It seems that Microsoft is (perhaps inadvertently) employing dirty tactics to entice users like myself. Without having a Microsoft account, I am regularly receiving verification codes to log in. I’d usually dismiss these messages, but they come from official Microsoft.com domains. What’s more, I’m receiving hundreds of them. These messages may lead me to believe that someone else has created an account using my email address or that there’s a potential security risk associated with my email address.

By creating this sense of urgency and fear, Microsoft could be encouraging users like myself to create accounts out of concern for our own safety and the integrity of our personal data. This tactic plays on our natural desire for self-preservation and can lead us to take actions that may not have been initially intended.

However, it’s essential to note that this entire post is based on two facts:

  1. I’ve received hundreds of messages from official Microsoft domains claiming to have my verification codes.
  2. I don’t have a Microsoft account with that email address.

Is this a tactic that a middle manager can use to claim they brought in more users? Is this just another example of the awful tactics that Microsoft uses? Or is this post in the wrong community and it’s more of a bug that they should fix?

    • snek_boi (OP) · 6 months ago

      I agree that avoiding Microsoft is a good measure. However, my fear was that someone had successfully hacked my email or had somehow set up a Microsoft account ‘on my behalf’. If someone opened a Microsoft account with my email and impersonated me, I wouldn’t be able to safely ignore the emails 🥲 But I get and agree with the broader point that we should stay away from Microsoft!

      • USSR Enjoyer@lemmygrad.ml · 6 months ago

        If someone gained access to your email there’s little chance they would use it for that purpose considering it’s far easier to just create email bot accounts. Scammers rarely leave you access to your account if they’re using it for SMTP. If the scammer is using your payment info, they’d be far safer from detection by using a different email address.

        It might be that this is a clever spear-phishing campaign, or it could be someone confused/mistyped their address (frequently happens with TLDs). Also see this a lot with more newly created accounts, where the previous owner lost/gave up the email address, then either the old owner or an attacker attempts to access an account protected by 2FA.

        Did you check the DKIM signature?

        • snek_boi (OP) · 6 months ago

          Thanks for your reply. It’s down to earth, compared to my speculation 😅. I checked the DKIM signature (as well as the rest of the header) and it appears to be a genuine Microsoft message. Now, as to the old account theory, it might not be true, because I tried logging into Microsoft and was told there was no account associated with my email address. I suppose this also reduces the probability of the confused/mistyped address, since that person would’ve gotten the same ‘No account associated with this email address’ message.

          That is why I lean toward the spear-phishing campaign. Of course, I could be missing something and I just haven’t noticed…
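
An added example (not part of the thread): one way to repeat the header check discussed above on a saved message, offline, reading only the `Authentication-Results` header stamped by your own mail provider. The sample message, the host name `mx.example.net` and the function name `dkim_verdict` are constructed for illustration, and the alignment test is a simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real Microsoft message. "mx.example.net" stands in for
# the reader's own mail provider; the second header imitates one supplied by a sender.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=microsoft.com header.s=selector1;
 spf=pass smtp.mailfrom=microsoft.com;
 dmarc=pass header.from=microsoft.com
Authentication-Results: relay.untrusted.invalid; dkim=pass header.d=microsoft.com
From: Microsoft account team <no-reply@microsoft.com>
To: user@example.net
Subject: Your single-use code

Your single-use code is: 0000000
"""

DKIM_RE = re.compile(r"\bdkim=(\w+)[^;]*?\bheader\.d=([\w.-]+)", re.I)


def dkim_verdict(raw, trusted_authserv):
    """Return (aligned_pass, results) from headers stamped by trusted_authserv only."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for value in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(value.split())           # undo header folding
        authserv, _, rest = unfolded.partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != trusted_authserv.lower():
            continue                                  # anyone can add this header
        results += [(r.lower(), d.lower()) for r, d in DKIM_RE.findall(rest)]
    # Simplified alignment: From domain equals the signing domain or is below it.
    aligned = any(
        r == "pass" and (from_domain == d or from_domain.endswith("." + d))
        for r, d in results
    )
    return aligned, results


if __name__ == "__main__":
    print(dkim_verdict(SAMPLE, "mx.example.net"))
```

A pass only shows that the message left the signing domain's systems; it does not show who entered the address into the sign-in form.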

          • USSR Enjoyer@lemmygrad.ml · 6 months ago

            I did a little poking around on this and found a lot of people are experiencing similar issues with being spammed with unrequested Microsoft login codes. Some of them do not have a Microsoft account, either.

            Saw these on Reddit:

            I keep getting these codes and I literally don’t have an account for that email. When I try and log in it says “no account under this email”

            If you don’t already have an MS account (I have Google) and after you enter your email address, it sends and requests the code so that MS can open an account with them. It never requests a password in this case. I tested it myself. I believe it’s a brute force attack on our email addresses… even though with a 7 digit code there are 10 million possible combinations… It’s freaking me out regardless.

            In the cases where people are receiving hundreds of these emails, it looks like it’s probably a botnet campaign to steal MS accounts. The attacker script might, intentionally or unintentionally, attempt to create an account associated with that email address if one does not exist. Which would be mostly pointless if that were the case (but I can imagine a fairly complex and specific way that could result in a compromised MS account). You could test that theory and see if it sends you the same email. Depending on the volume and frequency, I might not fully rule out someone forgetting what their own email address is, either.

            If you don’t have, and never plan to have, a Microsoft account (big ups) I think you can just mark this crap as junk and safely ignore it.