The email looked exactly like every other Microsoft account verification message: blue header bar, one-time code in bold, Privacy and Legal links in the footer, Microsoft logo in the corner. SPF passed. DKIM passed. DMARC passed under a p=reject policy. Composite authentication scored a perfect 100.
But tucked into the closing block, right after "Sincerely," sat a line that had no business in a Microsoft notification: "You have 1 new private message open now funnow.xyz verify access account email verification code."
That single injected line turned a legitimate Microsoft transactional email into a phishing delivery vehicle, and every authentication check gave it a green light.
This was not a spoofed email. Microsoft's own infrastructure generated and delivered it. The attacker registered a throwaway tenant account (@EiffelLogic[.]onmicrosoft[.]com) and stuffed phishing lure text into one of the account profile fields that Microsoft echoes into verification templates. When the verification flow triggered, Microsoft's notification system rendered the attacker-controlled text directly into the email body.
The result: a pixel-perfect Microsoft verification email, delivered from msonlineservicesteam@microsoftonline[.]com through substrate[.]office[.]com and Microsoft's protection infrastructure, with the phishing lure baked into the template output. Every visual element, from the blue header to the SafeLinks-wrapped footer URLs, was genuine. The only anomaly was the injected text block referencing funnow[.]xyz.
This technique mirrors stored injection patterns familiar from web application security. The attacker does not need to compromise Microsoft. They only need to find a profile field that gets reflected into an outbound notification without sanitization.
The authentication results tell the story of a delivery pipeline that worked exactly as designed, for the wrong reasons.
pass for client IP 2a01:111:f403:c107::1, designated by microsoftonline[.]compass with d=microsoftonline[.]compass with p=reject, header.from=microsoftonline[.]com100 (perfect composite score)The message also carried ARC seals, but the chain showed cv=fail at i=2. This failure indicates intermediate modification during transit, likely SafeLinks URL rewriting by Outlook protection gateways. The ARC break is a side effect of legitimate security processing, not attacker tampering, and it did not degrade the underlying SPF/DKIM/DMARC results.
For any gateway relying on sender reputation and email authentication protocols to make delivery decisions, this email was indistinguishable from a real Microsoft notification. Because it was one.
The injected text directed recipients toward funnow[.]xyz, a newly registered, low-reputation domain with no established trust signals. WHOIS data showed GoDaddy registration, privacy-shielded ownership, unsigned DNSSEC, and a single-year registration window. Every indicator pointed to a disposable domain stood up for this campaign.
Critically, funnow[.]xyz was not embedded as a clickable link. It appeared as plain text in the email body, which means URL scanning, SafeLinks rewriting, and post-delivery link analysis had nothing to intercept. The attacker relied on the recipient manually navigating to the domain, a social engineering technique that sidesteps every automated link inspection control in the delivery pipeline.
The legitimate links in the email, Microsoft privacy statements and service agreements wrapped in SafeLinks, all resolved to real Microsoft pages. Scanning metadata confirmed them as clean. This created a trust gradient: the email contained only verified Microsoft URLs and a single suspicious domain reference buried in the signature block.
See Your Risk: Calculate how many threats your SEG is missing
Automated analysis assigned this email a 50% phishing confidence score. That is a hedge, not a verdict. The authentication signals were too clean, and the email structure too close to a legitimate Microsoft template, for behavioral models to render a high-confidence classification.
What tipped the balance was community threat intelligence. Security professionals across the IRONSCALES network flagged the pattern: legitimate Microsoft delivery infrastructure carrying injected content referencing an unrelated external domain. The community classified it as a vendor email compromise (VEC) variant, recognizing the technique for what it was, even though the technical indicators alone did not cross automated thresholds. That classification propagated across the network, protecting other organizations before the email could reach additional mailboxes.
This case illustrates a structural limitation of authentication-dependent detection. SPF, DKIM, and DMARC answer one question: "Did this domain's infrastructure send this message?" They do not answer: "Should this message exist?" When attackers co-opt the infrastructure itself, authentication becomes an ally rather than a barrier. The 2024 Microsoft Digital Defense Report documents the growing volume of attacks leveraging trusted cloud infrastructure, and this case is a textbook example.
Treat authentication as necessary but not sufficient. A perfect DMARC score from microsoftonline.com does not mean the content is safe. Detection models need to evaluate body content against sender template norms, not just header authenticity. The Verizon 2024 DBIR found that 68% of breaches involved a human element. Infrastructure abuse attacks target that element by wrapping social engineering in authenticated packaging.
Monitor for injection patterns in platform notifications. Verification emails, password resets, and account alerts from SaaS platforms are high-trust message types. Attackers increasingly abuse profile fields that reflect into these templates. Build detection logic around content anomalies within known notification formats, specifically text that references external domains not associated with the sending platform.
Prioritize community and behavioral signals over reputation scores. This email arrived from Microsoft's own IP space with a perfect composite authentication score. Reputation-based filtering had no basis to intervene. The detection signal came from behavioral analysis (first-time sender pattern, content-subject mismatch) and community intelligence (other organizations reporting the same injection technique). Organizations relying solely on gateway-level filtering would have delivered this to the inbox without question.
Audit ARC chain handling. The cv=fail at i=2 in this case was benign, caused by SafeLinks rewriting. But ARC failures in other contexts can indicate message tampering. Security teams should understand how their mail flow gateways handle ARC validation failures, according to CISA phishing guidance, and ensure that broken ARC chains trigger review rather than silent delivery.
Block or flag newly registered domains referenced in email bodies. Even when a domain is not a clickable link, its presence in a transactional notification is anomalous. Content inspection rules that flag references to domains registered within the last 30 days, with .xyz, .top, or other high-abuse TLDs, would have caught this lure text. The FBI IC3 2024 Internet Crime Report documented $2.9 billion in BEC losses, many initiated through exactly this kind of infrastructure abuse.
| Type | Indicator | Context |
|---|---|---|
| Domain | funnow[.]xyz | Injected lure domain, newly registered, GoDaddy, privacy-shielded |
msonlineservicesteam@microsoftonline[.]com | Legitimate Microsoft sender (abused) | |
@EiffelLogic[.]onmicrosoft[.]com | Attacker-controlled throwaway tenant | |
| IP | 2a01:0111:f403:c107::0001 | Microsoft sending infrastructure (legitimate) |
| Auth | SPF pass, DKIM pass, DMARC pass (p=reject), CompAuth=100 | Full authentication pass |
| ARC | cv=fail at i=2 | Intermediate gateway modification (SafeLinks rewriting) |
MITRE ATT&CK: Phishing: Spearphishing via Service (T1566.003) | Establish Accounts: Email Accounts (T1585.002)