{"id":38212,"date":"2025-05-30T00:05:51","date_gmt":"2025-05-29T22:05:51","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=38212"},"modified":"2025-05-30T21:18:01","modified_gmt":"2025-05-30T19:18:01","slug":"microsoft-phishing-with-ms-365-tenants","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2025\/05\/30\/microsoft-phishing-with-ms-365-tenants\/","title":{"rendered":"Microsoft Phishing with MS 365 tenants?"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Gmail\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2016\/07\/Mail.jpg\" alt=\"Mail\" width=\"88\" height=\"64\" align=\"left\" border=\"0\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2025\/05\/29\/microsoft-phishing-mit-ms-365-tenants\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] I'd like to discuss an email I allegedly received from Microsoft regarding an \"expiring tenant\". Something needs to be ordered because the tenant, which has been inactive for more than 200 days, will otherwise expire. Is it a legitimate mail or phishing? That is the question here. Spoiler: at first I failed to answer the question with 100 % certainty. Then a German blog reader directed me to the right platform &#8211; and yes, the phishing mail is a legit Microsoft mail &#8211; WTF!<\/p>\n<p><!--more--><\/p>\n<h2>Strange mail \"from Microsoft\"<\/h2>\n<p>It was an email that reached me in my free German <em>outlook.com<\/em> account used for testing, and it immediately set all the alarm bells ringing. 
Only a few emails actually arrive on this account &#8211; and these usually come from Microsoft (see screenshot below).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/J4RqkdCV\/image.png\" alt=\"Microsoft SPAM-Mail\" width=\"640\" height=\"350\" \/><\/p>\n<p>On May 26, 2025, I received an email (bottom entry in the list above), allegedly from Microsoft, with the title \"Action required: Make a purchase by June 26, 2025 to continue using your tenant\", which showed up in a Thunderbird notification. The mail was already classified as SPAM in Thunderbird (see the red arrow in the screenshot above). I had overlooked this at first and quickly wanted to know what was going on, so I looked at the mail.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/rss5f7VK\/image.png\" alt=\"Microsoft SPAM-Mail ?\" width=\"640\" height=\"686\" \/><\/p>\n<p>The email informs me that my Microsoft Entra ID tenant with the specified ID will expire because it has been inactive for 200 days. I am supposed to make a purchase by June 26, 2025; otherwise a new tenant would have to be purchased. The email also contains links to make such purchases. Here is an excerpt of the relevant information:<\/p>\n<blockquote><p><b>Complete a purchase by June 26, 2025 to keep your account active<\/b><\/p>\n<p>You are receiving this email because your associated Microsoft Entra ID tenant (tenant ID 8070a59f-f33f-4cc8-8c9a-8adcfe0285f4) has been inactive for more than 200 days.<\/p>\n<p>Required action: To continue using your tenant, make a purchase before June 26, 2025. If you don't make a purchase before this date, your next purchase with Microsoft will require a new Microsoft Entra ID tenant to continue using Microsoft services.<\/p>\n<p>Make a purchase\u00a0 *https:\/\/portal.azure.com\/<\/p><\/blockquote>\n<p>But I am not aware of using a Microsoft Entra ID tenant, and I can't do anything with this stuff. 
On the other hand, Microsoft marketing is in the habit of changing its product names like other people change their underwear. Could it be that some free e-mail account is suddenly sailing under the flag of a Microsoft Entra ID tenant? Or was it an Office 365 account that Microsoft unintentionally gave me 10 years ago?<\/p>\n<p>I then realized while writing the German edition of this post: The email was marked as SPAM in Thunderbird (suspicious) &#8211; but Microsoft delivered it to the outlook.com mailbox &#8211; did their SPAM filter possibly goof up, or is the email legitimate? The content of the message didn't look trustworthy to me &#8211; why should I buy something if the tenant has been inactive for more than 200 days &#8211; shouldn't signing in be enough? But it was already midnight when the email arrived, so I saved it and put the analysis on hold. I tried to analyze it while writing this blog post.<\/p>\n<h2>What's behind the destination address<\/h2>\n<p>In the screenshot above, the <em>Make a purchase<\/em> target link is displayed in the footer. It is a \"safe link\" for emails from azure.net, but it redirects to a URL of the <em>azure.com<\/em> portal.<\/p>\n<pre>*ttps:\/\/nam.safelink.emails.azure.net\/redirect\/?destination=\r\nhttps%3A%2F%2Fportal.azure.com%2F&amp;p=\r\nbT02ZmU5NGNkZS1jNjA1LTQ5MmQtOGUzZC1iOTUxNzVhYzhhOD\r\nUmdT1hZW8mbD1idXR0b25fbWFrZV9hX3B1cmNoYXNlX19fXzEw<\/pre>\n<p>The redirect is passed a seemingly meaningless string (presumably encoded or obfuscated) as a parameter. This is very suspicious and probably the reason for the SPAM flagging by Thunderbird. For what it's worth, the string is plain Base64 and decodes to <em>m=6fe94cde-c605-492d-8e3d-b95175ac8a85&amp;u=aeo&amp;l=button_make_a_purchase____10<\/em>, i.e. the Message-Id of this very mail (see the header further down) plus a label for the button that was clicked &#8211; click tracking, in other words.<\/p>\n<blockquote><p>According to Microsoft, Safe Links enable the scanning of URLs and the rewriting of incoming email messages during email traffic as well as the checking of URLs and links in email messages, Teams and supported Office 365 apps at the time of clicking. 
According to <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-office-365\/safe-links-about\" target=\"_blank\" rel=\"noopener\">this Microsoft support article<\/a>, the scanning of safe links is in addition to the regular spam and malware protection.<\/p>\n<p>And in <a href=\"https:\/\/support.microsoft.com\/en-us\/account-billing\/what-happens-if-there-s-an-unusual-sign-in-to-your-account-eba43e04-d348-b914-1e95-fb5052d3d8f0#:~:text=If%20you%20aren't%20sure,%40accountprotection.microsoft.com.\" target=\"_blank\" rel=\"noopener\">this Microsoft document<\/a>, it says somewhere in the text that if you are not sure about the source of an email, you should check the sender. If an email comes from the Microsoft account team at [any microsoft.com address], you know it's legitimate.<\/p><\/blockquote>\n<h3>Checking the destination<\/h3>\n<p>If you don't look too closely, you could be fooled by the safe link and the URLs. I therefore called up the target URL in the incognito mode of a browser (you shouldn't really do this as an inexperienced user) and was shown the following.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"\" src=\"https:\/\/i.postimg.cc\/25zRXNJk\/image.png\" alt=\"Fake Azure-Anmeldeseite?\" width=\"501\" height=\"569\" \/><\/p>\n<p>I was redirected to an alleged Azure page to sign in to my Tenant account (see screenshot above). What is immediately disturbing is the blue background &#8211; Microsoft has been using a special background for its login pages for several months (see my German blog post <a href=\"https:\/\/www.borncity.com\/blog\/2025\/03\/28\/microsoft-hat-online-anmeldung-ueberarbeitet\/\" target=\"_blank\" rel=\"noopener\">Microsoft hat Online-Anmeldung im M\u00e4rz 2025 \u00fcberarbeitet<\/a>). 
The login page should now look as shown below.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/2S4vsJcq\/image.png\" alt=\"Microsoft Anmeldeseite (M\u00e4rz 2025)\" width=\"640\" height=\"554\" \/><\/p>\n<h3>What does Virustotal say?<\/h3>\n<p>As a quick check of such a URL for the target page, I usually ask virustotal.com &#8211; there you can paste the URL and get an assessment from a whole list of virus scanners. It often works and you get a warning.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/9f4SkXbj\/image.png\" alt=\"Virustotal zur Zielseite \" width=\"640\" height=\"510\" \/><\/p>\n<p>The screenshot above shows that the site is classified as \"clean\" by 97 virus scanners. So all clear? Something was still wrong, and I had to assume that virustotal.com was mistaken.<\/p>\n<h3>Check within the developer console<\/h3>\n<p>My next attempt was to inspect the login page in the browser's developer console. That attempt was immediately met with a big warning.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/FFjtmR4r\/image.png\" alt=\"Warnung vor redirect\" width=\"528\" height=\"156\" \/><\/p>\n<p>It kind of stinks &#8211; the developer console refuses to follow the redirect to the Azure portal.<\/p>\n<h2>Is it SPAM? An attempt at analysis<\/h2>\n<p>At this point I could have deleted the mail as SPAM. Thunderbird's verdict was clear, but it could still be a false alarm. 
I therefore wanted to take a closer look at what was going on and prepare the topic in more detail for my blog readers.<\/p>\n<h3>What does the header say?<\/h3>\n<p>I then inspected the header of the mail in Thunderbird and got the following information.<\/p>\n<pre>X-Mozilla-Status: 0001\r\nX-Mozilla-Status2: 00000000\r\nReceived: from AS8PR08MB6087.eurprd08.prod.outlook.com (2603:10a6:20b:29c::12)\r\n by GVXPR08MB10500.eurprd08.prod.outlook.com with HTTPS; Mon, 26 May 2025\r\n 16:24:17 +0000\r\nReceived: from DU6P191CA0023.EURP191.PROD.OUTLOOK.COM (2603:10a6:10:540::17)\r\n by AS8PR08MB6087.eurprd08.prod.outlook.com (2603:10a6:20b:29c::12) with\r\n Microsoft SMTP Server (version=TLS1_2,\r\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8769.24; Mon, 26 May\r\n 2025 16:24:16 +0000\r\nReceived: from DB1PEPF000509FD.eurprd03.prod.outlook.com\r\n (2603:10a6:10:540:cafe::ca) by DU6P191CA0023.outlook.office365.com\r\n (2603:10a6:10:540::17) with Microsoft SMTP Server (version=TLS1_3,\r\n cipher=TLS_AES_256_GCM_SHA384) id 15.20.8769.25 via Frontend Transport; Mon,\r\n 26 May 2025 16:24:16 +0000\r\nAuthentication-Results: spf=pass (sender IP is 20.98.194.70)\r\n smtp.mailfrom=microsoft.com; dkim=pass (signature was verified)\r\n header.d=microsoft.com;dmarc=pass action=none\r\n header.from=microsoft.com;compauth=pass reason=100\r\nReceived-SPF: Pass (protection.outlook.com: domain of microsoft.com designates\r\n 20.98.194.70 as permitted sender) receiver=protection.outlook.com;\r\n client-ip=20.98.194.70; helo=mail-nam-cu07-bn.eastus2.cloudapp.azure.com;\r\n pr=C\r\nReceived: from mail-nam-cu07-bn.eastus2.cloudapp.azure.com (20.98.194.70) by\r\n DB1PEPF000509FD.mail.protection.outlook.com (10.167.242.39) with Microsoft\r\n SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8769.18\r\n via Frontend Transport; Mon, 26 May 2025 16:24:16 +0000\r\nX-IncomingTopHeaderMarker: 
OriginalChecksum:50D66B43F75B5279726AC9419C9F53151E9D7FF13A469527B23E1F689F621B80;UpperCasedChecksum:47662D1C63A1B049D645E226224F4A4E7A7AEC9E871EE4DD3FAD000A6AFCF88A;SizeAsReceived:831;Count:9\r\nDKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=s1024-meo;\r\n\tc=relaxed\/relaxed; i=microsoft-noreply@microsoft.com; t=1748276655;\r\n\th=from:subject:date:message-id:to:mime-version:content-type;\r\n\tbh=UQhV0VORpQFBtrrT4sem5dhxcqk0olTGAQFIJf8GT6s=;\r\n\tb=tGrkbudiLBVnur49OvxW7Zqc\/XBLDDqDMtBGW7Szu0KrTG0dyMX6BLQihIy2A4O9riuT45lNQsO\r\n\tTMPIs27AmAhg6HOpTzD0abf1TjSKhXSj1bv8Y3z8JkjSCaqLVlWgY6280LriDPrdOoFOxXK9n7OTC\r\n\tEYNGOeGBl3nnWE\/2+FU=\r\nFrom: Microsoft &lt;microsoft-noreply@microsoft.com&gt;\r\nDate: Mon, 26 May 2025 16:24:15 +0000\r\nSubject: Action required: Make a purchase by June 26, 2025 to continue using\r\n your tenant\r\nMessage-Id: &lt;6fe94cde-c605-492d-8e3d-b95175ac8a85@az.eastus2.microsoft.com&gt;\r\nReturn-Path: azure-noreply@microsoft.com\r\nTo: <em>*****@outlook.de<\/em>\r\nContent-Type: multipart\/alternative; boundary=\"=-bL7AEVxXhKA6qM\/rW3\/B9g==\"\r\nX-IncomingHeaderCount: 9\r\nX-MS-Exchange-Organization-ExpirationStartTime: 26 May 2025 16:24:16.4849\r\n (UTC)\r\nX-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit\r\nX-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000\r\nX-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit\r\nX-MS-Exchange-Organization-Network-Message-Id: e5cac02f-5500-49c5-7938-08dd9c71c27f\r\nX-EOPAttributedMessage: 0\r\nX-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0\r\nX-MS-Exchange-Organization-MessageDirectionality: Incoming\r\nX-MS-PublicTrafficType: Email\r\nX-MS-TrafficTypeDiagnostic: DB1PEPF000509FD:EE_|AS8PR08MB6087:EE_|GVXPR08MB10500:EE_\r\nX-MS-Exchange-Organization-AuthSource: DB1PEPF000509FD.eurprd03.prod.outlook.com\r\nX-MS-Exchange-Organization-AuthAs: Anonymous\r\nX-MS-UserLastLogonTime: 5\/26\/2025 11:06:05 
AM\r\nX-MS-Office365-Filtering-Correlation-Id: e5cac02f-5500-49c5-7938-08dd9c71c27f\r\nX-MS-Exchange-EOPDirect: true\r\nX-Sender-IP: 20.98.194.70\r\nX-SID-PRA: MICROSOFT-NOREPLY@MICROSOFT.COM\r\nX-SID-Result: PASS\r\nX-MS-Exchange-Organization-SCL: 1\r\nX-Microsoft-Antispam: BCL:2;ARA:1444111002|9400799033|68400799013|22402599018|10300799035|461199028|21080799006|12005499003|1680799057|970799057|5101999024|9000799050|28045499009|1290799030|4302099013|440099028|3412199025|18021999003|33101999003|21101999018|16125499006|17072799003|1360799030|1370799030|1380799030|56899033|1602099012;\r\nX-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 May 2025 16:24:16.2083\r\n (UTC)\r\nX-MS-Exchange-CrossTenant-Network-Message-Id: e5cac02f-5500-49c5-7938-08dd9c71c27f\r\nX-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa\r\nX-MS-Exchange-CrossTenant-AuthSource: DB1PEPF000509FD.eurprd03.prod.outlook.com\r\nX-MS-Exchange-CrossTenant-AuthAs: Anonymous\r\nX-MS-Exchange-CrossTenant-FromEntityHeader: Internet\r\nX-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000\r\nX-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR08MB6087\r\nX-MS-Exchange-Transport-EndToEndLatency: 00:00:01.4284569\r\nX-MS-Exchange-Processed-By-BccFoldering: 15.20.8769.014\r\nX-Microsoft-Antispam-Mailbox-Delivery:\r\n\tucf:0;jmr:0;ex:0;auth:1;dest:I;ENG:(5062000308)(920221119095)(90000117)(920221120095)(90005022)(91005020)(91035115)(9050020)(9100341)(944500132)(4810010)(4910033)(9575002)(10195002)(9320005)(120001);\r\nX-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0xO1NDTD0z\r\nX-Microsoft-Antispam-Message-Info:\r\n\t=?utf-8?B?aDc5OVpXM2M0T2syRnZlVkJoZzhqYjV4VmFTK1dqNzB4R0ZHTEc0aVlhUytk?=\r\n =?utf-8?B?S1RocS9FQWZ4WGZlRlMwcE4wZEFKS0J5clY3Qm9lbWduclVaOVkwdGQzaTFP?=\r\n =?utf-8?B?UE41TytEZW1VSDRzay9DTnl2N2JQNDNFck9tODZnSGxYMWM2NjNjVjFEOXJV?=\r\n =?utf-8?B?L0JXWWdwWjd1RmtPdWlYbks2dURKMkNkaWZhTFA1SHFud0p1YlVzY2ZVMDZF?=\r\n 
=?utf-8?B?MTVyQ1ltejZrU1lwejY1SDh3RllPSjliSzBCSWhxQkxKTGVmY2NtaTBTZzFL?=\r\n =?utf-8?B?bkxWVFVlUVZQcCt5VnFhRTZkK1h3ZzRsM2tFOUtJUk8wNTFaVWZpYkNYSmQw?=\r\n =?utf-8?B?eTJhQXg3WitPZFVoc0lyR240UFp1eU93VVpXS29vUHgyNWEvUkxBUnNPL2M4?=\r\n =?utf-8?B?eFFLNURYS0JzMUhGNFlvY3RoZjNhN1R4enRQK05vcHB1dXBjaXJnVzVPNXJN?=\r\n =?utf-8?B?Vm5JaGJGMmhmQWJzUWxHZ1BXb1YzK3NIZTNRa3pBQXhaYXllUWpFRGEwWDR0?=\r\n =?utf-8?B?TU1UQWVEcUJHZ3M1bkJMODh0cGZVTEtyVTBrY1VrV1N1SEttRzBHNGhXV1Fx?=\r\n =?utf-8?B?WHJWZ2tGU2lEMlF6Q3BtbDNEdlovRHhJRVhHZmdaclZmZVBSZVdOdVJpZUZ1?=\r\n =?utf-8?B?Qjh4TmR0aVZCUE52dk1UR1dHN3hsQ3l6R2tGaFJ6Q1ZNVWlRZnpvcEc0dnZN?=\r\n =?utf-8?B?STZWb20wVU5pUzJCaVFmYithaDNUaysxS3I0R1ZDUi9vYnlBa3ByZGsyRk0r?=\r\n =?utf-8?B?a3J1TE9lR2hEc3ZFSVZYZitKNmV3Y3FJSDNvY3Ewc1dSVDcycmZqNUQ1TG1W?=\r\n =?utf-8?B?d3VKSGlzaExXa0xjRWl5SUdKYzRSMUtLOHRwSzArclFuMllIdEt0dkZlZUd1?=\r\n =?utf-8?B?UElKMkVMRjZpSUxhblBvWWJQcnhyMjF3VUxkMUQ5d3pUNHpWd09jWVYycW00?=\r\n =?utf-8?B?elFFR2hJUkUvV3VYTno4UEVoVlpXb25zRWgrZnhzUmJYSi9kb3BvSFFxTjJv?=\r\n =?utf-8?B?OWtjYk5JSGh3aFA3Nk5aV0Vva0Q5elptbFZvN2tjVnhYNnNrYmQ0TjRtcGVF?=\r\n =?utf-8?B?Y29qSTJrS3FjcXV5WFZqaGIxWk5vQmVXSkRVdnZXUk84Q3YzazhkZlUvL0s2?=\r\n =?utf-8?B?ZnVnSHVFMWFMeVIzYlpZTlkyS29HaGJYUEorcHFkZ0wwT3pNcGhocHhsdTBQ?=\r\n =?utf-8?B?R2pqZzUzUkFWVlNSemo4cGlGUUc4Zjd4QzFMUFlTUHp6QTNhYVVvb1FuL0Zx?=\r\n =?utf-8?B?cXhRNXV6WEdnclVVM2hkVGJuRHBabHhNNGtFdkwvdm5uUTRSU1hMQ2o2S2tZ?=\r\n =?utf-8?B?bjFyK0d0U3BZdnBuN1oyYWcrdXIvMFFWOXNKWHFEcnpROENQT3RaZDR1Nncx?=\r\n =?utf-8?B?YkRkU05IZVcyME9mZ3l5UmtzU05ERE5BYm5keSthVXUzMlp5bmRlc0Uvd1dP?=\r\n =?utf-8?B?ZXN6MkNqTGJZWXVXdGs3WW1zaFpJMmEvR2Rvb3FNbWxnWW9nOWtLNUV5K0NZ?=\r\n =?utf-8?B?Q0VwM2toeDhkY1dWU0Exb2wxQkEwVUw1Qy9aK29zSlQyYzBrZktzamlZY3p1?=\r\n =?utf-8?B?dlZON1pQSlZkVDZhQW5PN1RhZi9BS2orbDRnUWJoKzMyVG1uT3pzNExscDdR?=\r\n =?utf-8?B?N3Y2dDVkNlBzdVVZTkUrdUtjOEtDQVBUUElReFNianRUUVVkRnI4b3MwT0Y4?=\r\n =?utf-8?B?LzF1ZFhYNnRpbkt4T3hwWVNEMU5HWitZMm5UMW1QSDdwUlZwTzZ2eDlXR2Fy?=\r\n 
=?utf-8?B?czFrSHpTUEgrTFo5ZW5DQTRkdzJLbTY3ZXFYeEo4K0ZoVGpkRThzbld0R29u?=\r\n =?utf-8?B?RmtZVEMrUHp3c203bG9memhsM2N2QkpyelFRUHR6dFprRUQzTEswSDRDSm5k?=\r\n =?utf-8?B?UXBGVk8xbTJNa1VucWZTcndKc1ZNRkxIbHdmazVySmwydzU4ODJjcUJrdzVQ?=\r\n =?utf-8?B?V2RWOEUvRFpuYldJRE1MSkY2ZlIvcW5ubkRPTkVsU1VRLzhjLzl1bVNIWkhI?=\r\n =?utf-8?B?bHRLYTBvV004cmZWNUdRZDlRNVdYVWx4ajBxZnlJODY0aWZ2QmFhcEhVcDZn?=\r\n =?utf-8?B?ak8wckVJSUVPaWVuNXRNNCtVbVA0UHJsMFFza0l1NnVqNThPc3dkY1U1MTgv?=\r\n =?utf-8?B?R3EzNnhFVGh2d3AzMFFaUmZhM0gvWHFBYW1MYW9rQUNwSEtNMWxyUWtyMEhI?=\r\n =?utf-8?B?U1Y4Sk1EWndlWlEvVHpOWmpQN1dkNWlROXJhZjZSVFJGRkVDTm9NUFVQcFdY?=\r\n =?utf-8?B?T0l1a3NBRFR3dnJkYUhFRmRIdDM3ZCtES2R2MlZoSndraHZMVXRLU0VONStM?=\r\n =?utf-8?B?Y3VsWENPZC82cDdvTFE1ZzBUV0ZUdEZtSytyRFV6T3dVOG0ra1NpQ1BOU0lD?=\r\n =?utf-8?B?SEc5cVR6QkVIM21ZUVEzWnNnajBsamNkUG84TG50MzNHRUxwQVFtUDQ2U05v?=\r\n =?utf-8?B?dkVRdGc1eFFjYUpWeFhOK0VFeHFQbWlDWmduZ3pjRDFVRnI0ZE4rME1DYWc0?=\r\n =?utf-8?B?TlNDZzJBczlMTFp5SDArYUtjakpHOFNrQ2ZJOVZjR1FNZmtyREJnVlRXdHhX?=\r\n =?utf-8?B?dTFMR1ZxZDJweEY1MTdzV25kbzRhYk8vWDdnMjc1NW1TSkN2U1dhL3BFeVNO?=\r\n =?utf-8?B?ODBqZThiK0RDTVJoVFp5U0hDaVlXMU94RWZhVWY4Nkh6SmF6RE1mSjZxcnBO?=\r\n =?utf-8?B?YXo2RjBJemxvN2FBekFjMDdmcm1XeUVQcnM0Nm5PR0h6TGhKNzR5Rm5HOWdo?=\r\n =?utf-8?B?ZVJNTmwzUjIwVmRQWWRmUlRqVGFaZENuT2dUTGR5cElvaitKSElUVHlrbGMy?=\r\n =?utf-8?B?Z1Q2ZXhUcVlHSjk2aTJYWlhQV29uU2dRZnpuSjVwWUdQM09qcHR0djFrQ1hL?=\r\n =?utf-8?B?T293Tzh2em53NjcxZjVCR3ViWDRHMlV1Qk1BQTRKZGE5dWJSY09UM0xKT2Ru?=\r\n =?utf-8?B?KytydExEeG11K2RVSXNnSDlCUCtCMlhpRk1TNDJ1ZEpCd3AvM1E9PQ==?=\r\nMIME-Version: 1.0\r\n<\/pre>\n<p>At first glance, everything looks like it was \"sent by Microsoft\", and the IP address is also assigned to Microsoft in the USA. In other words, the origin is in the Microsoft cosmos. But the sender could have set up a phishing account. 
If so, the potential phishers proceeded quite cleverly, and inspecting the header to answer the question \"does the mail come from outside the Microsoft infrastructure\" gets you nowhere. Worth noting, though: the Authentication-Results line shows dkim=pass with header.d=microsoft.com and an aligned dmarc=pass, i.e. the mail carries a valid signature made with a key published in microsoft.com's own DNS &#8211; so whoever sent it had access to Microsoft's own mail signing infrastructure, not just to a rented Azure VM.<\/p>\n<h3>It's probably SPAM &#8211; there are more hits<\/h3>\n<p>Because of the many inconsistencies I mentioned above, the mail fell into the SPAM category for me. I then did some more searching on the Internet and came across the following <a href=\"https:\/\/www.reddit.com\/r\/entra\/comments\/1k7or0w\/microsoft_entra_id_inactive_email_what_does_it\/\" target=\"_blank\" rel=\"noopener\">reddit.com thread<\/a> on the same topic.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/tCn2Wx8j\/image.png\" alt=\"Purchase SPAM &quot;from Microsoft&quot;\" width=\"640\" height=\"522\" \/><\/p>\n<p>There, the thread starter and other commenters raise similar questions as above. The verdict there: a SPAM, scam or phishing attempt, but not a badly done one. In the thread, users also criticize Microsoft, saying that it is no longer possible to tell whether something like this is SPAM.<\/p>\n<h2>Not SPAM? Let me sprinkle a pinch of uncertainty<\/h2>\n<p>In the reddit thread above, someone then refers to the Microsoft Q&amp;A post <a href=\"https:\/\/learn.microsoft.com\/en-us\/answers\/questions\/2122281\/complete-a-purchase-by-january-17-2025-to-keep-you\" target=\"_blank\" rel=\"noopener\">Complete a purchase by January 17, 2025 to keep your account active<\/a> (titled \"AI Skills Fest\"), where this is also discussed. Here is the screenshot of the posted question, which is quite similar to my initial email.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/nhzRrWZ3\/image.png\" alt=\"Microsoft on &quot;Complete a purchase ...&quot;\" width=\"640\" height=\"795\" \/><\/p>\n<p>I have extracted the text below &#8211; so that it can be found in search engines and linked to the blog post. 
Mind you, we're talking about an official Microsoft Q&amp;A page here.<\/p>\n<blockquote><p><strong>Complete a purchase by January 17, 2025 to keep your account active<\/strong><\/p>\n<p>Nepsys, Nov 22, 2024, 7:10 PM<\/p>\n<p>Why am I getting email from Microsoft?<\/p>\n<p>\"Complete a purchase by January 17, 2025 to keep your account active<\/p>\n<p><em>You are receiving this email because your associated Microsoft Entra ID tenant (tenant ID\u00a0<strong>removed<\/strong>) has been inactive for more than 200 days.<\/em>\u00a0<strong>Required action: To continue using your tenant, make a purchase before January 17, 2025<\/strong>. If you don't make a purchase before this date, your next purchase with Microsoft will require a new Microsoft Entra ID tenant to continue using Microsoft services\"<\/p>\n<p>I am using only outlook email which has almost 6 months till license renewal?<\/p><\/blockquote>\n<p>I was quite floored by the answer &#8211; it came twice, from a Microsoft moderator and from an external moderator:<\/p>\n<blockquote><p>Hello\u00a0Nepsys,<\/p>\n<p>Thanks for your question<\/p>\n<p>This indicates that your tenant has been inactive for 200 days.<\/p>\n<p>If you just use outlook, check if you require the Microsoft Entra ID tenant. 
If it's not essential for your current or future needs, you may choose to let it expire.<\/p>\n<p>If you want to keep the tenant active, consider making a purchase on the account for your tenant.<\/p>\n<p>Follow this link for more information on tenant inaccessibility due to inactivity.\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/fundamentals\/inaccessible-tenant\" target=\"_blank\" rel=\"nofollow noopener ugc\">https:\/\/learn.microsoft.com\/en-us\/entra\/fundamentals\/inaccessible-tenant<\/a><\/p>\n<p><strong>You can mark it 'Accept Answer' and 'Upvote' if this helped you<\/strong><\/p>\n<p>Regards,<\/p>\n<p>Abiola<\/p><\/blockquote>\n<p>In a nutshell: The Microsoft moderators claim that the e-mail notification on behalf of Microsoft is legitimate and originates from Microsoft. What the fuck! Later I found <a href=\"https:\/\/learn.microsoft.com\/en-us\/answers\/questions\/2244554\/microsoft-email-regarding-complete-purchase-to-kee\" target=\"_blank\" rel=\"noopener\">this Microsoft Answers<\/a> thread with a similar case &#8211; where I posted a link to this blog post.<\/p>\n<p>I took another look at the URL that the safe link ultimately resolves to, as shown in the address bar of the 
browser.<\/p>\n<pre>https:\/\/login.microsoftonline.com\/organizations\/oauth2\/v2.0\/authorize?\r\nredirect_uri=\r\nhttps%3A%2F%2Fportal.azure.com%2Fsignin%2Findex%2F&amp;response_type=\r\ncode%20id_token&amp;scope=https%3A%2F%2Fmanagement.core.windows.net%2F%2F\r\nuser_impersonation%20openid%20email%20profile&amp;state=\r\nOpenIdConnect.AuthenticationProperties%3D\r\nuxz6z5N_5Ixhg9N6BGUaMC3bGk2UKXtrL00guLosODZORYKXhxSQL3urwjUIOcZ\r\nqPYwWPOAJpk6na8kG23KXG0H50ONs2I0dkFR4Dpb3PgHVYLnAgf2a69keIc0QhHB\r\njYznmS8iD0kDD4oudMjSo0810C1CHxHqIAOoS__Iy9eRAncFBFmWYqDooGAq7ajd\r\ngV6FXIWzWL9NE0cTBBlVceJFBfQr0YgeqiIKnV2oX3K2RaQQCrT9tvNlyexWpy1\r\nGXTLFLFp_EkwDqHVqy7YJHNLGd_jnXLKBkp6DNkZJpBmfp05j4YDgaqWGUCYfDQ2\r\nE3AFB9O5A0OO_c5bBdE2vjFzyJQl1u2pGvKExReDGdIsYKl9Oa27RDV5sONadoTaK\r\nh6CvCnBIs_V3NdADIAAL3JOqkRqfqPVWwraSmamGim02mKosJyJN3XBKFnm7Lm7z_Ca\r\n09oIleggW48zbqwwROR82XQhXe9ZMGxPTM0YCEXAY&amp;response_mode=\r\nform_post&amp;nonce=638838932065190836.OWYyMjQzZWEtNGU1Yy00Nzc1LWI3Zm\r\nQtYjk2MTQwZmM3YWIzZjk5Yjg2N2QtMTkyZi00OTlkLThjMjUtMWMzMDhlYzJlZTNm&amp;\r\nclient_id=c44b4083-3bb0-49c1-b47d-974e53cbdf3c&amp;site_id=501430&amp;\r\nclient-request-id=21b8db4f-7fca-4c1e-97a7-07a85651f29c&amp;\r\nx-client-SKU=ID_NET472&amp;x-client-ver=8.3.0.0&amp;sso_reload=true<\/pre>\n<p>The domain <em>microsoftonline.com<\/em> belongs to Microsoft, as do <em>portal.azure.com<\/em> and <em>windows.net<\/em>. What is going on in the parameters is not clear to me ad hoc (apart from the fact that a form is to be displayed for sign-in). For the record, these are the usual parameters of an OpenID Connect authorization request to the Microsoft identity platform (redirect_uri, response_type=code id_token, scope, an opaque state value generated by the portal's OpenIdConnect middleware, a nonce and response_mode=form_post), all produced by portal.azure.com when it sends an unauthenticated visitor to the login page. Who comes up with something like this?<\/p>\n<h2>Final thoughts<\/h2>\n<p>I have broken down the simple email in the post above, but at this point I am not sure whether it might not be something legitimate from Microsoft after all. 
Maybe I've missed something and a blog reader can shed some light on it.<\/p>\n<p>But this case leads me to the question \"How broken is the Microsoft eco-system?\" when I, as a somewhat advanced recipient of such an email, can no longer recognize whether it might be something legitimate after all. This stuff has become so complex that a normal user has hardly any chance of judging whether an email is SPAM or really comes from the alleged sender.<\/p>\n<h2>Addendum: It's from Microsoft &#8211; WTF!<\/h2>\n<p>After publishing the German edition of this blog post, reader Mom20xx left <a href=\"https:\/\/www.borncity.com\/blog\/2025\/05\/29\/microsoft-phishing-mit-ms-365-tenants\/#comment-218024\" target=\"_blank\" rel=\"noopener\">this comment<\/a> (thanks) and told me to check the tenant ID at <a href=\"https:\/\/tenantidlookup.com\/\" target=\"_blank\" rel=\"noopener\">Tenant ID Lookup<\/a>. Then \"things got really stinky\" &#8211; here is the result of the test:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"\" src=\"https:\/\/i.postimg.cc\/vHfCNJWB\/image.png\" alt=\"Tenant ID Lookup\" width=\"577\" height=\"427\" \/><\/p>\n<p>It is my outlook.de test account that is listed. However, this is now somehow assigned to an onmicrosoft.com tenant. So the mail does come from Microsoft, and the sender knows the tenant ID. This leads me to the following questions:<\/p>\n<ul>\n<li>How does Microsoft come to write such a cryptic mail to users with a private outlook.com\/.de account?<\/li>\n<li>How does Microsoft come to ask users to buy something when a free email account is supposedly no longer in use?<\/li>\n<li>How does Microsoft come to the assumption that the account has been unused for more than 200 days &#8211; when this message is displayed in Thunderbird (i.e. has been retrieved from the account)?<\/li>\n<li>Who at Microsoft is responsible for this implementation? I don't have an Azure account and probably can't sign in. 
And all these redirect URLs are a no-go.<\/li>\n<\/ul>\n<p>You'd think Microsoft had either been hacked &#8211; or that they've totally lost control of their cloud stuff. One reader linked it to the topic of my German post <a href=\"https:\/\/www.borncity.com\/blog\/2025\/04\/24\/microsoft-bereinigt-millionen-cloud-tenants-nach-storm-0558-angriff\/\" target=\"_blank\" rel=\"noopener\">Microsoft bereinigt Millionen Cloud-Tenants nach Storm-0558-Angriff<\/a>, i.e. the \"was hacked\" option &#8211; but also dropped the remark \"lost control of their cloud stuff, or never had it\". WTF! Or how do you see it?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] I'd like to discuss an email I allegedly received from Microsoft regarding an \"expiring tenant\". Something needs to be ordered because the tenant, which has been inactive for more than 200 days, will otherwise expire. Is it a legitimate mail &hellip; <a href=\"https:\/\/borncity.com\/win\/2025\/05\/30\/microsoft-phishing-with-ms-365-tenants\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63,580,1547],"tags":[1068,2870,2920,69],"class_list":["post-38212","post","type-post","status-publish","format-standard","hentry","category-cloud","category-security","category-software","tag-mail","tag-ms-365","tag-phishing","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/38212","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=38212"}],"version-history":[{"count":9,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/38212\/revisions"}],"predecessor-version":[{"id":38241,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/38212\/revisions\/38241"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=38212"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=38212"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=38212"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}