Most people know the basics of spotting scam emails: fake sender addresses, misspelled domains, suspicious links, or obvious grammar mistakes.
This scam has none of those.
Over the past several weeks, Microsoft users have reported receiving scam emails that come from a legitimate Microsoft address and are delivered through Microsoft’s own systems. The emails pass all standard security checks and often land directly in inboxes — not because something broke, but because everything is working as designed.
Understanding how this scam works is the key to avoiding it.
What’s Really Happening
The emails are sent from:
no-reply-powerbi@microsoft.com
This is a genuine Microsoft address used by Power BI to notify users when reports or dashboards are shared with them. In many organizations, this sender is trusted and even allow-listed to ensure important notifications aren’t missed.
Scammers are exploiting that trust.
They aren’t spoofing Microsoft and they haven’t hacked Microsoft’s email servers. Instead, they’re abusing legitimate Power BI features to send attacker-controlled messages through a trusted Microsoft channel.
How the Scam Emails Are Sent
Power BI automatically sends email notifications when content is shared. Attackers take advantage of this process:
- They create or gain access to a Microsoft Power BI account
- They create a report, dashboard, or workspace
- They share it with external email addresses
- They customize the optional message field with scam content
- Microsoft sends the notification email automatically
Because the email is a real Power BI notification:
- It comes from a real Microsoft address
- It passes SPF, DKIM, and DMARC authentication
- It’s sent through Microsoft infrastructure
- It looks legitimate to both users and mail servers
From a technical standpoint, the email is valid — even though the intent behind it is malicious.
What the Emails Usually Say
Instead of a normal “You’ve been invited to view a report” message, these emails typically claim:
- An unauthorized Microsoft charge
- A subscription renewal the recipient doesn’t recognize
- A billing problem that requires immediate action
The message almost always urges the recipient to call a phone number.
That phone call is the real goal.
Once the victim calls, the scam moves away from email and into direct social engineering. The attacker poses as Microsoft support and pressures the victim to install remote access software or share sensitive information.
Why This Scam Is So Hard to Detect
Traditional email security tools look for things like:
- Fake sender domains
- Malicious links or attachments
- Failed authentication checks
This scam avoids all of that:
- The sender is legitimate
- Authentication passes
- There may be no links or attachments at all
- The malicious element is the message intent, not the structure
This makes it an abuse-of-platform attack, not a traditional phishing campaign.
In fact, allow-listing Microsoft sender addresses can make the problem worse by letting these messages bypass additional inspection entirely.
Can Microsoft Identify the Scammers?
Yes.
Because these emails are sent through Microsoft services, Microsoft can see:
- Which tenant created the Power BI resource
- Which account initiated the share
- The message content
- Sending patterns and recipient lists
This activity is logged and attributable. However, it isn’t a breach. The accounts often appear legitimate until abuse is reported or suspicious behavior becomes clear. As a result, enforcement usually happens after the first wave of emails is delivered.
This is a common challenge for trusted platforms that allow user-generated sharing, such as document sharing, calendar invites, and cloud notifications.
How Microsoft Responds
Once abuse is identified or reported, Microsoft can:
- Suspend or terminate the Power BI account
- Disable the tenant entirely
- Block further outbound notifications
- Require additional verification
Microsoft can’t simply block all Power BI notification emails without disrupting legitimate business workflows. That’s why detection relies on reporting and behavioral analysis rather than blanket prevention.
How to Spot These Emails
Even when an email comes from a trusted sender, be cautious if it includes:
- Unexpected billing or payment claims
- Urgent or threatening language
- Requests to call a phone number
- Instructions that bypass official account portals
Microsoft does not resolve billing issues through unsolicited phone calls prompted by email.
What Users Should Do
If you receive one of these messages:
- Do not call the phone number
- Do not install software at someone else’s request
- Log in to your Microsoft account using a trusted, bookmarked URL
- Check billing information directly inside the official dashboard
- Report the email as phishing
For administrators, avoid unconditional allow-listing of vendor addresses without content and behavior-based monitoring.
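The two checks the "Why This Scam Is So Hard to Detect" section and the administrator advice above describe, content inspection and behaviour-based monitoring applied even to an allow-listed sender, can be demonstrated with a short triage script. The following Python is an added example, not code from the article or from Microsoft. It assumes a mail pipeline hands over raw RFC 5322 messages that have already passed SPF, DKIM and DMARC; the keyword lists, the phone-number pattern, the thresholds and the sample messages (including the Power BI report link and the 555 phone number) are constructed for illustration, and only the sender address is taken from the article.

```python
"""Triage of notification e-mail from an allow-listed sender.

Added example, not the article's or Microsoft's code. Assumes raw RFC 5322
messages that already passed SPF/DKIM/DMARC; keyword lists, thresholds and
sample messages are constructed for illustration.
"""
import email
import email.utils
import hashlib
import re
from collections import defaultdict
from email import policy
from email.message import EmailMessage

# The sender named in the article; allow-listing it is the configuration
# the article warns about, so the checks below never trust it implicitly.
ALLOW_LISTED_SENDERS = {"no-reply-powerbi@microsoft.com"}

BILLING_TERMS = ("charge", "invoice", "subscription", "renewal", "billing", "payment")
URGENCY_TERMS = ("immediately", "within 24 hours", "urgent", "suspended", "unauthorized")
CALL_TERMS = ("call", "phone", "dial")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")  # constructed
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def body_text(msg: EmailMessage) -> str:
    """First text part of the message, or an empty string."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def score_message(raw: bytes) -> dict:
    """Content check: billing claim, urgency, a number to call, no portal link.

    Allow-listing is recorded but treated as an authentication decision only;
    it never lowers the content score.
    """
    msg = parse(raw)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    text = body_text(msg).lower()

    indicators = []
    if any(t in text for t in BILLING_TERMS):
        indicators.append("billing_claim")
    if any(t in text for t in URGENCY_TERMS):
        indicators.append("urgency")
    if PHONE_RE.search(text) and any(t in text for t in CALL_TERMS):
        indicators.append("call_to_phone")
        # A genuine share notification links back to the platform; a phone
        # number with no link at all matches the pattern described above.
        if not URL_RE.search(text):
            indicators.append("no_portal_link")

    return {
        "sender": sender,
        "allow_listed": sender in ALLOW_LISTED_SENDERS,
        "indicators": indicators,
        "verdict": "quarantine" if len(indicators) >= 2 else "deliver",
    }


def fan_out(raw_messages: list, threshold: int = 3) -> dict:
    """Behaviour check: one custom message landing in many mailboxes.

    Groups messages from allow-listed senders by a digest of the body and
    returns the digests seen by at least `threshold` distinct recipients.
    """
    recipients = defaultdict(set)
    for raw in raw_messages:
        msg = parse(raw)
        sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
        if sender not in ALLOW_LISTED_SENDERS:
            continue
        digest = hashlib.sha256(body_text(msg).encode()).hexdigest()[:16]
        for _, addr in email.utils.getaddresses(msg.get_all("To", [])):
            recipients[digest].add(addr.lower())
    return {d: len(r) for d, r in recipients.items() if len(r) >= threshold}


# Constructed samples: a normal share notification and the scam variant.
GENUINE = (b"From: no-reply-powerbi@microsoft.com\nTo: alice@example.com\n"
           b"Subject: A report has been shared with you\n"
           b"Content-Type: text/plain; charset=\"utf-8\"\n\n"
           b"Bob shared the report \"Q3 Sales\" with you.\n"
           b"Open it here: https://app.powerbi.com/groups/me/reports/EXAMPLE\n")


def scam_to(recipient: str) -> bytes:
    """Same notification path, attacker-written message field (constructed)."""
    return (b"From: no-reply-powerbi@microsoft.com\nTo: " + recipient.encode() + b"\n"
            b"Subject: A report has been shared with you\n"
            b"Content-Type: text/plain; charset=\"utf-8\"\n\n"
            b"Message from sender:\n"
            b"Your Microsoft 365 subscription renewal of $399.99 was charged today.\n"
            b"If you did not authorize this charge, call 1-800-555-0199 immediately.\n")


if __name__ == "__main__":
    inbox = [GENUINE] + [scam_to(f"user{i}@example.com") for i in range(1, 4)]
    for raw in inbox:
        print(score_message(raw))
    print(fan_out(inbox))
```

The fan-out check on its own is not a verdict: a legitimately shared report also reaches many mailboxes, so a digest that trips the threshold should be routed to the content scorer (or to a reviewer) rather than blocked outright. The point of the design is that the allow-list decides only whether authentication failures are tolerated; content and behaviour checks still run on every message from the trusted sender.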
The Bigger Takeaway
This scam highlights an important reality of modern email security:
A real sender does not guarantee a safe message.
Email authentication only confirms that a message genuinely came from the domain it claims — not whether its content should be trusted. As attackers increasingly abuse legitimate platforms, effective security depends on a mix of technical controls, contextual analysis, and informed users.
Email remains a trusted communication channel. Keeping it that way requires understanding not just how emails are sent, but how that trust can be misused.