User receiving calendar invites “from Microsoft”: Microsoft Billing <activation.team@team.microsoft.com> (but from a garbage address, on behalf of)
Posted by annatarlg@reddit | sysadmin | 55 comments
User got the calendar invite that looks like it’s from MS, but it’s only on behalf of this odd, but seemingly real MS account. The email that sent it on behalf of MS is one anyone would immediately delete, but you only see that in the email calendar invite, not the calendar appt itself. It’s now the 3rd or 4th this user has gotten.
Anyone seen this? Can’t post pictures so:
Important: Schedule Meeting to Activate Your Microsoft 365 Subscription
Location Microsoft Subscriptions Portal Respond • Microsoft Billing activation.team@team.microsoft.com Wednesday, May 14, 2025 5:00 AM-5:00 AM
Alarmed_Contract4418@reddit
We've just had a client report getting calendar invites from "support @ administrator.microsoft.com". No way that's legit.
----Questions----@reddit
Anyone find an actionable resolution to this? One of my clients got hit with these spammy calendar invites today too and I can't seem to find any specific solution other than blocking the email / domain of the spam senders.
annatarlg@reddit (OP)
Nope, nothing I've seen. It's definitely spoofed, the "name" is an MS email, but the email address you see in trace, etc, is junk.
Zydeco22@reddit
Nothing has worked - I've added the sender(s) to my junk mail and blocked them, but they just use different emails the next time. I've declined the invites without responding, but the calendar invites just pop right back up! My only option is to block ALL exchange notifications from my calendar, which is not really feasible. HELP!!!
Alive_Regret_8137@reddit
Is there a way I can remove the calendar events from my users? They delete them but the event just appears again.
pewpewlife34@reddit
Did you ever find out a solution to this? Still happening for our users as well. Events keep appearing after being deleted.
Proof-Variation7005@reddit
decline without sending a response
Zydeco22@reddit
did this, but the invite just pops right back up.
Alive_Regret_8137@reddit
Unfortunately no.
Proof-Variation7005@reddit
decline without sending a response
jerrytown9@reddit
This worked for me. Tick the box next to the email in Outlook. Click "Report phishing."
This moved the email to the "Deleted Items" directory and removed the invite from my calendar. I'm just hoping this did not inform the scammer that I interacted with their email.
s18roc@reddit
Yes. Resolved it. Search your emails for the sender. Then block them and mark as junk and it will disappear
UninvestedCuriosity@reddit
I had to switch to dkim strict to stop from manipulation like that.
annatarlg@reddit (OP)
ours already was
v=DMARC1; p=reject;
UninvestedCuriosity@reddit
I'm not entirely clear if this will help further as it's all about the FROM in the case I was trying to solve that felt similar to this.
adkim=s;
Defines the strictness in alignment to dkim where the default is usually relaxed. I'm not even entirely clear if it will help in this situation or preaching but it might help.
It's also pretty disruptive if you're not already authenticating things like notifications to a real account. So ya know, careful in production if you do decide to try it.
reject defines the action to take on emails that fail DMARC authentication but if the dmarc is relaxed, it may not be failing.
adkim=s; Defines the strictness of alignment for DKIM checks and relates more to the FROM address. I think!?
Federal-ITWarrior77@reddit
Not sure how defining your own domain's DKIM "strictness" on emails that get sent from your domain will help with blocking rogue calendar invites that DON'T come from your domain. Besides having users "report as phishing", and disable "automatically process calendar invites", it's sad that there is no solution still and it's still happening...
UninvestedCuriosity@reddit
Yeah, I sympathise, I think sometimes hardening some aspects sort of infers other things on the backends of some of these systems. The black box things that may or may not exist but on its face you're right it's not targeting the right thing.
I guess additional 3rd party gated greylisting would be an ugly next step that uses procured lists. It's just not like a necessarily cheap or easy approach either. You set it up yourself and then you're maintaining another thing. You cloud it out and then you're paying another thing and EVEN that might not work in this situation.
annatarlg@reddit (OP)
Yeah the “it’s really for sending” part has been why I wasn’t sure why it mattered as much as some of the comments made it out to be. But I haven’t looked closely at the other syntax controls on it. I’ll check that one out.
Emergency_Surprise_3@reddit
One of our customers received the Microsoft payment failure too. Item was in the calendar but the organizer was mas-92138@billing.onmicrosoft.com
I checked the mail item for footers but none listed. Problem is the customer got caught, they were asked to re-enter their credit card details for the payment to succeed.
Just-Carpenter-6785@reddit
Same here, I immediately thought it was a scam despite the Microsoft domain.
Microsoft states that the account team only communicates from the domain "accoutprotection.microsoft.com" and not "account.microsoft.com".
Can I trust email from the Microsoft account team? - Microsoft Support
I added the domain to a blocklist via a policy.
s18roc@reddit
Please post if you get a solution
annatarlg@reddit (OP)
I don’t think I have one. From what I can tell our records are fine.
I guess I could change our business standard threat stuff to be a little more hardened. We’re not yet paying for business premium that has additional options.
secpfgjv40@reddit
Seen these but only with the actual sender being from a very obvious third party phishing domain, not actually Microsoft.
annatarlg@reddit (OP)
Ours said that, but was "on behalf of" what seemed real.
spezisbastardman@reddit
I've been seeing these as well now, though not from as legitimate domains as you've been seeing. Ours will be some really obvious domain on behalf of email.msonmicrosoft.com and omnimicrosoft.com so far
Strange_Instance7912@reddit
Our entire organization received this over the weekend. Although the invite was directed to the junk folder, it still appears in everyone's calendar.
valacious@reddit
yeah i wanna know how it can add itself to the calendar with absolutely no end user touching it.
thortgot@reddit
Can you post sanitized headers?
annatarlg@reddit (OP)
I wish, I pulled it from recover deleted items and it's empty.
But our AV keeps disliking me opening it because of the attachment, so maybe it's messing with that.
rootkode@reddit
I wonder if SPF/DKIM records aren’t set up properly (either your end or Microsoft’s side (but I'm leaning on your end for not verifying that only Microsoft.com can send microsoft.com domain emails))
annatarlg@reddit (OP)
not sure it matters:
made it:
v=DMARC1; p=reject; sp=reject;
was:
v=DMARC1; p=reject;
annatarlg@reddit (OP)
It's on p=reject, though sp= is not in there, so that might be it.
timmerdanny@reddit
We received it this morning as well. The headers show that the message originated from ssl.aceh4dlast.boats (SPF-pass). The message was sent on behalf of Microsoft Billing. The reply address points to renewal-crew@hotmail.com
Acceptable_Mess_465@reddit
I've received several of these as well (same sender and reply address as above). I think that BECAUSE it's an invite Microsoft lets them get past the normal SPF / DKIM checks. The messages are using 'ARC' (Authenticated Received Chain) or maybe Microsoft is applying their own ARC seal to ensure the invites aren't blocked. - Look for arc=pass / oda=1 / compauth=pass reason=130 in headers. MS Article here has pretty pictures showing how ARC was designed to let 'legit' emails bypass SPF / DKIM > https://learn.microsoft.com/en-us/defender-office-365/email-authentication-arc-configure
Note: Adding the 'aceh4dlast.boats' domain to the tenant blocked domain list hasn't stopped them.
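A header triage sketch for the pattern discussed in the comments above (a From that differs from Sender, SPF passing for the sending host, and the `arc=` / `compauth=` / `reason=` verdicts). This is an added example, not part of any commenter's post; the sample message is constructed, the `email00000` host label is a placeholder, and the flag names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: values modelled on what commenters in this thread describe,
# not copied from a real message. "email00000" is a placeholder host label.
SAMPLE = """\
From: Microsoft Billing <activation.team@team.microsoft.com>
Sender: subscription.0000@email00000.ssl.aceh4dlast.boats
Reply-To: renewal-crew@hotmail.com
Authentication-Results: spf=pass smtp.mailfrom=email00000.ssl.aceh4dlast.boats; arc=pass; compauth=pass reason=130
Content-Type: text/calendar; method=REQUEST
Subject: Important: Schedule Meeting to Activate Your Microsoft 365 Subscription

BEGIN:VCALENDAR
END:VCALENDAR
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Sender/Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Collect key=value verdicts from (ARC-)Authentication-Results headers."""
    found = {}
    for name, value in msg.items():
        if name.lower().endswith("authentication-results"):
            for key, val in re.findall(r"\b([a-z.]+)=([^\s;()]+)", value, re.I):
                found.setdefault(key.lower(), val)  # keep the first verdict seen
    return found

def triage(raw):
    msg = message_from_string(raw)
    auth = auth_results(msg)
    from_dom = domain_of(msg["From"])
    sender_dom = domain_of(msg["Sender"])
    reply_dom = domain_of(msg["Reply-To"])
    spf_dom = auth.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    flags = []  # hypothetical flag names, chosen for this example
    if sender_dom and sender_dom != from_dom:
        flags.append("sent-on-behalf-of")      # what mail clients show as "on behalf of"
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    if auth.get("spf") == "pass" and spf_dom and spf_dom != from_dom:
        flags.append("spf-pass-for-other-domain")  # SPF vouches for the envelope, not From
    if msg.get_content_type() == "text/calendar":
        flags.append("calendar-invite")
    return {"from_domain": from_dom, "sender_domain": sender_dom, "auth": auth, "flags": flags}
```
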
annatarlg@reddit (OP)
I can't seem to see the header anymore either. Our scanners might have started eating it because of the attachment.
ReverendAgnostic@reddit
Same. I've seen this exact thing in multiple tenants.
malikto44@reddit
Wonder if someone with access to that address got compromised.
annatarlg@reddit (OP)
I feel like it must be. Which is more likely, a spoofed MS address or a compromised MS address?
green_cars@reddit
can you check if the domain is actually microsoft? there was a thing a while ago where they replaced a regular latin “a” with a cyrillic “а” and they look exactly the same, but resolve differently. not sure which letter would be the culprit in microsoft but could be worth checking.
(if you’re wondering how to check but dunno how, there’s websites that convert unicode to their codes where you copy paste in the email and then also type it in by hand and see if any of the letter codes are different)
_anshar_@reddit
it’s called punycode, you just need to check the certificate to spot it, certificates can be issued only to domains with latin letters so punycode domains get translated to a string such as xn--80……….
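The look-alike check described in the two comments above can be done locally instead of through a website. This is an added example, not part of either comment; the look-alike string is constructed (a Cyrillic "о" swapped into the name) and the function names are hypothetical.

```python
import unicodedata

def inspect_domain(domain):
    """List non-ASCII characters in a domain and give its ASCII (xn--) form."""
    non_ascii = [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(domain) if ord(ch) > 127
    ]
    try:
        # Python's built-in codec implements IDNA 2003 label encoding.
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None  # not encodable as a hostname at all
    return {"is_ascii": not non_ascii, "non_ascii": non_ascii, "ascii_form": ascii_form}

def diff_codepoints(typed, pasted):
    """Positions where a hand-typed name and a pasted one differ by code point."""
    diffs = [
        (i, f"U+{ord(a):04X}", f"U+{ord(b):04X}")
        for i, (a, b) in enumerate(zip(typed, pasted)) if a != b
    ]
    if len(typed) != len(pasted):
        diffs.append(("length", len(typed), len(pasted)))
    return diffs

# Constructed look-alike: position 6 is CYRILLIC SMALL LETTER O, not Latin "o".
TYPED = "microsoft.com"
PASTED = "micros\u043eft.com"

if __name__ == "__main__":
    print(inspect_domain(PASTED))
    print(diff_codepoints(TYPED, PASTED))
```
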
annatarlg@reddit (OP)
It won't let me see the email address anymore. It also has an html attachment that I don't want to interact with the email/appt too much.
PaulTendrils@reddit
A customer advised today they've started receiving these, for the last 3 days (Sun-Tue 18-20/05/2025). So far, I've identified 3 domains and added a rule to delete any emails where the sender address includes them, but it'll be a game of cat & mouse, of course.
All of the sender domains are in the format of
emailXXXXX.ssl.aceh*.arts/boats/shop Where XXXX appears randomly generated.
The domains I've identified are:
aceh4dlast.boats
acehbola.shop
acehsportlive.art
ttownerZL1@reddit
Did you add these domains in the "Tenant Allow/Block Lists"? Or when you say created a rule, where did you do this?
PaulTendrils@reddit
In Exchange - Mail Flow - Rules. I'm not convinced domain block lists are particularly effective.
https://imgur.com/a/JIAkIgc
There haven't been any executions on that rule, though, so it appears the gate is closed after the horse has bolted.
gstechs@reddit
I received a calendar invite today too. Here’s who sent it.
Microsoft Billing Portal subscription.424116485711@emailGE 040.ssl.aceh4dlast.boats On behalf of Microsoft Billing Portal
And there’s a screenshot of the calendar invite.
Since it was sent as a calendar entry, it auto deleted the emailed invite, so it’s harder to tell it didn’t actually come from MS.
mageta621@reddit
Had something similar come into our office nominally regarding Microsoft 365 billing. Seemed illegitimate to me and our 3rd party tech company said they handle renewing our 365 license subscriptions so this was almost certainly fake.
Our emails were coming from yaddayadda*@billing.microsoft.com
*not the real thing but I already deleted it and this portion probably doesn't matter
jaskij@reddit
OTOH, just this weekend I got a legit email "Microsoft on behalf of". Was making an account on a website, and they sent the activation code via email that was sent like this.
If someone's managing electrical engineering, it was from NXP.com
Murky-Prof@reddit
Switch from teams to slack
charleswj@reddit
But OP wants a solution to the problem
tcsnxs@reddit
Yeah, that's some odd manipulation. DKIM maybe?
Hefty-Room-297@reddit
Check your SPF records/rules. My dumbass Exchange admin was allowing SPF fails to hit our domain. Since fixing this, haven't seen a single one.
annatarlg@reddit (OP)
Definitely been on -all
Ell1otA1derson@reddit
What about the behaviour of email sending domains?
redwiresystems@reddit
Something similar was happening from random tenancies from invites@microsoft.com as a send on behalf which were inviting users to install enterprise apps that didn’t need admin rights and were just an app that linked them to a phishing site, it got mentioned here and I personally saw independent examples over hundreds of tenants.
That invite system is legit which makes it hard to block based on anything other than content - I would guess this is an iteration on that method with the attackers just using whatever legit microsoft system they can customise emails from until they harden it.
ScHwAnG_ScHwInG@reddit
We started seeing these a few weeks back, was getting at least one a day into mailboxes at our MSP tenant.
A few customers have seen them also. New spam technique?