It seems that Microsoft is (perhaps inadvertently) employing dirty tactics to entice users like myself. Without having a Microsoft account, I am regularly receiving verification codes to log in. I’d usually dismiss these messages, but they come from official Microsoft.com domains. What’s more, I’m receiving hundreds of them. These messages may lead me to believe that someone else has created an account using my email address or that there’s a potential security risk associated with my email address.
By creating this sense of urgency and fear, Microsoft could be encouraging users like myself to create accounts out of concern for our own safety and the integrity of our personal data. This tactic plays on our natural desire for self-preservation and can lead us to take actions that may not have been initially intended.
However, it’s essential to note that this entire post is based on two facts:
- I’ve received hundreds of messages from official Microsoft domains claiming to have my verification codes.
- I don’t have a Microsoft account with that email address.
Is this a tactic that a middle manager can use to claim they brought in more users? Is this just another example of the awful tactics that Microsoft uses? Or is this post in the wrong community and it’s more of a bug that they should fix?
If someone gained access to your email there’s little chance they would use it for that purpose considering it’s far easier to just create email bot accounts. Scammers rarely leave you access to your account if they’re using it for SMTP. If the scammer is using your payment info, they’d be far safer from detection by using a different email address.
It might be this is a clever spearfishing campaign, or it could be someone confused/mistyped their address (frequently happens with TLDs). Also see this a lot with more newly created accounts, where the previous owner lost/gave up the email address, then either the old owner or attacker attempt to access an account protected by 2fa.
Did you check the DKIM signature?
Thanks for your reply. It’s down to earth, compared to my speculation 😅 . I checked the DKIM signature (as well as the rest of the header) and it appears to be a genuine Microsoft message. Now, as to the old account theory, it might not be true, because I tried logging into Microsoft and was told there was no account associated with my email address. I suppose this also reduces the probability of the confused/mistyped address, since that person would’ve gotten the same ‘No account associated with this email address’ message.
That is why I lean toward the spearfishing campaign. Of course, I could be missing something and I just haven’t noticed…
I did a little poking around on this and found a lot of people are experiencing similar issues with being spammed with unrequested microsoft login codes. Some of them do not have a microsoft account, either.
Saw these on reddit
In the cases where people are receiving hundreds of these emails, it looks like it’s probably a botnet campaign to steal ms accounts. The attacker script might, intentionally or unintentionally, attempt to create an account associated with that email address if one does not exist. Which would be mostly pointless if that were the case (but I can imagine a fairly complex and specific way that could result in a compromised ms account). You could test that theory and see if it sends you the same email. Depending on the volume and frequency, I might not fully rule out someone forgetting what their own email address, either.
If you don’t have, and never plan to have, a microsoft account (big ups) I think you can just mark this crap as junk and safely ignore it.