Microsoft OTP Phishing Attack: How Threat Actors Abuse Trusted Alerts

PhishFort Team
4 min read

Key Takeaways

  • Legitimate infrastructure can still deliver malicious content
  • SPF, DKIM, and DMARC are no longer sufficient on their own
  • Trusted cloud notification systems are increasingly abused for phishing
  • OTP and MFA alerts should not automatically be considered safe
  • User awareness remains critical against infrastructure-level phishing campaigns

The most dangerous security threats are often those that weaponize an organization’s own trusted infrastructure against it.

Recently, threat actors have found a highly effective way to exploit automated notification architecture. By abusing legitimate internal Microsoft notification systems, without breaching Microsoft itself, attackers are successfully delivering phishing content, spam links, and malicious payloads directly into user inboxes.

Because these emails originate from authentic, highly trusted Microsoft infrastructure, they seamlessly bypass traditional email security controls such as SPF, DKIM, and DMARC.


This emerging Microsoft OTP phishing attack demonstrates a growing industry problem: attackers no longer need to compromise infrastructure when they can simply manipulate trusted systems into delivering malicious content on their behalf.

Microsoft OTP Phishing Attack: Spoofing via Customization

The campaign, highlighted by Spamhaus, involves fraudulent phishing messages disguised as legitimate account verification or multi-factor authentication (MFA) alerts.

The emails originate from an authentic Microsoft service address:

msonlineservicesteam@microsoftonline.com

This is a legitimate internal account used for business-critical alerts and account verification workflows. Instead of exploiting a traditional vulnerability, threat actors are abusing automated notification logic itself. According to research shared by Spamhaus:

At this point, it appears the attacker may have simply set the malicious text as either the account name or the organization name… the activity we’re seeing appears to stretch back several months. Takeaway: automated notification systems should not allow this level of customization.

By injecting phishing links or malicious text into customizable account fields, such as organization names or display names during tenant provisioning, attackers can manipulate Microsoft’s automated notification templates to carry malicious content. The result is a fully legitimate Microsoft-generated email containing attacker-controlled phishing messaging.

Importantly, no Microsoft breach or compromise is required. The attackers are simply exploiting the platform’s trusted delivery mechanisms.


Forcing Microsoft to Deliver the Payload

To weaponize this trust chain, threat actors abuse legitimate Microsoft account workflows to trigger OTP verification emails toward victims.

Here is how the attack unfolds:

Step 1: Tenant and User Creation

The attacker creates a malicious Microsoft tenant under their control and provisions multiple user accounts inside it.

Example:

example@example2.onmicrosoft[.]com

Step 2: Accessing Security Controls

The attacker logs into the account and navigates to the Microsoft Security Info portal:

mysignins.microsoft[.]com/security-info

Step 3: Adding an Alternate Verification Method

Inside the portal, the attacker selects:

“Add sign-in method.”

They then choose to configure a recovery email address.

Step 4: Targeting the Victim

Instead of entering an address they own, the attacker inputs the target victim’s email address. Microsoft’s infrastructure immediately generates and sends a legitimate OTP verification email to the victim. Because the platform trusts the attacker-controlled tenant customization fields, the malicious content becomes embedded directly into Microsoft’s own notification template. The phishing email is then delivered from Microsoft’s authenticated infrastructure itself.

Why Traditional Email Security Fails Against Microsoft OTP Phishing

This technique breaks many of the assumptions modern email security relies on.

  • Perfect SPF alignment: the emails genuinely originate from Microsoft infrastructure, so SPF checks pass cleanly.
  • Valid DMARC authentication: because the sending servers align correctly with the Microsoft-owned domains, DMARC validation succeeds without issue.
  • Trusted domain reputation: Secure Email Gateways (SEGs) often heavily trust core Microsoft administrative domains like microsoftonline.com. As a result, many security filters reduce inspection or bypass advanced filtering logic entirely for these messages.

Employees are trained to trust Microsoft verification alerts, MFA prompts, and OTP notifications as part of their normal workflow, and attackers exploit this operational trust at scale.

How to Detect Microsoft OTP Phishing Emails

Security teams should begin treating unexpected OTP notifications and MFA verification emails as potential phishing indicators, even when they originate from legitimate Microsoft infrastructure.

Common warning signs include:

  • OTP verification emails you never requested
  • Recovery email confirmations you did not initiate
  • Suspicious organization or tenant names
  • Embedded urgency or phishing language
  • Unexpected links inside account verification workflows
  • Strange or newly created Microsoft tenant branding

Organizations should also monitor for repeated OTP delivery attempts targeting employees across multiple departments, as these campaigns often scale rapidly once attackers identify responsive users.
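The checks above can be turned into content-level triage that deliberately ignores a passing SPF/DKIM/DMARC result. The following Python helper is an added example, not PhishFort's tooling or Microsoft's own logic: it parses a constructed sample of a notifier-generated OTP email whose organization-name field carries injected text (placeholder domain phish.example), flags third-party links and urgency language, and counts how many departments have received notifier OTP mail. The first-party host list and the department threshold are assumptions.

```python
import re
from email import message_from_string

MS_NOTIFIER = "msonlineservicesteam@microsoftonline.com"
MS_HOSTS = ("microsoft.com", "microsoftonline.com", "live.com")  # assumption: first-party link hosts
OTP_MARKERS = ("verification code", "enter this code", "security code", "sign-in method")
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://([\w.-]+)", re.I)  # hxxp:// also matches defanged samples
URGENCY_RE = re.compile(r"\b(urgent|immediately|suspended|act now|verify now)\b", re.I)

# Constructed sample (not a real message): notifier OTP whose org-name field carries a placeholder URL.
SAMPLE_EMAIL = """\
From: Microsoft account team <msonlineservicesteam@microsoftonline.com>
To: alice@victim.example
Subject: Verify your email address
Authentication-Results: spf=pass; dkim=pass; dmarc=pass action=none

Example Corp - URGENT verify now at hxxp://phish.example/verify added you as a contact.
To finish adding this email as a sign-in method, enter this code: 123456
"""

def auth_passes(msg):
    """True when SPF, DKIM and DMARC all report pass: expected here, not a reason to trust the mail."""
    ar = msg.get("Authentication-Results", "").lower()
    return all(f"{m}=pass" in ar for m in ("spf", "dkim", "dmarc"))

def foreign_urls(body):
    # Hosts of links in the body that are not first-party Microsoft domains
    hosts = URL_RE.findall(body)
    return [h for h in hosts if not any(h.lower() == d or h.lower().endswith("." + d) for d in MS_HOSTS)]

def assess_otp_mail(raw):
    """Content-level triage for a Microsoft-originated OTP/verification email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    f = {
        "microsoft_notifier": MS_NOTIFIER in msg.get("From", "").lower(),
        "auth_pass": auth_passes(msg),
        "otp_workflow": any(m in body.lower() for m in OTP_MARKERS),
        "foreign_urls": foreign_urls(body),
        "urgency_language": bool(URGENCY_RE.search(body)),
    }
    # A genuine notifier OTP needs no third-party link or urgency text: either one flags the mail
    f["suspicious"] = f["microsoft_notifier"] and f["otp_workflow"] and bool(f["foreign_urls"] or f["urgency_language"])
    return f

def otp_spread(events, threshold=3):
    """Campaign-scale check over (sender, department) records: (departments hit, alert flag)."""
    depts = {dept for sender, dept in events if sender == MS_NOTIFIER}
    return len(depts), len(depts) >= threshold
```

Feed `assess_otp_mail` the raw message from your SEG or abuse mailbox and `otp_spread` the (sender, department) pairs from mail logs; the department threshold should be tuned to the organization's normal rate of recovery-email enrolments.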

The Broader Security Problem

This campaign highlights a growing challenge in cloud security architecture: modern phishing operations increasingly abuse legitimate infrastructure instead of relying exclusively on malicious infrastructure.

When cloud providers allow unvalidated user-controlled data to propagate into trusted notification systems, attackers gain access to some of the most effective phishing delivery channels available: legitimate enterprise communication platforms.

This creates dangerous blind spots for security operations teams because the emails are technically authentic.

As part of our commitment to proactive threat defense, we continuously monitor these infrastructure-level phishing evolutions alongside threat intelligence organizations like Spamhaus to ensure our detection engineering remains ahead of emerging bypass techniques.

Conclusions

The era of obvious phishing emails is fading. Today’s most effective attacks abuse legitimate cloud infrastructure, trusted notification systems, and authentic administrative workflows to bypass traditional defenses entirely.

Organizations can no longer rely exclusively on SPF, DKIM, and DMARC to stop modern phishing campaigns.

As attackers increasingly weaponize trusted infrastructure and legitimate notification systems, organizations need faster ways to identify, triage, and respond to malicious email abuse at scale.

Learn how PhishFort Abuse Mailbox Protection helps security teams streamline phishing intake, automate abuse workflows, and accelerate incident response.
