A sophisticated phishing campaign has turned Microsoft's own purchase notifications into an unlikely attack vector, leaving Windows users worldwide exposed to credential theft and malware. Security researchers at Kaspersky have uncovered a hybrid email-and-phone scam in which genuine Microsoft emails are weaponized to trick recipients into calling attacker-controlled numbers. The campaign, detailed exclusively by Forbes, marks a significant escalation in callback phishing tactics—and it is now expanding rapidly beyond the Google Gmail attacks that preceded it.
Unlike traditional phishing, which relies on spoofed domains and poorly written messages, this scheme rides on Microsoft's legitimate email infrastructure. The emails originate from a genuine Microsoft no-reply address, pass all standard authentication checks (SPF, DKIM, and DMARC), and mirror the exact formatting of an authentic purchase confirmation. The only telltale modification: the contact phone number buried in the billing section has been swapped for one controlled by the attackers.
The Anatomy of a Trusted Trap
A typical wave of attacks begins when a recipient opens an email thanking them for buying 55 Microsoft 365 Apps for Business subscriptions, racking up a charge of $587.95. No such order appears in the user's actual account, but the shock of a huge, unauthorized expense creates immediate urgency. The message contains no links to Microsoft's official support portal—only the fraudulent phone number. "The victim is left with little choice but to call the phone number provided," Kaspersky notes.
This design is deliberate. By funneling panicked users toward a single point of contact, attackers control the entire support experience. When the target calls, a trained scammer masquerading as a Microsoft representative answers. The conversation quickly steers toward "investigating the charge" by installing remote-access software, which is in fact malware. Victims have reported being asked to log into online banking to facilitate a "refund," handing over credentials directly.
The Technical How: Hijacking Legitimate Infrastructure
Kaspersky's team and independent analysts are still piecing together the exact method, but the prevailing theory involves abuse of Microsoft 365 trial subscriptions. Attackers open trial accounts, initiate purchase transactions, and during the checkout process enter the victim's email address as the recipient. Microsoft's system then generates and sends a real transactional email—complete with the attacker-customized billing details. Only the billing block, which typically includes a support phone number, can be edited by the sender. That tiny sliver of user-controlled content is the entire attack surface.
Alternatively, compromised credentials may allow criminals to log into existing Microsoft 365 accounts and fire off purchases using the victim's email as the notification target. In either case, the result is the same: a pristine, genuine email that no reputation-based spam filter will block, because it really was sent by Microsoft's own servers.
A Pattern Cemented by the Earlier Abuse of Google's Receipts
This scam is not without precedent. In the months prior, Google's Gmail users faced near-identical attacks. Criminals manipulated Google's official purchase emails—also from a no-reply address—to insert callback numbers. Google publicly warned users that it never communicates account issues via such emails, but the Microsoft variant is arguably more dangerous. A purchase confirmation feels more urgent and plausible than a generic account notice, and the enterprise-grade Microsoft 365 branding inspires greater trust.
The root cause is shared: large platform vendors allow limited user-editable fields in transactional messages, and attackers exploit that gap to plant contact details. Both campaigns underscore a systemic vulnerability in how tech companies handle automated customer communication.
Why the Attack Bypasses Traditional Defenses
Standard security advice—scrutinize the sender, avoid clicking links, look for poor grammar—fails spectacularly here. The emails are real, sent by Microsoft, and professionally formatted. They pass every automated check. The psychological lever is fear: an unexpected charge that demands immediate resolution. With no alternative contact method offered, users are nudged into the attacker's funnel. For employees at small businesses and non-technical home users, the sense of isolation is acute, often leading them to comply without a second thought.
The technique is part of a broader callback phishing surge. Guardio reported a 137% spike in tech support scams during 2025, with many campaigns now blending email and phone vectors. Security firm Kaspersky has tracked a rise in remote-access trojans delivered through these cons, which can lead to ransomware deployment or full account takeover.
Countermeasures: What Windows Users Must Do Now
Security experts at Microsoft and at third-party research firms agree on the recommendations:
- Do not call any phone number found in an unsolicited purchase email, even if the email appears genuine.
- Verify transactions independently by logging into your Microsoft account dashboard via a browser, not through any link or prompt in the email.
- Contact Microsoft support only through official, publicly listed channels—navigate to the support page manually or use a known safe bookmark.
- Delete the email immediately if you cannot confirm the transaction and have no record of it in your account.
- For enterprise IT departments, reinforce training that emphasizes never using contact details from unsolicited billing messages. Deploy email security gateways that can inspect transactional patterns and flag anomalies, such as receipts addressed to accounts that rarely receive purchase notifications.
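The last bullet asks gateways to inspect transactional content rather than trust sender checks. The following is an added example of what such a rule looks like, written for this page and not code from Kaspersky, Forbes or Microsoft. It assumes a hypothetical vendor sending domain (vendor.example), a hypothetical allowlist of the vendor's published support numbers, and a constructed sample receipt; it shows why a message that passes SPF, DKIM and DMARC still has to be judged on the phone number it carries.

```python
"""Flag vendor receipts that pass SPF, DKIM and DMARC but carry an unexpected callback number.

Added example, not code from Kaspersky, Forbes or Microsoft. The vendor domain
(vendor.example), the allowlisted support line, the mailbox baseline and the
sample message are constructed assumptions for illustration.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# ASSUMPTION: the vendor's genuine support lines, copied by the mail team from
# the vendor's published support pages, never from a received message.
# Numbers are stored in the normalized '+<digits>' form produced by normalize_number.
VERIFIED_SUPPORT_NUMBERS = {"vendor.example": {"+18005550100"}}

# A digit followed by 9 to 14 more digits, each optionally preceded by common
# separators. Pure-digit order numbers of similar length would also match; a
# production rule would exclude known ID formats and dates.
PHONE_RE = re.compile(r"(?<!\d)\+?\d(?:[\s().-]*\d){9,14}(?!\d)")


def normalize_number(raw: str) -> str:
    """Reduce a formatted number to '+<digits>'; 10-digit numbers are assumed NANP."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def auth_results(msg: EmailMessage) -> dict:
    """Parse Authentication-Results headers into {'spf': 'pass', ...}; missing methods are 'none'."""
    out = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            out[m.group(1).lower()] = m.group(2).lower()
    return out


def classify_receipt(raw: bytes, baseline_receipts_per_month: int):
    """Return (verdict, reasons) for one message.

    The signature described in this article is a message that authenticates as
    the vendor yet contains a contact number the vendor does not publish: the
    header checks pass, so the decision has to be made on the content.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    auth = auth_results(msg)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""

    found = {normalize_number(m.group(0)) for m in PHONE_RE.finditer(body)}
    reasons = []
    known = VERIFIED_SUPPORT_NUMBERS.get(domain)
    if known is not None:
        unexpected = found - known
        if unexpected:
            reasons.append(f"unverified callback number(s) in vendor receipt: {sorted(unexpected)}")
    if reasons and all(v == "pass" for v in auth.values()):
        reasons.append("SPF, DKIM and DMARC all pass: sender checks alone would have delivered this")
    if found and "http" not in body.lower():
        reasons.append("no link to the vendor portal, only a phone number")
    if baseline_receipts_per_month == 0:
        reasons.append("recipient mailbox has no history of purchase receipts")

    verdict = "quarantine" if any(r.startswith("unverified") for r in reasons) else "deliver"
    return verdict, reasons


# Constructed sample: a receipt that authenticates as the vendor but whose billing
# block carries a number that is not on the vendor's verified list.
SAMPLE_EML = b"""From: Vendor Billing <noreply@vendor.example>
To: finance@corp.example
Subject: Thank you for your purchase
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example
Content-Type: text/plain; charset="utf-8"

Thank you for buying 55 Microsoft 365 Apps for Business subscriptions.
Order total: $587.95

Billing details
Questions about this charge? Call +1 888 555 0199
"""

if __name__ == "__main__":
    print(classify_receipt(SAMPLE_EML, baseline_receipts_per_month=0))
```

The allowlist is the part that matters: it must come from the vendor's public support pages, never from any received mail, and the rule quarantines on the number mismatch alone. The other reasons (authentication passing, no portal link, no receipt history for the mailbox) are recorded so an analyst sees why header-based controls were silent.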
Individuals should also enable multi-factor authentication and keep Windows and security software up to date to limit the impact of any malware that might slip through.
The Missing Piece: What Microsoft Needs to Fix
Pressure is mounting on Microsoft to fortify its billing email system. Security advocates are calling for stricter input validation on the phone numbers and contact details allowed in purchase confirmations—for example, requiring that numbers match verified support lines or that user-editable fields be stripped from transactional emails altogether. Embedding a clear warning, such as "Microsoft will never ask you to call a number in this email to resolve billing issues," directly within purchase receipts could short-circuit many attacks.
Enhanced anomaly detection is also requested. Microsoft's abuse team could flag sudden spikes in purchases from trial accounts or patterns where the recipient's email differs from the account holder's. Public transparency reports on abuse of official communication channels would help the community gauge the threat's scale and evolution.
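As an added illustration of the two platform-side fixes discussed above, and not Microsoft's billing code, the following sketch shows a receipt pipeline that strips phone numbers from purchaser-editable fields, pins the contact block to template text with a fixed support line and warning, and holds notifications for review when a trial tenant bursts purchases or sends a receipt to an address other than its own. The field names, the trial-purchase threshold, the support line and the events are all assumptions chosen for the example.

```python
"""Platform-side guardrails for transactional receipts: keep purchaser-editable
text out of the contact block and hold anomalous purchase notifications.

Added example, not Microsoft's billing code. The field names, the trial-purchase
threshold, the support line and the events below are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Loose phone pattern: 10 to 15 digits with optional separators between them.
PHONE_RE = re.compile(r"(?<!\d)\+?\d(?:[\s().-]*\d){9,14}(?!\d)")

# ASSUMPTION: the only support line a receipt may ever show, fixed in the template.
VERIFIED_SUPPORT_LINE = "+1 800 555 0100"
BANNER = "We will never ask you to call a number in this email to resolve billing issues."


@dataclass
class PurchaseEvent:
    purchaser_account: str          # account that initiated the checkout
    recipient_email: str            # address the receipt will be sent to
    tenant_type: str                # "trial" or "paid"
    timestamp: int                  # epoch seconds
    billing_fields: dict = field(default_factory=dict)  # text the purchaser may edit


def sanitize_billing_fields(fields: dict):
    """Remove phone-number-like sequences from purchaser-editable fields.

    Returns (cleaned_fields, names_of_fields_that_were_modified).
    """
    cleaned, flagged = {}, []
    for name, value in fields.items():
        if PHONE_RE.search(value):
            flagged.append(name)
            value = PHONE_RE.sub("[removed]", value)
        cleaned[name] = value
    return cleaned, flagged


class ReceiptGate:
    """Decide whether a receipt is sent or held, and what its contact block says."""

    def __init__(self, trial_limit: int = 3, window_seconds: int = 3600):
        self.trial_limit = trial_limit
        self.window = window_seconds
        self._trial_history = defaultdict(list)   # purchaser -> recent timestamps

    def evaluate(self, ev: PurchaseEvent) -> dict:
        reasons = []
        cleaned, flagged = sanitize_billing_fields(ev.billing_fields)
        if flagged:
            reasons.append(f"phone number stripped from user-editable field(s): {flagged}")

        mismatch = ev.recipient_email.lower() != ev.purchaser_account.lower()
        if mismatch:
            reasons.append("receipt addressed to someone other than the purchasing account")

        spike = False
        if ev.tenant_type == "trial":
            recent = [t for t in self._trial_history[ev.purchaser_account]
                      if ev.timestamp - t < self.window]
            recent.append(ev.timestamp)
            self._trial_history[ev.purchaser_account] = recent
            if len(recent) > self.trial_limit:
                spike = True
                reasons.append(f"{len(recent)} purchases from a trial tenant within {self.window}s")

        # Hold for abuse review on a trial spike, or when a planted number and a
        # third-party recipient coincide; otherwise send the sanitized receipt.
        action = "hold" if spike or (flagged and mismatch) else "send"
        return {
            "action": action,
            "reasons": reasons,
            "billing_fields": cleaned,
            # The contact block is template text only; nothing the purchaser typed reaches it.
            "contact_block": f"Support: {VERIFIED_SUPPORT_LINE}\n{BANNER}",
        }


if __name__ == "__main__":
    gate = ReceiptGate(trial_limit=2)
    # Constructed event modelled on the scheme described above: a trial tenant buys
    # on behalf of a stranger and plants a callback number in the company-name field.
    ev = PurchaseEvent("buyer@trial-tenant.example", "finance@corp.example", "trial", 1000,
                       {"company_name": "Billing desk, call +1 888 555 0199 now"})
    print(gate.evaluate(ev))
```

The design point is that the contact block never takes input from the purchaser at all; stripping numbers from the editable fields is a second layer for the case where a template still renders them somewhere else, and the hold decision gives the abuse team the recipient-mismatch and trial-burst signals the article asks for.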
In a statement to Forbes, Microsoft acknowledged the issue and reiterated its commitment to user safety. The company urges customers to report suspicious emails via the Microsoft Security Intelligence portal and to practice general vigilance. However, as the attacks continue to evolve, the gap between defensive measures and criminal innovation remains a concern.
A New Era of Phishing: Trust as the Weakest Link
The campaign represents a watershed moment in social engineering. For decades, users were trained to trust emails from known senders. Now, that trust is being weaponized. The infrastructure that companies built for seamless customer communication—automated receipts, billing alerts, welcome messages—has become a delivery mechanism for fraud.
Experts emphasize that no amount of technical filtering can fully eliminate such threats as long as genuine mail systems can be abused. The most effective defense remains a skeptical human: pause, verify through alternative channels, and never act on panic. Organizations must update their threat models to account for the fact that an email's apparent authenticity is no longer a reliable indicator of safety.
The arms race between defenders and attackers has entered a new phase. As callback phishing continues to climb, the responsibility shifts not only to users but to platform providers. Stricter design of transactional emails, real-time alerting, and rapid response to abuse reports will be critical. In the meantime, for every Windows user staring at an alarming purchase receipt they never made, the safest reaction is the simplest one: delete it, and move on.