nothing was forged. The mail genuinely came from Microsoft, so there was no fake sender for a spam filter to catch.
Outsiders can't simply send mail that appears to come from microsoftonline.com and reach inboxes. Microsoft's domain is configured to stop exactly that. Which is why the scammers had to take the hard, expensive path of getting inside the real system to borrow the name.
So ask the uncomfortable question: how hard would it be for someone to send email that looks like it comes from your business? If your domain isn't set up to prevent it, the answer is: trivially. The email protocol itself allows anyone to put you@yourcompany.com in the "From" line from any server on the internet, and nothing stops the message from landing in your customer's inbox as you.
The lock lives in your DNS
What stops impersonation is a set of records in your domain's DNS settings — collectively, email authentication. You don't need to administer them yourself, but it's worth knowing the three pieces by name, because they'll come up the moment anyone looks:
- SPF is the guest list of mail servers allowed to send for you.
- DKIM is a tamper-evident seal proving a message really came from you.
- DMARC ties them together and tells receiving servers what to do with mail that fails — and sends you reports on who's using your name.
When these are missing, your domain is the easy target the Microsoft scammers didn't have. It's also a common gap we find. Scan a typical business domain and two findings come back, both rated HIGH:
HIGH — No SPF record. Receivers cannot validate that mail claiming to be from this domain comes from authorized servers.
HIGH — No DMARC record. Without it, receivers have no instruction on how to handle messages that fail.
That last line is the whole problem in a sentence: a forged message arrives, and nothing happens, because no one ever told the receiving server to care.
One fix, two payoffs
Getting this right does two jobs at once, which is what makes it the rare security task with an immediate business upside.
It protects your name. Set up correctly, it stops outsiders from impersonating your domain. A scammer can't email your customers, suppliers, or staff as you, asking them to pay a fake invoice or reset a password.
It gets your real email delivered. The same setup is now the price of admission to the recipient's inbox. Since 2024, Google and Yahoo have required senders to authenticate their mail or risk having it rejected, and the same signals quietly decide whether your mail lands in the inbox or the spam folder. The properly configured domain is the one whose messages actually arrive.
Getting it right
The tasks themselves are simple, but the project stretches over a couple of weeks because the rollout has to be monitored. The one thing to get right is the order: turn on the protections, but start in monitoring mode first so you can confirm your own legitimate mail (the newsletter tool, the invoicing app, the CRM) still passes, then switch on enforcement. Flip it the other way and you can send your own email to the spam folder. Done carefully, it's a one-time setup that keeps paying off.
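The scan findings quoted earlier and the monitoring-then-enforcement order can both be checked mechanically. The following is an added example, not Confidanti's scanner: it assumes the TXT records for the domain and for `_dmarc.<domain>` have already been looked up, and it treats DMARC `p=none` as monitoring mode and `p=quarantine` or `p=reject` as enforcement. The function names, the MEDIUM severity and the sample records are constructed for illustration.

```python
# Added example: severities other than the two HIGH findings quoted above are assumptions.
def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(apex_txt, dmarc_txt):
    """apex_txt: TXT strings at the domain; dmarc_txt: TXT strings at _dmarc.<domain>.
    Returns (stage, findings); stage is 'unprotected', 'monitoring' or 'enforcing'."""
    findings = []
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append(("HIGH", "No SPF record"))
    elif len(spf) > 1:
        findings.append(("HIGH", "Multiple SPF records; receivers treat this as an error"))
    elif {"all", "+all"} & set(spf[0].lower().split()):
        findings.append(("HIGH", "SPF ends in +all, which authorizes every server"))

    dmarc = [r for r in dmarc_txt if r.replace(" ", "").startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(("HIGH", "No DMARC record" if not dmarc else "Multiple DMARC records"))
        return "unprotected", findings
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return "enforcing", findings
    if policy == "none":
        if "rua" not in tags:  # monitoring mode is only useful if reports arrive
            findings.append(("MEDIUM", "p=none without rua: monitoring with no reports"))
        return "monitoring", findings
    findings.append(("HIGH", "DMARC record has no valid p= policy"))
    return "unprotected", findings

# Constructed sample records (example.com / example.net are reserved documentation domains).
SAMPLES = {
    "nothing published": (["google-site-verification=abc123"], []),
    "monitoring mode": (["v=spf1 include:_spf.example.net ~all"],
                        ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]),
    "enforcement": (["v=spf1 include:_spf.example.net -all"],
                    ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]),
}

if __name__ == "__main__":
    for name, (apex, dmarc) in SAMPLES.items():
        print(name, audit(apex, dmarc))
```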
The honest limit
This locks down your exact domain. It doesn't stop a lookalike — yourc0mpany.com with a zero, or a friendly display name over a stranger's address. Those are a different layer, and a big reason employees still need to spot a phishing email when one slips through.
But the exact-domain lock is the foundation, and most businesses simply don't have it. The Microsoft story only made the news because abusing Microsoft is hard. Make abusing your business hard, too — it's a few records and a couple of weeks monitoring the results.
Not sure what your domain says about you? A DNS and email check is part of every Confidanti exposure scan — talk to us and we'll show you exactly what an attacker sees.