How is this scam accomplished?

This appears to be a legit email from Micro$oft, but it’s clearly a scam as well. How on earth does M$ allow this to happen?

I’m not sure what the question is.

The return address in e-mail headers is infinitely forgeable. So you can’t trust anything it says. I’m actually surprised that most scammers don’t forge the legitimate return addresses in their headers.

If you look at the full set of message headers, especially the chain of Received: headers, you’ll probably see that the message didn’t originate from a Microsoft server, or if it did, not from the one used for accounting notifications.

As for how Microsoft allows it, if the message didn’t come from their server, they really can’t do much, although I’m sure they’d love to prosecute the people responsible, if that would be possible.

3 Likes

The email addresses are ‘onmicrosoft’, not microsoft - that’s how; they can’t police every domain, I guess.
I see the same kind of thing for many domains.
And haven’t we grown out of the ‘$’???

2 Likes

Oops. I missed that as well.

But it doesn’t matter. Even if the address is 100% correct, it is not proof that the message came through a Microsoft server or originated from a Microsoft account.

2 Likes

I got one as well and based on “googling” so did others!

David Tuma

FWIW, onmicrosoft.com is a Microsoft domain name. It’s what Microsoft assigns to organizations that license Office 365. It has an organization name in front, like organization.onmicrosoft.com.

So in this particular case the organization is using notificationm365. It should be easy, in fact, for Microsoft to suspend their license.

2 Likes

@Doug is right, it is a MS domain, but no licence is required; you can get any number of free trials to get an account like “notificationm365”. MS can still shut down such accounts.

Why is the unit price 360 and the line total 395.10??
Why use both the $-sign and USD to denote the currency?
Also, wouldn’t you know that you ordered from MS today?

Again, you assume that just because the mail has a Microsoft domain name in the message header that it must have been processed by a Microsoft server.

Without seeing the rest of the headers, there is no way to know if that assumption is true or not.

3 Likes

This is similar to scam PayPal emails which make it sound like you’ve ordered something and it says they’re going to charge your card but it’s a scam and the emails do look legit enough.

1 Like

David, do you want me to paste in the headers? It’s a lot. Or tell me what line to look for? I’ve looked them over, and don’t see anything but microsoft.com and outlook.com.

Thanks for all the replies. I’m aware that email addresses can be spoofed, but I guess it makes me wonder why companies like MS and others don’t do more to keep it from happening. It certainly doesn’t put them in a good light.

1 Like

Sorry, I couldn’t resist. I don’t usually write it that way, but in this case, it somehow seemed appropriate. Apologies. :blush:

Scams and phishing attempts can be reported to Microsoft here:
https://www.microsoft.com/en-us/concern/scam

1 Like

If you want us to help investigate, they’ll be required. The important ones are the ones that begin with Received:. Each mail server that the message passes through prepends one of these, so you can see where the message actually went - and it didn’t necessarily start from a Microsoft server.

The problem is that if I send mail with a Microsoft return address, but that message never passes through any Microsoft servers (e.g. I hacked some random server on the Internet and sent the spam through it), there’s not a whole lot Microsoft can do.

If they can conclusively identify where the mail came from, they might be able to contact the server’s administration or its ISP’s administration to get the offending account (or server) shut down, but they are going to be extremely cautious, because it would be far worse if they accidentally got an innocent bystander shut down.

And even if they get one account/server shut down, the scammers can just send the next batch through a different hacked server.

Ultimately, the only way to stop it is to work with law enforcement to hopefully identify the actual sender so he can be arrested and prosecuted. Which is extremely difficult, especially if the sender is operating in another country. These things do happen, but it takes a long time.

2 Likes
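The header walk described in the two posts above (the chain of Received: lines versus the forgeable From: address), as an added example that is not part of the original thread. It parses a constructed sample message with Python's standard email module and reports whether any relay in the chain belongs to the domain the From: header claims; the hostnames and addresses in the sample are documentation placeholders, not real ones.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (documentation hostnames and addresses, not a real message):
# the From: header claims microsoft.com, but the Received: chain shows the message
# was handed to the recipient's MX straight from an unrelated hosting box.
RAW_MESSAGE = """\
Received: from vps-418.hosting-example.org (unknown [198.51.100.23])
        by mx.example.net with ESMTPS id 4Qx9Tz1p
        for <victim@example.net>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [10.0.0.5] (localhost [127.0.0.1])
        by vps-418.hosting-example.org with ESMTPA id 7Fb2Kq;
        Mon, 1 Jan 2024 10:00:01 +0000
From: Microsoft Billing <billing@microsoft.com>
To: victim@example.net
Subject: Your invoice

Thank you for your order.
"""

# Each relay writes "from <host it got the mail from> ... by <itself>" into its line.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)

def received_chain(raw):
    """Return the hops as (from_host, by_host) tuples, oldest first.
    Relays prepend their Received: line, so header order is newest-first and is
    reversed here. Only lines added by servers you trust (your own MX and above)
    are reliable; anything below them could have been written by the sender."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value)  # unfold continuation lines
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1).strip(";,"), m.group(2).strip(";,")))
    return list(reversed(hops))

def sender_domain(raw):
    """Domain of the (forgeable) From: address."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()

def transited_domain(hops, domain):
    """True if any host named in the chain is `domain` or one of its subdomains."""
    domain = domain.lower()
    return any(h.lower() == domain or h.lower().endswith("." + domain)
               for hop in hops for h in hop)
```

For the sample, `transited_domain(received_chain(RAW_MESSAGE), sender_domain(RAW_MESSAGE))` is False: no microsoft.com relay appears anywhere in the path, which is exactly the situation the posts describe.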

Thanks, but I’m not going to bother with the headers. Seems like more trouble than it’s worth, for all of us.

Discouraging that spam has gotten so sophisticated, but I suppose it’s not surprising either.

Thanks again all!

If someone sent you a physical letter with a fake bill and a Microsoft return address on it would you be wondering why MS didn’t stop them?

Another tool for revealing sources of spam and for reporting spam (note that some major companies don’t accept the reports, unfortunately) that I’ve used for years can be accessed here:

2 Likes

My day job is in cybersecurity at a major US university. Our users (faculty, staff, students and alumni) get LITERALLY thousands of these fake invoice scams EVERY day. Many purport to come from Google, Microsoft, Apple, or Best Buy, McAfee, or Symantec.

The template to create these is readily available in any number of dark web online storefronts. Even with the resources of a Microsoft, there is no way they can keep up with such scamming.

3 Likes

For a while a large percentage of my spam came from spammers using “onmicrosoft.com”. It was the same spammers, over and over. Reporting to Microsoft didn’t seem to have any effect.

I didn’t realize you can sign up for free accounts.

I would need to see the raw headers on this email to determine if it’s legit or not. The email domains appear legit, as others have noted; .onmicrosoft.com is legit, meaning that notificationm365.onmicrosoft.com points to a real 365 tenant, which is a Microsoft 365 customer.

So, provided the email isn’t spoofed and really did come from notificationm365.onmicrosoft.com, and notificationm365 is legit, then that means someone hacked the tenant or the tenant is a cyber criminal organization.

Microsoft works extremely hard to protect the backplane of Azure. It’s under constant assault that never ceases. But if their customers, whom they consider to be tenants in the Azure cloud, get hacked, there’s not much Microsoft can do except let them know and perhaps help them recover. If it becomes a larger problem, then Microsoft will suspend the notificationm365 tenant.

Best to report this to Microsoft.