Is 'account-security-noreply@accountprotection.microsoft.com' a legitimate sender of security alerts?

Question

I have been getting emails from "account-security-noreply@accountprotection.microsoft.com" (as verified in metadata) about unusual activity. The internet has very conflicting information about if these emails are legitimate or not. Microsoft's own website says this is their legitimate sender address for account activity alerts.

A legitimate email message should originate from the Microsoft account team at account-security-noreply@accountprotection.microsoft.com.

But here, the Georgia College help desk lists this exact email, from that exact sender address, as a phishing attempt.

Many people at GC are receiving one of the more popular phishing scam emails. It appears to be from Microsoft, a “Security Alert” wanting you to revalidate your account. Know that this is not from Microsoft. It’s a very elaborate phish. Do not click on any link in this email. Please delete it. If you did click on the email, please reset you Unify password (and subsequent email password) at password.gcsu.edu.

­­­­­­­­­­­­­­­­­­­­­­­­From: Microsoft account team account-security-noreply@accountprotection.microsoft.com

Sent: Monday, April 3, 2017 3:36 AM

Subject: Microsoft account security alert

Other places online have similarly conflicting info. Some places list these emails as scams, but the example screenshot has a different sender address that is missing the "microsoft.com" from the domain, which looks more fake.

So which is it? Are those emails from exactly "account-security-noreply@accountprotection.microsoft.com" fake, or not?

Answer 1

You can not trust that a sender address is correct. They are trivially easy to fake.

The SMTP (email) protocol allows the creator of an email to state any sender address they want. There is no validation that the sender actually controls that address. And even if the receiving mailserver does some form of sender validation, like checking if the IP address of the sender matches the domain they claim to be from, there are also some quirks in the UI of many email readers which can be exploited to display a (fake) email address as the name of the sender.

When you receive some email which claims that you need to do something on some account on some website, and this appears to be plausible (you actually have an account on that site), then take a good look at the URL the link leads to. The domain name says who controls that link. The domain name is the thing which comes before the first slash.

These URLs all lead to Microsoft:

https://microsoft.com/account        
https://account.microsoft.com/account           
https://account.microsoft.com/account?someTrackingId=689392356034706528902345 

The following URLs are examples which do not lead to Microsoft. They all lead to a domains which might be controlled by someone else:

https://microsoft.com.example.com/account  
https://example.com/microsoft.com/account               
https://example.com/?https://account.microsoft.com/account 
https://example.com/#https://account.microsoft.com/account 
https://totallylegitaccountportaljusttrustme-microsoft.com/account
https://microsoft.com:microsoft.com@example.com

The last one is an example of a rarely used URL format which includes an username and a password (which are in this case both microsoft.com). The actual URL being requested is after the @ symbol.

If you decided that the link is probably fine, you click on it and get lead to a login form which looks trustworthy at first glance and did apparently not yet install any malware using drive-by download, then you should also check if the site is loaded over HTTPS (any reputable site will use https-only on their login form) and check if the certificate is actually signed for the company the site claims to be.

Some guides for detecting phishing attempts say that you should look for signs like broken images or non-functional links. I consider this bad advise, because it is based on the prejudice that all phishers are shoddy webmasters. The scene got a lot more professional in the past years. You should focus your attention on those things they can not fake with sufficient effort.

Answer 2

The sender on the email should not be used to determine if an email is legitimate, only can be used to determine when the email is not. An email claiming to be from Paypal and coming from a gmail.com address is obviously fake. An email claiming to come from Microsoft sent from a microsoft.com address could or could not be real.

How to tell the difference? The body of the email.

If the email contains links that point to any service not linked to Microsoft, or shortened links, or links with IP addresses, the email is a phishing attempt.

If the email contains writing errors, usually it is false. If the email is about any service you don't have signed for, it's fake too.

Usually, legitimate emails that contains links will have something on the lines of "copy this link and paste into your browser". If the email contains this line and the link text points to a Microsoft service and the underlined link points exactly to the same address, usually the email is real.

If the email is telling you about something wrong on your account, log in on your account and check, without clicking in the link on the email. Type the address by hand. If there's something wrong, you will see on the site.