Rendered at 08:46:21 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
weinzierl 6 hours ago [-]
Who even can be sure microsoftonline.com is legit. Microsoft's domain story is such a mess, I wouldn't be surprised if not even internally they have one complete list of all the domain assets they own.
But they are not alone. It is kind of ironic when companies insist that we check the domain to spot spam but are unable publish a list with all domains they officially use to send mail.
Abishek_Muthian 4 hours ago [-]
Tangent: I used to receive at least a dozen bank scam calls per day in India, especially during insurance renewal. I wanted the banks to publish official phone numbers and mandate their employees to use only official numbers.
Recently the regulatory bodies did just that and so the banks should only use 1600 numbers to contact their customers. My bank scam calls have dropped to 0.
hunter2_ 3 hours ago [-]
Knowing what numbers are real through an official publication is very good, but it only allows you to place trust in calls you make, not calls you receive, because making calls doesn't involve caller ID, receiving calls does, and caller ID is spoofable.
4ndrewl 2 hours ago [-]
That's the number one rule though. If someone calls you claiming to be your bank, just say "I'll call you back"
smcin 1 hours ago [-]
Ask them their name/ last initial, employee ID or unique identifier for the conversation, direct phone number, job title and what location they're based at. Scammers will pretty much always refuse/argue/hang up on this (once I had one start insulting my mother in Hindi when I asked him this). Then call your bank's proper number and verify all of these details.
(But in any case your bank will never call outwards to you, unless you've specifically requested that, which you almost never do.)
DamonHD 53 minutes ago [-]
Unfortunately my UK banks (and others) DO regularly make calls to me unannounced and demand my ID to 'prove who I am'. They are not scam calls and the callers cannot understand what they are doing wrong. If I'd had more strength in the last round of this stupidity I'd have done a number on them with the regulator. (I used to work in finance and was the director of a regulated financial entity, so I think I'd have a head start.)
Cider9986 44 minutes ago [-]
Yeah and people call crypto a scam.
It mostly is, but Monero is pretty good.
cuteboy19 44 minutes ago [-]
it is time we have a good industry standard for this stuff
lostlogin 27 minutes ago [-]
I dream of a time I don’t have a bank, or not in any traditional sense.
I’d been hunting for ways to use a Wisecard standoff a bank but got a bit wary of what would happen if they went bust. Government backed guarantee do not exist for Wise.
bdavbdav 2 hours ago [-]
That would take nothing to implement. Services like Truecaller already do live caller ID against databases on iOS / Android. All it would take is a sensible register of verified numbers
Abishek_Muthian 2 hours ago [-]
Several of the bank scammers had their profile verified as the bank in the Truecaller[1].
Microsoft is the 4th largest company in the world.
There should be a long list of companies whose policies are worse than theirs.
vasco 4 hours ago [-]
Sending your id to a social media IS a scam.
hvb2 32 minutes ago [-]
By email... Just to add insult to injury
fragmede 58 minutes ago [-]
What definition of the word scam are you using here? What promise of a product that you pay for that isn't being delivered, with uploading your id to a site on the Internet?
vasco 13 minutes ago [-]
I'm not gonna get hoodwinked into highbrow shenanigans. Social media doesn't need IDs to work, demanding it is a scam.
jquery 5 hours ago [-]
At least Bluesky has an excuse of not being a Fortune 50 company. What’s Microsoft’s excuse?
lostlogin 25 minutes ago [-]
‘We built it 30 years ago, it’s sort of compatible with everything and we will never deprecate.’
It’s not a good excuse…
WarOnPrivacy 3 hours ago [-]
> Who even can be sure microsoftonline.com is legit.
Yeah. I queried the 1st thing that came to mind and internalmicrosoft.com and microsoftinternal.com are available. With that much potential out there, I'd want to keep my official domain group tight.
ntoskrnl_exe 33 minutes ago [-]
I got used to that one, but the other day I was checking Outlook in the web browser and I ended up on outlook.cloud.microsoft, I couldn't believe my eyes.
inetknght 5 hours ago [-]
> unable publish a list with all domains they officially use to send mail
That's because people report them as spam, so they hop domains to avoid that.
hnlmorg 37 minutes ago [-]
For a company with as much weight in the industry as Microsoft, it would be trivial to ensure their domains don’t end up on spam lists. Heck, because of outlook.com, they control have the spam lists themselves.
The real reason for multiple domains is likely more stupid than that. It’s likely because different teams want to move faster than the whole of Microsoft, so register a domain for their MVP to enable them to prototype like a start up. Because going through the usual hoops with enterprise regarding using their established domains will be a long and torturous process. And before long, their new prototype domain becomes so integrated into their product that adopting it as official is just easier than switching to microsoft.com.
I couldn’t say for sure that’s what has happened here. But it’s the story I’ve seen with domain ownership in other enterprises
saghm 2 hours ago [-]
Okay, so then they should stop doing stuff like trying to push people to log into Windows with Microsoft accounts instead of offline credentials and then using that as an excuse to send out inane marketing emails that no one wants. "We're doing something shitty as a workaround for the consequences of other shitty things we do" isn't a particularly good reason for not acting so shitty.
...and microsoftonline.com is not among them (unlike microsoftonline.net and other variants). But it seems to have been registered in 2002, and the record looks legit:
Such a list will never exist in an organisation of this size, with the amount of delegated management and operations required for these functions. In fact, it’s unlikely such a list is even _allowed_ to exist given the sensitive nature of some areas of the business, being a publicly traded company which works directly with regulated entities and governments.
It’d be interesting to hear a senior old-timer from MS to weigh in on their blog about this, and similar/adjacent problems that arise from working across such a colossal entity.
It’s a wonder they ever release anything new, if I’m being completely honest. The amount of governance, hoops, process and procedure across every aspect of their business must be staggering.
10000truths 5 hours ago [-]
> In fact, it’s unlikely such a list is even _allowed_ to exist given the sensitive nature of some areas of the business, being a publicly traded company which works directly with regulated entities and governments.
If the existence of a domain/subdomain is considered sensitive information, then something has gone very wrong.
antiframe 3 hours ago [-]
Companies do register domains before launching products and don't want to leak them. Now, I still support Microsoft and other companies to list the domains they send official emails from.
seb1204 3 hours ago [-]
Why would that not be possible?
You can still do that and then once the rabbit is out add it to the main list.
Come on, don't let the good be the enemy of the perfect.
I'm sure there are several ways to find and list all domains.
What bothers me more is that they allowed to have different domains in the first place. Why not sub domains to make it clear.
SoKamil 3 hours ago [-]
> Who even can be sure microsoftonline.com is legit
Spam filters.
saghm 2 hours ago [-]
I'm either impressed by whatever spam filter you having literally zero false positives or negatives, or I'm confused about what you think it means to "be sure".
consp 1 hours ago [-]
I have plenty of false negatives, mostly due to companies in know I get a mail from using spamlike html mails, I always verify on the phone it is the mail they send to be sure but it happens way too often.
cess11 2 hours ago [-]
This was a common issue when I consulted with bankruptcy lawyers and had to figure out what domain assets the company had. Commonly the representatives only knew about some of the domains and we found at least a few more.
Same with third party services, sometimes they used one for something for a while and collected customer or user data there and then stopped but kept paying for it, and forgot they had it. We typically found these through analysis of their accounting.
lostlogin 22 minutes ago [-]
Having a service crap out because someone didn’t pay for the domain is almost a trope. It never occurred to me that the reverse might happen - paying for unused domains.
binaryturtle 13 minutes ago [-]
I'm receiving daily about 20 to 30 spam mails from google servers. I'm sorting them into a separate SPAM folder for the "fun" of it.
Who to contact? How to make Google stop? Where to report the abuse of their services? I can't find out. The whole service is basically a big <bleep> off and "we don't want any contact."
Maybe I also need to publish some article, so it can be published here on HN? Maybe that could give it some traction for someone at Google to look into it?
spike021 6 hours ago [-]
A while back I had a reservation with a hotel on Booking and I received a phish attempt that came directly via the Booking site domain email and also DMs but "sent" by the hotel. When I looked into it at the time, it seemed less like an issue of hotels specifically having their accounts infiltrated and more like some kind of message/email endpoint on Booking's end was being abused in a similar manner.
I'm not sure this is the same type of issue but found this interesting, especially since apparently it's been reported to MS and no action has been taken.
wnevets 7 hours ago [-]
Is something similar happening with paypal? I've been getting seemly emails from the PayPal domain that are obviously a scam.
redwall_hp 6 hours ago [-]
The ones I've seen from PayPal are basically from sending a large request for money to you, then in the freeform text field for the reason, putting fake "if you believe this is a scam, call [actually a scam number]" text.
casty 4 hours ago [-]
I can confirm. Interestingly they actually put a random USDC transaction number from Coinbase which was very close (close enough that I thought it was accurate) of a transaction I actually did on Coinbase at one point. I was so confused so I ended up calling the number but immediately realized once they picked up what was going on. Essentially they got really lucky that my actual transaction amount was close enough to seem plausible.
This is a failure on PayPal’s email template that the freeform text field appears just as legit as other items. The text label was something like “Message from Sender”.
duskwuff 4 hours ago [-]
> This is a failure on PayPal’s email template that the freeform text field appears just as legit as other items.
This is a somewhat common pattern in scams - abusing freeform text fields in emails or other messages to give the impression that a message is coming from a source that didn't intend to send it.
Another variant I've seen is malicious URLs linking to search engines which display the user's search terms, e.g. a link to a Microsoft site search with a prefilled search of "YOU HAVE A VIRUS, CALL MICROSOFT SUPPORT 555-1212".
That's not a misconfiguration, that's incompetence.
How do these people get hired?
MichaelZuo 7 hours ago [-]
How does it work when a genuine microsoft domain is spending out spam?
Do other email providers penalize that specific domain only, or all microsoft domains to a tiny degree?
lelandbatey 6 hours ago [-]
The domain is Microsoftonline.com
Typically it's a mis-placed feature. Something like "send an email alert when a thing happens" and they let you control what goes in the message body as well as who the message should be sent towards. Sounds reasonable on the surface, but without guardrails it lets folks send arbitrary emails from your domain.
privacyfish 6 hours ago [-]
[flagged]
huflungdung 7 hours ago [-]
[dead]
avazhi 58 minutes ago [-]
Pretty apropos and quite ironically encapsulates what Microsoft has turned into over the past few years in particular.
Imagine this is some truly errant copilot instance truly embracing its slop destiny.
But they are not alone. It is kind of ironic when companies insist that we check the domain to spot spam but are unable publish a list with all domains they officially use to send mail.
Recently the regulatory bodies did just that and so the banks should only use 1600 numbers to contact their customers. My bank scam calls have dropped to 0.
(But in any case your bank will never call outwards to you, unless you've specifically requested that, which you almost never do.)
It mostly is, but Monero is pretty good.
I’d been hunting for ways to use a Wisecard standoff a bank but got a bit wary of what would happen if they went bust. Government backed guarantee do not exist for Wise.
[1] https://xcancel.com/Abishek_Muthian/status/18063480222902113...
They have to make posts to assure people it's not a scam, especially as they'll ask you to mail ID etc to that address:
https://bsky.app/profile/safety.bsky.app/post/3ljp6zi7tp227
There should be a long list of companies whose policies are worse than theirs.
It’s not a good excuse…
Yeah. I queried the 1st thing that came to mind and internalmicrosoft.com and microsoftinternal.com are available. With that much potential out there, I'd want to keep my official domain group tight.
That's because people report them as spam, so they hop domains to avoid that.
The real reason for multiple domains is likely more stupid than that. It’s likely because different teams want to move faster than the whole of Microsoft, so register a domain for their MVP to enable them to prototype like a start up. Because going through the usual hoops with enterprise regarding using their established domains will be a long and torturous process. And before long, their new prototype domain becomes so integrated into their product that adopting it as official is just easier than switching to microsoft.com.
I couldn’t say for sure that’s what has happened here. But it’s the story I’ve seen with domain ownership in other enterprises
...and microsoftonline.com is not among them (unlike microsoftonline.net and other variants). But it seems to have been registered in 2002, and the record looks legit:
https://whois.domaintools.com/microsoftonline.com
It’d be interesting to hear a senior old-timer from MS to weigh in on their blog about this, and similar/adjacent problems that arise from working across such a colossal entity.
It’s a wonder they ever release anything new, if I’m being completely honest. The amount of governance, hoops, process and procedure across every aspect of their business must be staggering.
If the existence of a domain/subdomain is considered sensitive information, then something has gone very wrong.
Spam filters.
Same with third party services, sometimes they used one for something for a while and collected customer or user data there and then stopped but kept paying for it, and forgot they had it. We typically found these through analysis of their accounting.
Who to contact? How to make Google stop? Where to report the abuse of their services? I can't find out. The whole service is basically a big <bleep> off and "we don't want any contact."
Maybe I also need to publish some article, so it can be published here on HN? Maybe that could give it some traction for someone at Google to look into it?
I'm not sure this is the same type of issue but found this interesting, especially since apparently it's been reported to MS and no action has been taken.
This is a failure on PayPal’s email template that the freeform text field appears just as legit as other items. The text label was something like “Message from Sender”.
This is a somewhat common pattern in scams - abusing freeform text fields in emails or other messages to give the impression that a message is coming from a source that didn't intend to send it.
Another variant I've seen is malicious URLs linking to search engines which display the user's search terms, e.g. a link to a Microsoft site search with a prefilled search of "YOU HAVE A VIRUS, CALL MICROSOFT SUPPORT 555-1212".
That's not a misconfiguration, that's incompetence.
How do these people get hired?
Do other email providers penalize that specific domain only, or all microsoft domains to a tiny degree?
Typically it's a mis-placed feature. Something like "send an email alert when a thing happens" and they let you control what goes in the message body as well as who the message should be sent towards. Sounds reasonable on the surface, but without guardrails it lets folks send arbitrary emails from your domain.
Imagine this is some truly errant copilot instance truly embracing its slop destiny.
lol