So this is more of a PSA than a discussion because as an IT person I went down this scam rabbit hole a few feet before realizing it was a scam. So I figured I’d post here and on Reddit as a public service.

So I received an email this morning (see picture) about a Copilot purchase for $360.00, and it just so happens we have been blocking AI recently until we have an AI policy in place. So seeing this made me go “huh? No one should have access to purchase on the tenant (except me).”

I jump onto my tenant’s admin.microsoft.com portal and click every clickable item but cannot find any reference to the order in the email.

So I go back to the email and dial the 888 number. The (now I know scammer) person answers the phone and asks my name, and then as I begin to explain the charge the person asks for the last 6 of the order ID (ID redacted for my own reasons). He then asks me to open a browser (OK, I’m thinking he is going to lead me through admin.microsoft.com to find the charge) and go to mrhelp.top. I ask him to repeat the website again and he spells it out: M R H E L P . T O P. At this point I hang up. SCAM alert goes off in my brain.

So after looking at the scam email a lot closer I now see the TO address is microsoft-reply@billsm365.onmicrosoft.com, so the scammer created an MS tenant (billsm365) in order to legitimize the scam.

Two lessons learned right away: look closer, even after feeling like you looked close enough, if you have a questionable email. Also, Microsoft would never send using an onmicrosoft.com domain; I should have spotted that first.

Well played, scammer. I only wish Jason Statham’s character in The Beekeeper movie were real and could add you to the list.

3 Spice ups

I saw this before I read your post.

But you may not have looked close enough, as that’s not the sender, it’s the TO address.

Thanks for the heads-up though, it validates we’re all human and that scammers are trying to get around us by using sites we likely do use, legitimately.

3 Spice ups

You can be the beekeeper, and SW can be your hive. Protect us!

3 Spice ups

Damn… social engineering’s been evolving crazy.
Do you use an Outlook plugin for scams (e.g. Criminal IP) or any email protection?

2 Spice ups

Mimecast is in use, but this was a one-off email so it did not catch it. Though I’ve since created a HOLD rule for any onmicrosoft.com emails.

1 Spice up
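
The hold rule mentioned above, sketched as an added example (not code from any poster in this thread, and not Mimecast's rule syntax): it checks recipient headers as well as sender headers, because in the email described the onmicrosoft.com address sat in the TO field. The sample message, its From address and its phone number are constructed, and `own_tenants` is a hypothetical allow-list parameter.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the email described in the thread.
# The From address, subject and phone number are placeholders, not real values.
SAMPLE = """\
From: Microsoft Billing <billing@example.com>
To: microsoft-reply@billsm365.onmicrosoft.com
Subject: Your Copilot order confirmation
Content-Type: text/plain

Thank you for your purchase of $360.00.
To dispute this charge call 888-555-0100.
"""

# Sender-side AND recipient-side headers: a sender-only rule would miss
# a message whose tenant address appears only in To.
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "Return-Path", "To", "Cc")
TENANT_SUFFIX = ".onmicrosoft.com"


def onmicrosoft_hits(raw, own_tenants=()):
    """Return (header, address) pairs naming a foreign *.onmicrosoft.com tenant."""
    msg = message_from_string(raw)
    allowed = {t.lower() for t in own_tenants}  # hypothetical allow-list
    hits = []
    for header in ADDRESS_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            domain = addr.rpartition("@")[2].lower()
            if domain.endswith(TENANT_SUFFIX) and domain not in allowed:
                hits.append((header, addr))
    return hits


def verdict(raw, own_tenants=()):
    """'hold' if any address header names a foreign tenant, else 'deliver'."""
    return "hold" if onmicrosoft_hits(raw, own_tenants) else "deliver"


if __name__ == "__main__":
    for header, addr in onmicrosoft_hits(SAMPLE):
        print(f"{header}: {addr}")
    print(verdict(SAMPLE))
```

Passing your own tenant's default domain in `own_tenants` keeps legitimate internal mail out of the hold queue.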