A surge of scam spam is originating from a genuine Microsoft address

by admin

Reports indicate a bona fide Microsoft email address—which Microsoft explicitly tells customers to add to their allow list—is being used to send scam messages.

The messages come from [email protected], an address associated with Power BI. That Microsoft service delivers analytics and business intelligence from multiple sources and can consolidate them into a single dashboard. Microsoft documentation notes the address is used to send subscription emails to mail-enabled security groups. To keep spam filters from blocking it, the company recommends adding the address to allow lists.

From Microsoft, with malicious intent

An Ars reader reported that on Tuesday the address sent her an email falsely claiming a $399 charge had been made on her account. The message included a phone number to dispute the transaction. When she called to cancel the purchase, a man who answered told her to download and install a remote-access application—apparently so he could then control her Mac or Windows machine (Linux wasn’t permitted). The email, shown in the two screenshots below, looked like this:

Web searches turned up a dozen or so reports from others who said they’d received the same message. Some of the spam was reported on Microsoft’s own website.
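The pattern described above (a fake-charge notice with a callback number, arriving from an allow-listed sender) can still be caught if allow-listing exempts a sender from reputation checks but not from content checks. The Python sketch below is an added example, not code from the article or from Microsoft; the allow-list address, signal patterns, threshold and sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: placeholder allow-list entry, not the address from the article.
ALLOW_LIST = {"reports@allowlisted.example"}

# Callback-scam signals: a charge amount, a phone number, "call to dispute" wording.
SIGNALS = {
    "amount": re.compile(r"[$€£]\s?\d{2,5}(?:\.\d{2})?"),
    "phone": re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}"),
    "callback": re.compile(
        r"\b(?:call|dial|phone)\b.{0,60}\b(?:cancel|dispute|refund)\b", re.I | re.S),
}

def triage(raw: str):
    """Return (verdict, matched_signals) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender not in ALLOW_LIST:
        return "normal-filtering", []      # regular spam pipeline handles it
    part = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(text))
    # Allow-listed mail skips reputation checks but not content checks:
    # two or more signals means a person or a sandbox looks at it first.
    return ("hold-for-review" if len(hits) >= 2 else "deliver"), hits

# Constructed sample messages (not real mail).
SCAM = """From: Reports <reports@allowlisted.example>
Subject: Payment confirmation

Your account was charged $399.00. If you did not authorize this,
call +1 (555) 010-0199 to dispute the transaction.
"""
REPORT = """From: Reports <reports@allowlisted.example>
Subject: Weekly sales dashboard

Revenue for the period was $48210.50 across 12 regions.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("report", REPORT)):
        print(name, triage(raw))
```

A single signal, such as a revenue figure in a genuine report, is not enough to hold a message; the combination of amount, phone number and dispute wording is what distinguishes the lure.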

Sarah Sabotka, a threat researcher at security firm Proofpoint, said scammers are exploiting a Power BI feature that lets external email addresses be added as subscribers to Power BI reports. A note about the subscription is tucked into the very bottom of the message, where it’s easy to miss. The researcher explained:
