Microsoft Email To Windows Users Includes A ‘Nasty Surprise’

Delete this email immediately.
Microsoft Windows users are being urged to watch out for “a genuine Microsoft email with a nasty surprise inside,” as a new wave of attacks is launched at PC owners. This type of attack has already hit Google’s Gmail users and is now expanding. If you see one of these emails, you must delete it immediately.
The warning comes courtesy of the research team at Kaspersky, which has discovered “a hybrid email-and-phone scam in which attackers send emails from a genuine Microsoft email address.” This works by hijacking genuine Microsoft purchase notifications, inserting custom text, and then forwarding to potential victims at scale.
If you receive the email, which will come from “[email protected],” it will thank you for a recent purchase that you will not recognize. It’s likely to target you at work, panicking you that there’s a large, unauthorized expense you need to handle.
“One more time, just so we’re clear,” Kaspersky says, “this is an honest-to-goodness email from Microsoft. The contents match a typical purchase confirmation. In the screenshot below, the company thanks the recipient for buying 55 Microsoft 365 Apps for Business subscriptions worth a total of $587.95.”
Microsoft email includes a ‘nasty surprise’
The attackers replace the usual billing information within the original Microsoft email with their own phone number that a recipient can call for assistance — just what you will likely do when hit with a huge, unexpected bill. There is no email alternative; as Kaspersky puts it, “the victim is left with little choice but to call the phone number provided.”
If you do call the number, you’re likely to be asked to install some software to investigate and then resolve the issue. That download will be malware and will lead to all kinds of much more serious problems than a surprise $600 bill. According to user reports, the call handler may also ask you to log into your online bank to facilitate a refund. This simply hands account details and credentials to the attacker.
Kaspersky says the method deployed by the attackers to hijack a Microsoft email address “is still something of a mystery,” but could be “stolen credentials or trial versions to access Microsoft 365. By using BCC or simply entering the victim’s email address when purchasing a subscription, they can send [the] messages… Whichever is true, the attackers’ goal is to replace the billing information — the only part of the Microsoft notification they can alter — with their own phone number.”
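The defensive takeaway from the mechanism above is that sender authenticity proves nothing here: the only attacker-controlled part is the billing text. The following mail-triage heuristic is an added example, not code from the article or from Kaspersky; the sender domain, the “Billing information:” label, the phone-number pattern and both sample messages are constructed assumptions.

```python
"""Triage a purchase notification by inspecting only the attacker-alterable billing block."""
import re
from email import message_from_string

# Assumed formats: North-American style phone numbers and a call-to-action verb.
PHONE_RE = re.compile(r"(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")
CALL_RE = re.compile(r"\b(call|phone|dial)\b", re.I)

# Constructed lure: headers pass authentication, body mirrors a real confirmation,
# billing block carries a fake phone number and a prompt to call it.
LURE = """\
From: Microsoft <microsoft-noreply@example.com>
Subject: Thank you for your purchase
Authentication-Results: spf=pass; dkim=pass

Thank you for buying 55 Microsoft 365 Apps for business subscriptions.
Total: $587.95

Billing information:
For any questions regarding this charge, call +1 (555) 010-0199 immediately.
"""

# Constructed benign confirmation: same shape, billing block has no phone or call prompt.
BENIGN = """\
From: Microsoft <microsoft-noreply@example.com>
Subject: Thank you for your purchase
Authentication-Results: spf=pass; dkim=pass

Thank you for buying 1 Microsoft 365 Apps for business subscription.
Total: $12.50

Billing information:
Payment method: card ending 1234. Manage your order in your account portal.
"""

def triage(raw: str) -> dict:
    """Return findings for one plain-text message (multipart bodies not handled here)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    auth = msg.get("Authentication-Results") or ""
    # Everything after the billing label is the free text an attacker can change.
    m = re.search(r"Billing information:(.*)", body, re.S | re.I)
    billing = m.group(1) if m else ""
    phones = PHONE_RE.findall(billing)
    call_prompt = bool(CALL_RE.search(billing))
    return {
        "auth_pass": "dkim=pass" in auth,          # true for the lure as well: not a safety signal
        "phones": phones,
        "call_prompt": call_prompt,
        "suspicious": bool(phones) or call_prompt,  # phone number in billing text is the tell
    }
```

A passing result for `auth_pass` alongside `suspicious` is exactly the case the article describes, so a mail rule should route on the billing-block findings, not on the authentication headers.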
This almost exactly replicates the well-publicized fake Google emails doing the rounds from Google’s own “no-reply” email address. Google’s advice was that it would never reach out about an account issue. This is smarter: a purchase email from a genuine address. But it’s the same pattern — tricking users into calling scammers. Most such scams are tech support lures, which Guardio warns have already surged 137% in 2025.
However, just as with Google, don’t call the number provided; use standard, publicly available channels instead if you want to contact the company. If you don’t recognize the transaction and there is no record of it in your account, then delete the email right away.