[weinzierl]

Who even can be sure microsoftonline.com is legit. Microsoft's domain story is such a mess, I wouldn't be surprised if not even internally they have one complete list of all the domain assets they own.

But they are not alone. It is kind of ironic when companies insist that we check the domain to spot spam but are unable publish a list with all domains they officially use to send mail.

[Abishek_Muthian]

Tangent: I used to receive at least a dozen bank scam calls per day in India, especially during insurance renewal. I wanted the banks to publish official phone numbers and mandate their employees to use only official numbers.

Recently the regulatory bodies did just that and so the banks should only use 1600 numbers to contact their customers. My bank scam calls have dropped to 0.

[nolok]

In France, basically every bank say (show in their app and everything) "if we call you and ask anything like code, confirmation, to do an action, anything, end the call and call us back, don't do anything on a call you didn't initiate".

Same in their app eg you try to do a sepa wire to a new recipient and you get a warning "are you on the phone with someone ? did someone ask you to do that ? please call your bank by pressing this button. By the way we will never call you to ask an auth code or to do a wire"

[mcintyre1994]

A few UK banks detect that you're on a phone call and show a message like "we've never called you" or "we are not calling you right now" in their app, I think that's really smart.

[lelandfe]

The amount of behind the scenes work to get that set up seems impressive.

[spicymaki]

Here is a fun one, my mobile phone company has an account lock along with a pin and OTP over SMS system. In order for me to activate a new device (like an phone upgrade) with eSIM over the phone, I need to unlock my account with account lock, give them the pin over the phone, and read the SMS OTP to the mobile phone rep online. I get doing the account unlock and verbal pin, but I don't get why they ask for the OTP especially when they train us to never share the OTP over the phone. I even asked the rep about it, but he mentioned that you should never share the OTP if you did not initiate the service request. From a security posture point of view I think that stinks. I am not exactly sure how they expect SMS OTP to work in the case where my phone is not functional.

[benhurmarcel]

And then we have the national post office sending its notifications from the scammiest-looking domain they could find: noreply@notif-colissimo-laposte.info

[bayindirh]

In Turkey, if my bank calls me, they also send a push notification telling "We are calling you. The representative's name is $NAME. You can talk safely".

[dawnerd]

Unfortunately in the US, maybe elsewhere, pharmacies and medical offices have trained the elderly it’s okay to verify their dob when they call. Costco does that when they call and it drives me nuts.

[vkou]

US insurers expect you to click on sms links and log in with your username, password, and 2fa all so you can receive a fucking marketing message.

[MichaelZuo]

Why would anyone stick with an insurer that clearly doesn’t give a darn about them?

Just for a discount?

[vkou]

Well, I could go with a different insurer that blatantly and brazenly lies about their network coverage[1], or I could go with one that doesn't, but still doesn't have my doctors in it, or I could go with the other one that people claim consistently denies care and coverage.

Also, if 'Just for a discount' isn't a reason to use them, do you have $3,000 lying around to wire me? If you do, I'll happily switch to a much more expensive insurer that meets my other criteria, and might or might not send me marketing materials disguised as fishing SMS. (I'll let you know if they do.)

---

Insurers aren't banks or ISPs or gas stations. They don't provide a fungible service that is nearly identical from one to the other. You can't 'just switch'. They are both heavily obfuscated, and heavily differentialized, because the healthcare 'market' is obfuscated and heavily balkanized.

And all of them are utter shit, but in different ways, and if you are lucky, you won't discover the ways in which yours is shit.

---

[1] How this isn't a statutory capital crime for anyone with the rank of director and higher, I have no idea. But the fact that the people orchestrating this are permitted in civil society does lead me to believe that maybe we don't live in a just world.

[dawnerd]

Don’t have much of a choice. Gotta love our system.

[hunter2_]

Knowing what numbers are real through an official publication is very good, but it only allows you to place trust in calls you make, not calls you receive, because making calls doesn't involve caller ID, receiving calls does, and caller ID is spoofable.

[4ndrewl]

That's the number one rule though. If someone calls you claiming to be your bank, just say "I'll call you back"

[smcin]

Ask them their name/ last initial, employee ID or unique identifier for the conversation, direct phone number, job title and what location they're based at. Scammers will pretty much always refuse/argue/hang up on this (once I had one start insulting my mother in Hindi when I asked him this). Then call your bank's proper number and verify all of these details.

(But in any case your bank will never call outwards to you, unless you've specifically requested that, which you almost never do.)

[DamonHD]

Unfortunately my UK banks (and others) DO regularly make calls to me unannounced and demand my ID to 'prove who I am'. They are not scam calls and the callers cannot understand what they are doing wrong. If I'd had more strength in the last round of this stupidity I'd have done a number on them with the regulator. (I used to work in finance and was the director of a regulated financial entity, so I think I'd have a head start.)

[smcin]

In the US Caller ID has been so hopelessly compromised (for almost two decades now, that's on Congress) that financial institutions almost never make outbound calls, and only ever use standardized published numbers; I wasn't aware other countries differ so much.

Please tell us more context with regard to your UK banks making multiple unannounced calls demanding your ID ... were you an individual customer? finance director? MD? or what? Why on earth do they do that? Have you told them in writing not to? There must be more backstory to that.

[TeMPOraL]

> They are not scam calls

What are they, then? Sales/marketing calls? Or some security notifications ("we noticed some suspicious operations in the last 3 days...")? If it's the former, that's still scam in my books. Specifically, it's a first-party scam, as opposed to a third-party scam, where some third party pretends to be your bank.

They both should be treated similarly; unfortunately, you can't report first-party scams to police.

[emmelaich]

Same in Australia, I've had genuine calls from a bank asking for my security code for identification purposes.

[cuteboy19]

it is time we have a good industry standard for this stuff

[Cider9986]

Yeah and people call crypto a scam.

It mostly is, but Monero is pretty good.

[zymhan]

That is an unnecessary interrogation, you don't need to verify the initial call at all. Simply call your bank on your own.

[thrownthatway]

I ask them for all of that and their credit card details, mothers maiden name, name of their first pet, first school they went to, and what colour underwear they’re wearing.

I should probably learn how to insult their mother in Hindi too.

[anonzzzies]

Or, which has worked great for me; just never answer the phone. If people need something they will email or chat. If not then it is not going to be important.

[cucumber3732842]

This. If people have a "real" reason to correspond with you they will have no problem making a record of it via a voicemail or text or email or whatever.

[dylan604]

I've had friends that got into a spot of bother and tried calling from an unknown number. If it's a phone you can't text from, then leaving a voice mail with voice transcription is about the only way I'll know it's a friendly call

[jack1142]

Nowadays, when banks call you here, they allow you to verify the bank is actually calling you with the mobile app - you can see their name and number they're calling you from in the app. Also, you can often verify you're you with the app too, same as any other app authorization, so you don't have to share any details over the phone. I feel like this is a pretty good improvement.

[SoftTalker]

That does seem better than blind trust but that app infrastructure could get compromised. I would still be wary in any situation where I did not originate the call with the bank.

[jack1142]

Ye, I only get called by banks when my transaction gets classified as potentially fraudulent (which pretty much just means that it is for a bigger amount of money) or some other even more rare situations like finishing a loan application. Still, I'd rather be double sure that it is the bank that's calling me because I don't want to assume solely based on the convenient timing. If the app infrastructure is compromised, the bank is liable so it feels like less of a problem. If the app does offer authorizing through the app, I shouldn't be asked any personal details that my bank already knows so I (hopefully) would still be wary, if put in such a situation though. Obviously hard to know what I'd actually do unless it actually happens to me.

[Hikikomori]

We have an app called bankid. If my bank calls me they'll ask me to open the app to auth, the app shows that the specific bank initiated auth and also says that they called me.

Same app is used to auth to government pages and all kinds of stuff online, even purchases.

[bdavbdav]

That would take nothing to implement. Services like Truecaller already do live caller ID against databases on iOS / Android. All it would take is a sensible register of verified numbers

[Abishek_Muthian]

Several of the bank scammers had their profile verified as the bank in the Truecaller[1].

[1] https://xcancel.com/Abishek_Muthian/status/18063480222902113...

[l23k4]

Truecaller can tell you about who a phone number belongs to.

Truecaller cannot accurately tell you whether or not the person calling you from a phone number is actually in control of that phone number.

[TeMPOraL]

Won't stop people from trying to make Truecaller, et al. prove that, though.

The problem here is that the correct security posture of the bank against third-party scams also protects the customers from first-party scams. Telling people the bank will never call them for anything, and even if, they're to always hang up and call the number on the back of their card, works equally well against criminals and telemarketers.

[amarant]

Oh man that brings back memories!

"Hello, I'm calling from Blockchain, I would like to talk about your investment portfolio"

it weirded me out they would pretend to be from the underlying technology instead of an exchange or something. I kept thinking I should pretend to be the CEO of TCP/IP or something when they called.

[taskforcegemini]

I was several times called by windows employeesq

[ghoul2]

Recently, banks where also asked to put their official websites/netbanking on *.bank.in domains. I have wanted that for SO long.

[trollied]

My bank has a feature whereby it'll tell you promoinently in their app if they are currently calling you.

[0123456789ABCDE]

is it common for banks to call you?

always though the agreement was: we don't call you, you call us. we'll send letters though.

[ed_elliott_asc]

Isn’t that really easy to spoof?

[qingcharles]

Bluesky is even worse, some of their emails come from "moderation@blueskyweb.xyz".

They have to make posts to assure people it's not a scam, especially as they'll ask you to mail ID etc to that address:

https://bsky.app/profile/safety.bsky.app/post/3ljp6zi7tp227

[chuckadams]

Hard to beat Outlook 2007 which had some "smart tags" feature that all referenced "5iantlavalamp.com", and things started breaking when that domain expired.

[wizzwizz4]

This story is ludicrous… yet, it seems to check out. https://spamassassin.apache.org/full/3.0.x/dist/rules/25_uri... says this is one of the "Top 125 domains whitelisted by SURBL", and there's an answer on the hyphen site about it: https://www.experts-exchange.com/questions/22812691/What-is-.... Can someone with a Bottom-Surgery account tell us the details?

[reddalo]

The Master-Gender-Switch answer doesn't actually answer, it's just an external link that is now broken.

This is the archived version of that link: https://web.archive.org/web/20110204205739/http://www.people...

[RadiozRadioz]

I'm struggling to find information about this and it's extremely interesting.

Would you please explain more?

[chuckadams]

It's hard to remember many details from almost 20 years ago, I just remember coming across it in email spools while writing anti-spam analysis scripts. Only mention I can find nowadays is https://www.experts-exchange.com/questions/22812691/What-is-....

[varun_ch]

I simultaneously don’t believe this and fully believe this is something they would do. Do you have any sources on this?

[chuckadams]

It's amazing how little information has survived: the only reference I can find right away is https://www.experts-exchange.com/questions/22812691/What-is-...

I was working in anti-spam at the time, so I was eyeballing a lot of raw email dumps and writing analysis scripts for "anomalous" urls, so it popped up fairly frequently.

[qingcharles]

The primary problem is we can't search through time via WayBack Machine where a lot of these things have gone. Took me a while the other day to surface the Choco-Banana Shake Hang which Microsoft deleted from their production site.

https://web.archive.org/web/20000608173453/http://support.mi...

[wizzwizz4]

There are a few archives of Microsoft KB articles. I found this article in Beta Archive wiki's, which has a full-text search. https://www.betaarchive.com/wiki/index.php?title=Microsoft_K...

[chuckadams]

Ah I misremembered one thing, nothing broke because it wasn’t even an existing domain when they used it. That was a different Microsoft domain I was thinking of.

[jquery]

At least Bluesky has an excuse of not being a Fortune 50 company. What’s Microsoft’s excuse?

[lostlogin]

‘We built it 30 years ago, it’s sort of compatible with everything and we will never deprecate.’

It’s not a good excuse…

[donkyrf]

Microsoft is the 4th largest company in the world.

There should be a long list of companies whose policies are worse than theirs.

[vitally3643]

That doesn't follow. I would expect the list of companies worst than Microsoft to be about 4 items long

[vasco]

Sending your id to a social media IS a scam.

[hvb2]

By email... Just to add insult to injury

[fragmede]

What definition of the word scam are you using here? What promise of a product that you pay for that isn't being delivered, with uploading your id to a site on the Internet?

[vasco]

I'm not gonna get hoodwinked into highbrow shenanigans. Social media doesn't need IDs to work, demanding it is a scam.

[stavros]

Defining a word isn't "highbrow shenanigans", although I guess it depends on how you define that.

[vasco]

If you think social media needs your ID for any reasonable cause, we're free to disagree on that. My point was clear, bullshit technicalities on the word scam are meaningless when you understand the meaning.

[7bit]

Rhetoric won't save you from the embarrassing situation you created for yourself. You accused something of being a scam without understanding the definition of the word. Now that your claim has been challenged, you're trying to redefine terms and argue around the issue rather than admit you were wrong.

[bshacklett]

From dictionary.cambridge.org: a dishonest plan for making money or getting an advantage, especially one that involves tricking people:

I can easily see a social media company demanding an ID falling under this definition if the accuser believes that the actual use of said ID will be different or more expansive than implied. That is not an unreasonable assumption, IMO.

[crimsonnoodle58]

> Microsoft's domain story is such a mess

You mean like how they moved from a perfectly legible and rememberable domain like office.com to the strange vanity domain m365.cloud.microsoft?

[WarOnPrivacy]

> Who even can be sure microsoftonline.com is legit.

Yeah. I queried the 1st thing that came to mind and internalmicrosoft.com and microsoftinternal.com are available. With that much potential out there, I'd want to keep my official domain group tight.

[aftbit]

Not only that, but they wrap the links in their email with click tracking provided by domains that have nothing to do with them (Mailgun or whatever). So even if you try to introspect the links you're clicking, they seem to go to a scammy domain even if they're legit!

[cess11]

This was a common issue when I consulted with bankruptcy lawyers and had to figure out what domain assets the company had. Commonly the representatives only knew about some of the domains and we found at least a few more.

Same with third party services, sometimes they used one for something for a while and collected customer or user data there and then stopped but kept paying for it, and forgot they had it. We typically found these through analysis of their accounting.

[lostlogin]

Having a service crap out because someone didn’t pay for the domain is almost a trope. It never occurred to me that the reverse might happen - paying for unused domains.

[doubled112]

We pay for a bunch of old domains because nobody in the org can definitively say we never used it and/or don’t use it anymore.

Easier to just keep paying.

[pixl97]

Not only have you stopped using it, but did any of your customers ever allow list it in the past? Great way to attack customers of some large businesses if you ever see it happen.

[cess11]

And if you don't squat some domains phishing could be a bit easier than otherwise.

[warumdarum]

Remember those indian microsoft support centers and that strange correlation of you being called by a indian microsoft scammer the next day after you called there. Not implying causation.. just..

[inetknght]

> unable publish a list with all domains they officially use to send mail

That's because people report them as spam, so they hop domains to avoid that.

[hnlmorg]

For a company with as much weight in the industry as Microsoft, it would be trivial to ensure their domains don’t end up on spam lists. Heck, because of outlook.com, they control have the spam lists themselves.

The real reason for multiple domains is likely more stupid than that. It’s likely because different teams want to move faster than the whole of Microsoft, so register a domain for their MVP to enable them to prototype like a start up. Because going through the usual hoops with enterprise regarding using their established domains will be a long and torturous process. And before long, their new prototype domain becomes so integrated into their product that adopting it as official is just easier than switching to microsoft.com.

I couldn’t say for sure that’s what has happened here. But it’s the story I’ve seen with domain ownership in other enterprises

[hirsin]

Microsoft.com is also owned by the marketing org, not the engineering org, for various reasons that predate the existence of many employees at Microsoft now.

This is why with rare, rare exceptions nothing "real" is on Microsoft.com including even the login page, with one exception (the passkey domain).

The new cloud.microsoft domain for Office will possibly help, but it's still a heck of a long list - https://learn.microsoft.com/en-us/microsoft-365/enterprise/u...

And IIRC this is just for office and windows, not azure.

[saghm]

Okay, so then they should stop doing stuff like trying to push people to log into Windows with Microsoft accounts instead of offline credentials and then using that as an excuse to send out inane marketing emails that no one wants. "We're doing something shitty as a workaround for the consequences of other shitty things we do" isn't a particularly good reason for not acting so shitty.

[T-A]

https://github.com/HotCakeX/MicrosoftDomains

...and microsoftonline.com is not among them (unlike microsoftonline.net and other variants). But it seems to have been registered in 2002, and the record looks legit:

https://whois.domaintools.com/microsoftonline.com

[balakk]

It's definitely a Microsoft owned domain and actively used - for example in Azure Active Directory (Entra).

[e40]

I did not expect 645 entries!! That is insane.

[KomoD]

microsoftonline.com is in that list.

[T-A]

You're right. I wonder how I managed to miss it. For a moment I thought I must have looked at

https://github.com/HotCakeX/MicrosoftDomains/blob/main/Micro...

but that one doesn't contain any microsoftonline.

[HDBaseT]

1drv.ms always catches me out.

[cuteboy19]

but microsoftgenuinerewardsrc.com is! shameful!

[EGreg]

“So Microsoft’s domain story is a total mess?”

“Always has been.”

https://www.techmonitor.ai/technology/microsoft_forget_to_re...

[gwbas1c]

Seems like it would make sense to only use subdomains of microsoft.com?

[apimade]

Such a list will never exist in an organisation of this size, with the amount of delegated management and operations required for these functions. In fact, it’s unlikely such a list is even _allowed_ to exist given the sensitive nature of some areas of the business, being a publicly traded company which works directly with regulated entities and governments.

It’d be interesting to hear a senior old-timer from MS to weigh in on their blog about this, and similar/adjacent problems that arise from working across such a colossal entity.

It’s a wonder they ever release anything new, if I’m being completely honest. The amount of governance, hoops, process and procedure across every aspect of their business must be staggering.

[10000truths]

> In fact, it’s unlikely such a list is even _allowed_ to exist given the sensitive nature of some areas of the business, being a publicly traded company which works directly with regulated entities and governments.

If the existence of a domain/subdomain is considered sensitive information, then something has gone very wrong.

[antiframe]

Companies do register domains before launching products and don't want to leak them. Now, I still support Microsoft and other companies to list the domains they send official emails from.

[seb1204]

Why would that not be possible? You can still do that and then once the rabbit is out add it to the main list. Come on, don't let the good be the enemy of the perfect. I'm sure there are several ways to find and list all domains. What bothers me more is that they allowed to have different domains in the first place. Why not sub domains to make it clear.

[antiframe]

That's what I said? Companies can hide domains while they are under development but then they should still maintain a list that they send emails from. I was opposed to legislation that required all registered domains regardless of use being published.

[ntoskrnl_exe]

I got used to that one, but the other day I was checking Outlook in the web browser and I ended up on outlook.cloud.microsoft, I couldn't believe my eyes.

[SoKamil]

> Who even can be sure microsoftonline.com is legit

Spam filters.

[saghm]

I'm either impressed by whatever spam filter you having literally zero false positives or negatives, or I'm confused about what you think it means to "be sure".

[consp]

I have plenty of false negatives, mostly due to companies in know I get a mail from using spamlike html mails, I always verify on the phone it is the mail they send to be sure but it happens way too often.

[butvacuum]

the domain that ever m365 tennant exists on? that microsoftonline.com?

[gr33nq]

I think you may be referring to *.onmicrosoft.com (add that one to the list too...)

[butvacuum]

I walked right into that one.