Potential Communications

Promoting the Christian message over the internet

Microsoft 365 Renewal Scam

Receiving an email from Microsoft confirming that you that a subscription for Microsoft 365 has been automatically renewed at a significant expense will be concerning if you have in fact never subscribed to the software. All though is not what it seems, Microsoft have not contacted you, no money has been taken out of your bank account, it is just a fairly elaborate scam to obtain your banking details.

Let's look at the email and see the significant points that show it is a scam.

E-Mail received:

Date: 19/12/2024, 04:11

From: Order Confirmation via Adobe Acrobat Sign adobesign@adobesign.com

To: pablo7@kettysuits22.onmicrosoft.com pablo7@kettysuits22.onmicrosoft.com

Reply to: Order Confirmation updatesteams@yopmail.com

Subject: Order Confirmation has copied you on [ auto-generated receipt ].

microsoft 365 renewal scam

Notes: The email comes from an official adobe email address (adobesign@adobedesign.com) and it appears to have been sent to a microsoft365 email address (pablo7@kettysuits22.onmicrosoft.com). We will have received the email as our address will have been entered in a distribution list for the pablo7@kettysuits22.onmicrosoft.com group email address.

https://learn.microsoft.com/en-us/microsoft-365/admin/setup/create-distribution-lists?view=o365-worldwide

Examination of the linked page from the click here to view this document link towards the bottom of the email...

https://eu1.documents.adobe.com/public/agreements/view/CBJCHBCAABAAI4Pyim3Bw7LuOyjnLqcG3
CM8mjxRGaZF?type=megasign_parent&tsid=CBFCIBAACBSCTBABDUAAABACAABAAykS9zEK-H2
BkhteG65CLN-zP7ZAQ-HM5Kc7ySIBVKeS5HLfZDzVgwpWhpF0bF195RHmEt96wLK2IDW_Jm8RwcCplp
KCC57QUfKDGYsfZ3Ek7KcUqCibF8vImlafqwWIu

Shows that the prepared document was sent to the following group email addresses, probably because there is a maximum number of email addresses that can be added to a microsoft365 group

pablo7@kettysuits22.onmicrosoft.com, pablo9@kettysuits22.onmicrosoft.com, pablo1@kettysuits22.onmicrosoft.com, pablo6@kettysuits22.onmicrosoft.com, pablo10@kettysuits22.onmicrosoft.com, pablo5@kettysuits22.onmicrosoft.com, pablo8@kettysuits22.onmicrosoft.com, pablo2@kettysuits22.onmicrosoft.com, pablo3@kettysuits22.onmicrosoft.com, pablo4@kettysuits22.onmicrosoft.com

Pablo is of course the Spanish form of the name Paul so this might suggest that the scam originated in a Spanish speaking country.

Recipients are given a Reply to: email address: Order Confirmation updatesteams@yopmail.com. Yopmail describes itself as "Disposable Email Address - Temporary and anonymous inbox". This will have been added into the distribution list as the Reply to address (as if anyone replied to the pablo7@kettysuits22.onmicrosoft.com their response would be sent to each email address on the distribution list which would not be good for the scammers).

One feature of such services is that they can be used without any registration or use of passwords, consequently anyone who knows the e-mail address can view the contents of the inbox. When I visited the inbox, there were over 80 replies, some clearly were abusive emails from recipients who knew that the people contacting them were scammers but the largest proportion were people who saw the emails as genuine and were contacting who they thought were microsoft asking for their subscriptions to be cancelled and their money returned even though no money would have been taken out of their accounts.

The scammers then knew who to contact to "process their refunds" either using the yopmail reply function or using another free email provider (probably Gmail). Such "processing" would involve money being tricked out of the recipients bank accounts.

Two final thoughts about this scam:

Firstly if you had purchased a subscription to Microsoft 365 you would have received an individual name and addressed invoice/order confirmation. There may be hundreds of people "purchasing a software subscription" at the same price but they can't all have the same invoice. They would have to create separate invoices maybe for the same amount but with the different purchaser details and transaction and/or invoice number.

Secondly Microsoft would not use Adobe Sign to create the invoice, note the created invoice viewable either by clicking the link mentioned or viewing the attachment has an identical set of details twice for Microsoft's address. In a genuine invoice one address would show the seller's details and the other the purchaser's details.

I was wary of opening the attachment so I downloaded and converted without opening to a .jpg using zamzar.com to minimise effects of possible malware.

microsoft 365 scam invoice

 

 

Michael Fowler

 

 

Other articles by Michael Fowler:

HMRC Scam Email - Michael Fowler
A very poor scam attempt from scammers pretending to be from HMRC (His Majesty's Revenue and Customs) ie the UK Tax authorities... more >>

Link Request Spam - Michael Fowler
From time to time we receive Link Request Spam (also known as Back Link Requests) where someone contacts us by e-mail or website contact form and asks us, often weaving a complete fairy story, to link to a particular website... more >>

Royal Mail Delivery Scam - Michael Fowler
Now if you are expecting a delivery by Royal Mail you might easily fall victim to this e-mail which has not come from Royal Mail. If you click on the link and make the small requested payment you will have provided all your bank details to the scammers who will come back and empty your account... more >>

Meta Policy Violation Scam - Michael Fowler
Considering the organisation being contacted does not use Meta advertising this is obviously a scam, most probably a phishing attempt to obtain login details such as username and password... more >>