I think Microsoft has a general problem with getting rid of unwanted things within their ecosystem. I keep complaining that their feedback.azure.com portal is filled with spam/malware comments and links, but even internally their teams can't reach anyone to get it fixed. Example https://feedback.azure.com/d365community/idea/9d0b22d8-c025-...
As another data point: MSFT have some sort of open mail server/service called onmicrosoft.com which (in my experience anyway) is only being used to send out fraudulent paypal messages. Because it lets the spammer set the From to service@paypal.com and also contains valid DKIM etc, it sails past spam filtering. There are so many complaints about this on (real) paypal.com forums, but Microsoft are apparently unable to do anything about it.
I think I read somewhere that scammers set up an email distribution list / alias / forwarding from one something.onmicrosoft.com account to dozens of victims, and then they trigger a (real!) paypal email with that one something.onmicrosoft.com address as the recipient. So the email has a valid DKIM signature from paypal, then microsoft forwards that email to all the victims, which will still pass DKIM while amplifying the attack (and maybe boosted by microsoft's SPF reputation as well) to hit as many people as possible. Apparently the paypal emails are real but dangerous as they will allow the attacker to somehow take over the victim's account if they log in, as the "middleman" onmicrosoft.com alias then becomes associated with the account which was the original "to"-email from paypal. Something like that, at least.
Messages pass DMARC because they originate at paypal servers (and have valid DKIM) but O365 abused to spread these messages and MS doing little to stop abuse.
Most email providers support mail forwarding and distribution lists, but maybe they should have added some sort of opt-in confirmation when adding recipients outside the local domain...?
onmicrosoft is "on microsoft" and is used behind the 365 company workspace. I have an onmicrosoft email for a 365 developer account, and anyone who connects to our company via teams seems to get a "{original_email}@{company}.onmicrosoft.com" ID setup, so I assume they're probably using it for things behind the scenes which also needs to void DKIM or something.
Feels like just adding a direct "don't send as paypal, apple etc" rules would probably work though.
I use a (redacted).onmicrosoft.com tenant which is free of cost to me as a sandbox to learn about office 365 admin stuff. I don't work on it every day but it is nice to have this sandbox. I don't send spam or phishing emails. I don't send emails from this tenant at all to others, only to my own email addresses or to people I know for testing purposes.
Presumably you don't send out emails appearing to come from service@paypal.com saying things like "Reminder: You've still got a money request", with an HTML body that looks exactly like Paypal but contains a fraudulent link and phone number, so you should be fine.
No, I didn't. I did get those emails a lot on my university dot edu email. I understand there are legacy/compatibility challenges with the telephone infrastructure but you'd think this problem is entirely solvable with emails. :/
This isn't really related to the parent comment, but I can't help myself from asking. I've been getting emails that look like they're from my own email address. They usually threaten to share my browser history unless I pay money. Has anyone else seen these kinds of scam emails? How can I stop them? I use two-factor authentication, so my account should be safe, but these emails still worry me. Any tips would be great!
If you are in control of the domain of your email address, enable SPF and DKIM for that domain, together with strict policies that mail servers should reject spoofed mails claiming to come from that domain. If your own mail server supports validating SPF and DKIM, you would no longer receive such forged mails, nor anyone else behind a mail server supporting SPF and DKIM.
If you aren't in control... just ignore it like any other spam mail.
The thing that enforces the existence of either SPF or DKIM is called DMARC, setting that to "reject" or "quarantine" is the most critical step for preventing forgeries like that.
E-Mail allows setting the From header to whatever you want. These mails won't have valid DKIM or SPF data because they're not sent through your mail server. There's nothing to worry about, it's just spam, your account isn't compromised (unless of course it is, and they're sending it through yours, but they likely wouldn't try to scam you like that then).
Just one of the quirks of e-mail we have to live with.
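The replies above (enable SPF and DKIM, then a DMARC policy of reject or quarantine) come down to one rule: the domain in the visible From: header has to align with either the domain that passed SPF or the d= domain of a DKIM signature that verified. A mail forged to look like it came from yourself, injected from some unrelated host, has neither. The following is an added example, not code from anyone in the thread, that evaluates that alignment on constructed authentication results; example.com, the attacker host and the record contents are placeholders, and the organizational-domain helper deliberately skips the Public Suffix List lookup a real implementation needs.

```python
"""Added example: DMARC alignment decision on constructed inputs.

DMARC passes if the RFC5322.From domain aligns with the SPF-authenticated
MAIL FROM domain or with the d= of a passing DKIM signature. Otherwise the
receiver applies the p= action from the sender domain's _dmarc TXT record.
"""
from dataclasses import dataclass

# What the DNS for example.com could publish (illustrative values; pick the
# SPF mechanisms that match your real outbound hosts).
SPF_RECORD = "v=spf1 mx -all"
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"


def org_domain(domain: str) -> str:
    """Organizational domain, naive two-label version.

    Assumption: real implementations consult the Public Suffix List so that
    e.g. "mail.example.co.uk" maps to "example.co.uk"; this helper does not.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment per the adkim/aspf tag: 's' strict, 'r' relaxed."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322 From: header
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # envelope MAIL FROM domain SPF was evaluated against
    dkim_result: str   # "pass", "fail", "none"
    dkim_d: str        # d= tag of the DKIM signature, "" if none


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def dmarc_verdict(auth: AuthResults, record: str) -> str:
    """Return 'pass' or the policy action ('reject', 'quarantine', 'none')."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_result == "pass" and aligned(
        auth.from_domain, auth.spf_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_result == "pass" and aligned(
        auth.from_domain, auth.dkim_d, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


# Constructed case 1: the "pay me or I leak your history" mail forged to come
# from yourself, sent from a host your SPF record never authorised, unsigned.
SPOOFED = AuthResults(from_domain="example.com",
                      spf_result="fail", spf_domain="bulk-sender.invalid",
                      dkim_result="none", dkim_d="")

# Constructed case 2: your own outbound mail, DKIM-signed with d=example.com.
GENUINE = AuthResults(from_domain="example.com",
                      spf_result="pass", spf_domain="example.com",
                      dkim_result="pass", dkim_d="example.com")

# Constructed case 3: your mail relayed by a mailing list that rewrote the
# body (DKIM breaks) and used its own MAIL FROM (SPF no longer aligns). This
# is the legitimate traffic a p=reject policy can cost you.
FORWARDED = AuthResults(from_domain="example.com",
                        spf_result="pass", spf_domain="lists.invalid",
                        dkim_result="fail", dkim_d="example.com")

if __name__ == "__main__":
    for name, case in [("spoofed", SPOOFED), ("genuine", GENUINE),
                       ("forwarded", FORWARDED)]:
        print(f"{name:9s} -> {dmarc_verdict(case, DMARC_RECORD)}")
```

The third case is the caveat behind "reject" versus "quarantine": anything that rewrites your mail in transit without re-signing it will be treated exactly like the forgery, so check DMARC aggregate reports for a while under p=none before tightening.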
Huh, interesting, I just saw something like that in my spam filter for my own domain. It looked like some kind of an email forward from onmicrosoft.com, with the original email spoofed from my own domain with an email that doesn’t even exist on my domain.
Do not click the links or allow images to load, and you will remain safe. View the full raw email and look at the headers. Search who is registered for the domain in question. Contact their hosting provider.
Fortunately, it's still pretty easy to filter these out. No idea why PayPal is ignoring this issue (I forward them to phishing@paypal.com hoping something will happen).
Yes, they're originated by PayPal, but collected by a different original recipient and from there sent on to the victim. The envelope-recipient is not part of the material signed by DKIM, so the signature remains valid.
The To: header _is_ part of the signed material so will list the original recipient not the victim — but the attacker sets the recipient name/address to something misleading like “Order Received” to obscure this, and sets the store name to some long text that will be misleading when templated into the PayPal invoice request mail text.
PayPal have long had a problem with failing to make untrusted supplied text clear in their communications, but this is an unusually convincing attack.
I don't know why they always use (compromised?) onmicrosoft subdomains in particular. In the samples I've seen they're getting an SPF softfail so it doesn't seem MS's relays are passing SPF for paypal (sendgrid's might...)
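To make the mechanics in the replies above concrete: DKIM signs the body plus the headers named in the signature's h= tag, and the SMTP envelope recipient is not among them, so re-addressing the message to new recipients leaves the PayPal signature valid. The signed To: still names the original recipient (the attacker's alias), and SPF is evaluated against the last hop. The following is an added example, not anything posted in the thread; the raw message is constructed, the DKIM b= value is a placeholder rather than a real signature, and the tenant and mailbox names are invented (paypal.com appears only because the thread names it).

```python
"""Added example: read the headers of a forwarded "real" PayPal mail and
list what does not line up. Constructed message; no signature is verified.
"""
import re
from email import message_from_string
from email.utils import getaddresses

RAW = """\
Delivered-To: victim@customer.invalid
Authentication-Results: mx.customer.invalid;
 dkim=pass header.d=paypal.com header.i=@paypal.com;
 spf=softfail smtp.mailfrom=service@paypal.com
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed;
 h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type; bh=PLACEHOLDER=;
 b=PLACEHOLDER=
From: "service@paypal.com" <service@paypal.com>
To: "Order Received" <order-received@contoso-tenant.onmicrosoft.com>
Subject: Reminder: You've still got a money request
Date: Tue, 01 Oct 2024 10:00:00 +0000
Message-ID: <constructed@paypal.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Money request from "Call 1-800-000-0000 immediately to cancel unauthorized charge"
"""

PHONE_RE = re.compile(r"\b1-\d{3}-\d{3}-\d{4}\b")


def dkim_tags(msg) -> dict:
    """tag=value pairs of the DKIM-Signature header (folding removed)."""
    sig = msg.get("DKIM-Signature", "").replace("\n", "")
    return {k.strip(): v.strip()
            for k, v in (t.split("=", 1) for t in sig.split(";") if "=" in t)}


def auth_results(msg) -> dict:
    """method -> result pairs from Authentication-Results (dkim, spf, ...)."""
    text = " ".join(msg.get_all("Authentication-Results", [])).replace("\n", " ")
    out = {}
    for clause in text.split(";")[1:]:      # first clause is the authserv-id
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            out[method] = result
    return out


def analyze(raw: str, envelope_rcpt: str) -> dict:
    """Compare the signed headers against the envelope we actually received."""
    msg = message_from_string(raw)
    tags = dkim_tags(msg)
    signed = {h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()}
    auth = auth_results(msg)
    rcpt_pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    header_rcpts = sorted({addr.lower() for _, addr in rcpt_pairs})
    from_addr = getaddresses(msg.get_all("From", []))[0][1]
    body = msg.get_payload()

    indicators = []
    # Envelope recipient not in the signed To:/Cc: means an intermediary
    # re-addressed an intact, still-valid signed message.
    if auth.get("dkim") == "pass" and "to" in signed \
            and envelope_rcpt.lower() not in header_rcpts:
        indicators.append("delivered to an address absent from the signed To:/Cc: "
                          "(re-addressed after signing)")
    # SPF is judged on the last hop, so a forwarder shows up as non-pass.
    if auth.get("spf") != "pass":
        indicators.append(f"SPF {auth.get('spf', 'none')} for "
                          f"{from_addr.split('@')[-1]}: last hop is not the sender")
    # Attacker-controlled text (store name, recipient name) is what PayPal
    # templates into the mail; a phone number there is the lure.
    if PHONE_RE.search(body):
        indicators.append("phone number inside templated, untrusted text")

    return {
        "dkim_domain": tags.get("d", ""),
        "dkim_signs_to": "to" in signed,
        "to_addresses": header_rcpts,
        "to_display_names": sorted(n for n, _ in rcpt_pairs if n),
        "envelope_rcpt": envelope_rcpt,
        "auth": auth,
        "indicators": indicators,
    }


if __name__ == "__main__":
    report = analyze(RAW, "victim@customer.invalid")
    for k, v in report.items():
        print(f"{k}: {v}")
```

Run against the same message with the envelope recipient set to the alias itself, only the SPF and phone-number indicators remain, which is the difference between the attacker's copy and the victim's copy of an otherwise identical, validly signed mail.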
At the same time they suspended my GitHub account which I had for more than a decade, maintained multiple big open source projects, and contributed in hundreds. Didn't even bother to provide any reason or reply to any of my requests. Worst experience of any IT service I had. I would never recommend using GitHub to anyone, and started donations to Codeberg and Forgejo.
These have got to be AI generated. The ones that mention details from the post are borderline comical:
> Sounds like deleting a VM in Azure is as tedious as trying to manage resources in a complex role-playing game—one wrong step, and you’re stuck dealing with frustrating dependencies! If you’re tired of that kind of hassle, maybe it’s time to switch things up with Download SpinRP. Instead of deleting VMs in the right order, you can dive into an immersive world where strategy and excitement go hand in hand. Why deal with a “big fat pink error” when you could be making big moves in SpinRP instead?
<acknowlege and describe post you're replying to, use at least one "—">
<shill>
<shill + acknowledge>
How hard could it be to add "add a few grammatical and spelling mistakes. Use no emojis. Reply like someone on instagram" or something to the system prompt? I shouldn't give them ideas, but come on, that's low hanging fruit.
yeah, that was my suspicion as well, seems that AI generated content is mixed with SEO spam or malware. I even tried to report feedback.azure.com as a deceptive site to the major browsers, but they don't share my concerns ;)
There used to be some sort of forum they had, I don't remember what it was, MSDN forums or Technet or something, but it used to dominate search results, and all the answers were from like, senior hobbyists who couldn't suggest much more than restarting or suggesting checking for updates. Maybe that was before every search result was Reddit or SO though.
That's MSDN, and these "senior hobbyists" were given a badge by MS to look credible: "MVP" (most valuable professional).
Cherry on top: you used to pay to have an MSDN membership and access this wonderful community.
To be fair though, the early MSDN was really good, and in a distant past MVP was a real achievement (say early 2000s). Now it's a weird mix real issues and "my printer blinks red, how to fix?"
I don't think anyone reads MSDN at Microsoft anymore, it's a deadland, but I guess they generate some metrics of user engagement and product feedback from there.
I wasn't even talking about people who paid for a cert, just people signing up to try and help. They are generally more annoying than helpful to people who can do anything more than install and uninstall programs. Without a doubt every search result I found on that forum from someone having a similar issue never resulted in a useful lead.
> Without a doubt every search result I found on that forum from someone having a similar issue never resulted in a useful lead.
This was subsumed into answers.microsoft.com and it's turned into a few of those original "good with computers" retirees spending all day answering from within their own knowledge, now overwhelmed by countless individuals with names or flavors of English suggesting emerging economic zones "answering" everything with copy paste non-responsive responses.
If the asker persists through enough (5 - 8?) turns until the copy paster grasps that they don't understand the problem, then it turns into (paraphrasing) "no clue, I'm not real but was just trying to help, try Microsoft support".
This is so consistent, I wonder what is driving it. They seem to try to look official, but eventually say they are not actually Microsoft, and punt. What is this accomplishing? Why are they spending all this time? Is it some kind of training exercise or on-ramp to support jobs? Inquiring minds want to know!
> This is so consistent, I wonder what is driving it.
Microsoft has a cert called "Most Valuable Professional" that gives out a ton of free stuff (free MSDN subscription, free admission to a conference that gives away hardware, etc). It also probably looks good on your resume to hiring managers who don't know any better. Renewing the cert involves doing "community work", and the easiest way to do community work is to post a lot on Microsoft's forums. Microsoft doesn't care about the quality of the posts, or whether they solve the problem, solely about the number. This is why whenever you look up a Windows issue and go to Microsoft's forums, you always see people posting the same copy-pasted "Hi, I'm a Microsoft community expert who has been providing independent Windows advice for the past 10 years. blah blah blah Have you tried running sfc /scannow?" response to every single problem.
> This was subsumed into answers.microsoft.com and it's turned into a few of those original "good with computers" retirees spending all day answering from within their own knowledge,
Ah yeah, this is exactly what I was referring to!
> If the asker persists through enough (5 - 8?) turns until the copy paster grasps that they don't understand the problem, then it turns into (paraphrasing) "no clue, I'm not real but was just trying to help, try Microsoft support".
Yes! And if you are doing anything even slightly out of their grasp that requires doing something 'different', they assume you are doing something wrong or messing with stuff you shouldn't be, e.g. "You shouldn't be touching the registry" - ugh.
> This is so consistent, I wonder what is driving it. They seem to try to look official, but eventually say they are not actually Microsoft, and punt. What is this accomplishing? Why are they spending all this time? Is it some kind of training exercise or on-ramp to support jobs? Inquiring minds want to know!
I think it really is just older people who 'like' computers but never learned that much about them. They found a zone where they can mostly be helpful to people who know a little less than them, which is fine, but they don't understand maybe they should not try and solve every problem.
Amazon has an ask a question feature and it will email a lot of people who previously bought the product, not sure how it works. Anyway, I saw tons of responses from elderly people with nonsense answers like “I don’t know the answers please don’t email me”. People felt compelled to respond, now I see why Nigerian prince scams are so successful.
There was a story recently that Reese Witherspoon was on a jury, and the other members of the jury genuinely thought she was a lawyer because of Legally Blonde.
That kind of ridiculousness is way more common than you think. These people shouldn't be allowed to vote let alone try to assist in solving even remotely complex IT problems.
Also see Yahoo Answers, who got the gamification completely wrong (Stack Overflow later got it right). Users would answer "I don't know" to every question they saw, just to get a point for answering.
If only they had some kind of partnership with one of the big AI companies they might be able to leverage it to make their products, sorry, services better.
"We only sell the shovels, we don't use them, we don't think we have any holes needing dug."
I think I prefer spam to AI moderating the internet, to be honest (although I have little doubt that this feeling isn’t shared by big tech and almost all moderation is going to be done by AI)