• Blocking two of Microsoft's domains because spammers keep using them

    From Randolf Richardson to All on Mon May 26 09:27:15 2025
    I'm finding increasingly that spammers are using two of Microsoft's
    internet domain names to host fraudulent screenshots of web sites
    that users often trust to log in to webmail, which is then later
    followed up by failed attempts from other systems (sometimes, and
    after what I assume are random waiting periods) to log in to our
    mail servers using wrong passwords I specifically fed to it.

    The two hostnames, in particular, are:

    1. *.safelink.emails.azure.net
    2. *.powerappsportals.com

    The first name is used for redirection to the second one (the
    asterisk indicates a unique string of characters), and both
    always have CGI parameters as well, which include more unique
    strings of characters in some of the CGI parameter values.

    The second name hosts the actual screenshot of the home page of
    the system that the spammer is attempting to trick users into
    logging in to, with no functional links except for the pop-up
    dialogue that prompts the user for their eMail address (which is
    pre-filled) and their password.

    I am setting up policies on all of our mail systems to reject
    all eMails that contain either of the above patterns so as to
    protect our users and to protect our intellectual property (we
    did not grant permission to powerapps.com to use our web site
    design or company name-and-logo). Contacting Microsoft about
    this matter has been fruitless as they do not bother to answer
    their phones.

    Some of our users have reported receiving hundreds of those
    links over the course of weeks, so we consider this to be a
    high-volume hacking operation. If you have received those
    types of messages on your systems, you may want to investigate
    taking appropriate action to report and/or reject that spam.

    --
    Randolf Richardson 張文道, CNA - [email protected]
    Inter-Corporate Computer & Network Services, Inc.
    Beautiful British Columbia, Canada
    https://www.inter-corporate.com/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
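
One way to implement the rejection policy described in the post, shown as an added example that is not the poster's own configuration: it decodes each text part of a message and matches link hostnames against the two patterns on a label boundary, so look-alike names and path text do not trigger it. The function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# The two hostname patterns from the post; "*." means a subdomain is required.
BLOCKED_SUFFIXES = ("safelink.emails.azure.net", "powerappsportals.com")
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)

# Constructed sample message (quoted-printable HTML body, made-up labels).
SAMPLE = (
    "From: sender@example.com\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    '<a href=3D"https://abc123.safelink.emails.azure.net/r?u=3Dxyz">Sign in</a>\n'
    '<a href=3D"https://www.example.org/notpowerappsportals.com">ok</a>\n'
)


def host_is_blocked(host):
    """True if host is a subdomain of a blocked suffix (label-boundary match)."""
    host = (host or "").rstrip(".").lower()
    return any(host.endswith("." + s) for s in BLOCKED_SUFFIXES)


def blocked_urls(raw_message):
    """Return URLs found in text/* parts whose host matches a blocked pattern."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            body = part.get_content()  # undoes base64 / quoted-printable
        except (LookupError, UnicodeError):
            continue  # unknown or broken charset: skip this part
        for url in URL_RE.findall(body):
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed authority, e.g. bad IPv6 literal
                continue
            if host_is_blocked(host):
                hits.append(url)
    return hits
```

A mail filter hook would reject or quarantine the message when `blocked_urls()` returns a non-empty list, and the returned URLs can be logged for reporting.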